diff --git a/assets/airlock/microgateway-4.3.2.tgz b/assets/airlock/microgateway-4.3.2.tgz new file mode 100644 index 000000000..e8fa21999 Binary files /dev/null and b/assets/airlock/microgateway-4.3.2.tgz differ diff --git a/assets/airlock/microgateway-cni-4.3.2.tgz b/assets/airlock/microgateway-cni-4.3.2.tgz new file mode 100644 index 000000000..e45605d84 Binary files /dev/null and b/assets/airlock/microgateway-cni-4.3.2.tgz differ diff --git a/assets/kong/kong-2.41.0.tgz b/assets/kong/kong-2.41.0.tgz new file mode 100644 index 000000000..73a69b47c Binary files /dev/null and b/assets/kong/kong-2.41.0.tgz differ diff --git a/assets/linkerd/linkerd-control-plane-2024.8.2.tgz b/assets/linkerd/linkerd-control-plane-2024.8.2.tgz index d4274e699..cda5c68aa 100644 Binary files a/assets/linkerd/linkerd-control-plane-2024.8.2.tgz and b/assets/linkerd/linkerd-control-plane-2024.8.2.tgz differ diff --git a/assets/linkerd/linkerd-control-plane-2024.8.3.tgz b/assets/linkerd/linkerd-control-plane-2024.8.3.tgz new file mode 100644 index 000000000..24067c043 Binary files /dev/null and b/assets/linkerd/linkerd-control-plane-2024.8.3.tgz differ diff --git a/assets/linkerd/linkerd-crds-2024.8.3.tgz b/assets/linkerd/linkerd-crds-2024.8.3.tgz new file mode 100644 index 000000000..a0fb54c45 Binary files /dev/null and b/assets/linkerd/linkerd-crds-2024.8.3.tgz differ diff --git a/assets/redpanda/redpanda-5.9.2.tgz b/assets/redpanda/redpanda-5.9.2.tgz new file mode 100644 index 000000000..c0b314ca1 Binary files /dev/null and b/assets/redpanda/redpanda-5.9.2.tgz differ diff --git a/charts/airlock/microgateway-cni/4.3.2/.helmignore b/charts/airlock/microgateway-cni/4.3.2/.helmignore new file mode 100644 index 000000000..8561d2892 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.3.2/.helmignore @@ -0,0 +1,27 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ + +# Helm unit tests +/tests +/validation diff --git a/charts/airlock/microgateway-cni/4.3.2/Chart.yaml b/charts/airlock/microgateway-cni/4.3.2/Chart.yaml new file mode 100644 index 000000000..ea724bec3 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.3.2/Chart.yaml @@ -0,0 +1,43 @@ +annotations: + artifacthub.io/category: security + artifacthub.io/license: MIT + artifacthub.io/links: | + - name: Airlock Microgateway Documentation + url: https://docs.airlock.com/microgateway/4.3/ + - name: Airlock Microgateway Labs + url: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=artifacthub.io + - name: Airlock Microgateway Forum + url: https://forum.airlock.com/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Airlock Microgateway CNI + catalog.cattle.io/kube-version: '>=1.25.0-0' + catalog.cattle.io/release-name: microgateway-cni + charts.openshift.io/name: Airlock Microgateway CNI +apiVersion: v2 +appVersion: 4.3.2 +description: A Helm chart for deploying the Airlock Microgateway CNI plugin +home: https://www.airlock.com/en/microgateway +icon: file://assets/icons/microgateway-cni.svg +keywords: +- WAF +- Web Application Firewall +- WAAP +- Web Application and API protection +- OWASP +- Airlock +- Microgateway +- Security +- Filtering +- DevSecOps +- shift left +- CNI +kubeVersion: '>=1.25.0-0' +maintainers: +- email: support@airlock.com + name: Airlock + url: https://www.airlock.com/ +name: microgateway-cni +sources: +- https://github.com/airlock/microgateway +type: application +version: 4.3.2 diff --git a/charts/airlock/microgateway-cni/4.3.2/README.md b/charts/airlock/microgateway-cni/4.3.2/README.md new file mode 100644 index 000000000..583f3efa8 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.3.2/README.md @@ -0,0 +1,137 @@ +# Airlock Microgateway CNI + +![Version: 4.3.2](https://img.shields.io/badge/Version-4.3.2-informational?style=flat-square) ![AppVersion: 4.3.2](https://img.shields.io/badge/AppVersion-4.3.2-informational?style=flat-square) + +*Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.* + + + + + Microgateway + + +Modern application security is embedded in the development workflow and follows DevSecOps paradigms. Airlock Microgateway is the perfect fit for these requirements. It is a lightweight alternative to the Airlock Gateway appliance, optimized for Kubernetes environments. Airlock Microgateway protects your applications and microservices with the tried-and-tested Airlock security features against attacks, while also providing a high degree of scalability. +__This Helm chart is part of Airlock Microgateway. See our [GitHub repo](https://github.com/airlock/microgateway/tree/4.3.2).__ + +### Features +* Kubernetes native integration with its Operator, Custom Resource Definitions, hot-reload, automatic sidecar injection. +* Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction +* Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication +* Content security filters for protecting against known attacks (OWASP Top 10) +* Access control using OpenID Connect to allow only authenticated users to access the protected services +* API security features like JSON parsing, OpenAPI specification enforcement or GraphQL schema validation + +For a list of all features, view the **[comparison of the community and premium edition](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html)**. + +## Documentation and links + +Check the official documentation at **[docs.airlock.com](https://docs.airlock.com/microgateway/latest/)** or the product website at **[airlock.com/microgateway](https://www.airlock.com/en/microgateway)**. The links below point out the most interesting documentation sites when starting with Airlock Microgateway. + +* [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html) +* [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html) +* [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html) +* [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html) +* [GitHub](https://github.com/airlock/microgateway) + +# Quick start guide + +The instructions below provide a quick start guide. Detailed information are provided in the **[manual](https://docs.airlock.com/microgateway/latest/)**. + +## Prerequisites +* [helm](https://helm.sh/docs/intro/install/) (>= v3.8.0) + +## Deploy Airlock Microgateway CNI +1. Install the CNI Plugin with Helm. + > **Note**: Certain environments such as OpenShift or GKE require non-default configurations when installing the CNI plugin. For the most common setups, values files are provided in the [chart folder](/deploy/charts/airlock-microgateway-cni). + ```bash + # Standard setup + helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.3.2' + kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni + ``` + ```bash + # GKE setup + helm install airlock-microgateway-cni -n kube-system oci://quay.io/airlockcharts/microgateway-cni --version '4.3.2' -f https://raw.githubusercontent.com/airlock/microgateway/4.3.2/deploy/charts/airlock-microgateway-cni/gke-values.yaml + kubectl -n kube-system rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni + ``` + ```bash + # OpenShift setup + helm install airlock-microgateway-cni -n openshift-operators oci://quay.io/airlockcharts/microgateway-cni --version '4.3.2' -f https://raw.githubusercontent.com/airlock/microgateway/4.3.2/deploy/charts/airlock-microgateway-cni/openshift-values.yaml + kubectl -n openshift-operators rollout status daemonset -l app.kubernetes.io/instance=airlock-microgateway-cni + ``` + **Important:** On OpenShift, all pods which should be protected by Airlock Microgateway must explicitly reference the Airlock Microgateway CNI NetworkAttachmentDefinition via the annotation `k8s.v1.cni.cncf.io/networks` (see [documentation](https://docs.airlock.com/microgateway/latest/#data/1658483168033.html) for details). + +2. (Recommended) You can verify the correctness of the installation with `helm test`. + ```bash + # Standard and GKE setup + helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.2' + helm test airlock-microgateway-cni -n kube-system --logs + helm upgrade airlock-microgateway-cni -n kube-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.2' + ``` + ```bash + # OpenShift setup + helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.2' + helm test airlock-microgateway-cni -n openshift-operators --logs + helm upgrade airlock-microgateway-cni -n openshift-operators --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway-cni --version '4.3.2' + ``` + + Consult our [documentation](https://docs.airlock.com/microgateway/latest/#data/1699611533587.html) in case of any installation error. + +## Support + +### Premium support +If you have a paid license, please follow the [premium support process](https://techzone.ergon.ch/support-process). + +### Community support +For the community edition, check our **[Airlock community forum](https://forum.airlock.com/)** for FAQs or register to post your question. +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| affinity | object | `{}` | Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. | +| commonAnnotations | object | `{}` | Annotations to add to all resources. | +| commonLabels | object | `{}` | Labels to add to all resources. | +| config.cniBinDir | string | `"/opt/cni/bin"` | Directory where the CNI plugin binaries reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your Kubernetes node. | +| config.cniNetDir | string | `"/etc/cni/net.d"` | Directory where the CNI config files reside on the host. This path can either be found in the documentation of your Kubernetes distribution or CNI provider. It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your Kubernetes node. | +| config.excludeNamespaces | list | `["kube-system"]` | Namespaces for which this CNI plugin should not apply any modifications. | +| config.installMode | string | `"chained"` | Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. | +| config.logLevel | string | `"info"` | Log level for the CNI installer and plugin. | +| fullnameOverride | string | `""` | Allows overriding the name to use as full name of resources. | +| image.digest | string | `"sha256:ed5ec546a65f0ae0bc3e058aafc1d2aa4848996b9f415fe6232486934443b460"` | SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). Overrides tag when specified. | +| image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | +| image.repository | string | `"quay.io/airlock/microgateway-cni"` | Image repository from which to pull the Airlock Microgateway CNI image. | +| image.tag | string | `"4.3.2"` | Image tag to pull. | +| imagePullSecrets | list | `[]` | ImagePullSecrets to use when pulling images. | +| multusNetworkAttachmentDefinition.create | bool | `false` | Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. | +| multusNetworkAttachmentDefinition.namespace | string | `"default"` | Namespace in which the NetworkAttachmentDefinition is deployed. Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation | +| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway-cni". | +| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. | +| podAnnotations | object | `{}` | Annotations to add to all Pods. | +| podLabels | object | `{}` | Labels to add to all Pods. | +| privileged | bool | `false` | Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). | +| rbac.create | bool | `true` | Whether to create RBAC resources which are required for the CNI plugin to function. | +| rbac.createSCCRole | OpenShift | `false` | Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. | +| resources | object | `{"requests":{"cpu":"10m","memory":"100Mi"}}` | Resource restrictions to apply to the CNI installer container. | +| serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. | +| serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. | +| serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. | +| tests.enabled | bool | `false` | Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). If set to false, `helm test` will not run any tests. | + +## License +View the [detailed license terms](https://www.airlock.com/en/airlock-license) for the software contained in this image. +* Decompiling or reverse engineering is not permitted. +* Using any of the deny rules or parts of these filter patterns outside of the image is not permitted. + +Airlock® is a security innovation by [ergon](https://www.ergon.ch/en) + + + + + + + Airlock Secure Access Hub + + diff --git a/charts/airlock/microgateway-cni/4.3.2/gke-values.yaml b/charts/airlock/microgateway-cni/4.3.2/gke-values.yaml new file mode 100644 index 000000000..d6d5c21d1 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.3.2/gke-values.yaml @@ -0,0 +1,4 @@ +# values for deploying on GKE + +config: + cniBinDir: "/home/kubernetes/bin" diff --git a/charts/airlock/microgateway-cni/4.3.2/openshift-values.yaml b/charts/airlock/microgateway-cni/4.3.2/openshift-values.yaml new file mode 100644 index 000000000..3b1d6cccd --- /dev/null +++ b/charts/airlock/microgateway-cni/4.3.2/openshift-values.yaml @@ -0,0 +1,15 @@ +# values for deploying on OpenShift + +rbac: + createSCCRole: true + +privileged: true + +multusNetworkAttachmentDefinition: + create: true + namespace: default + +config: + installMode: "standalone" + cniNetDir: "/etc/cni/multus/net.d" + cniBinDir: "/var/lib/cni/bin" diff --git a/charts/airlock/microgateway-cni/4.3.2/questions.yml b/charts/airlock/microgateway-cni/4.3.2/questions.yml new file mode 100644 index 000000000..73ed44d64 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.3.2/questions.yml @@ -0,0 +1,18 @@ +questions: + - variable: config.cniNetDir + required: true + type: string + label: CNI Network Configuration Directory + group: "CNI Settings" + description: "Directory where the CNI config files reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your kubernetes host." + - variable: config.cniBinDir + required: true + type: string + label: CNI Plugin Binaries Directory + group: "CNI Settings" + description: "Directory where the CNI plugin binaries reside on the host. This value depends on the kubernetes distribution and interface CNI Provider used. It can be fetched by running `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your kubernetes host." + - variable: config.installMode + required: true + label: CNI Plugin Installation Mode + group: "CNI Settings" + description: "Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers) as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) or in `manual` mode, where no CNI network configuration is written. Please refer to the CNI installation documentation (https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-cni) to correctly setup the CNI Plugin for your environment." diff --git a/charts/airlock/microgateway-cni/4.3.2/templates/NOTES.txt b/charts/airlock/microgateway-cni/4.3.2/templates/NOTES.txt new file mode 100644 index 000000000..bb94ff521 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.3.2/templates/NOTES.txt @@ -0,0 +1,15 @@ +Thank you for installing Airlock Microgateway CNI. + +Please ensure that the helm values'.config.cniNetDir' and '.config.cniBinDir' are configured for your Kubernetes distribution. +For further information, consider our manual https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" . }}. +The chapter 'Setup > Installation' describes how to set those settings correctly. + +Further information: +* Documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway-cni.docsVersion" . }} +* Airlock Microgateway Labs: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=helm + +Next steps: +* Install Airlock Microgateway (if not done already) + https://artifacthub.io/packages/helm/airlock-microgateway/microgateway + +Your release version is {{ .Chart.Version }}. \ No newline at end of file diff --git a/charts/airlock/microgateway-cni/4.3.2/templates/_helpers.tpl b/charts/airlock/microgateway-cni/4.3.2/templates/_helpers.tpl new file mode 100644 index 000000000..996491a87 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.3.2/templates/_helpers.tpl @@ -0,0 +1,101 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "airlock-microgateway-cni.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Convert an image configuration object into an image ref string. +*/}} +{{- define "airlock-microgateway-cni.image" -}} + {{- if .digest -}} + {{- printf "%s@%s" .repository .digest -}} + {{- else if .tag -}} + {{- printf "%s:%s" .repository .tag -}} + {{- else -}} + {{- printf "%s" .repository -}} + {{- end -}} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 50 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) +and the longest suffix is 13 characters. +If release name contains chart name it will be used as a full name. +*/}} +{{- define "airlock-microgateway-cni.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 50 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 50 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 50 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "airlock-microgateway-cni.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "airlock-microgateway-cni.labels" -}} +helm.sh/chart: {{ include "airlock-microgateway-cni.chart" . }} +{{ include "airlock-microgateway-cni.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- with .Values.commonLabels }} +{{ toYaml .}} +{{- end }} +{{- end }} + +{{/* +Common labels without component +*/}} +{{- define "airlock-microgateway-cni.labelsWithoutComponent" -}} +{{- $labels := fromYaml (include "airlock-microgateway-cni.labels" .) -}} +{{ unset $labels "app.kubernetes.io/component" | toYaml }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "airlock-microgateway-cni.selectorLabels" -}} +app.kubernetes.io/component: cni-plugin-installer +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/name: {{ include "airlock-microgateway-cni.name" . }} +{{- end }} + +{{/* +Create the name of the service account to use for the CNI Plugin +*/}} +{{- define "airlock-microgateway-cni.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "airlock-microgateway-cni.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} + +{{- define "airlock-microgateway-cni.isSemver" -}} +{{- regexMatch `^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$` . -}} +{{- end -}} + +{{- define "airlock-microgateway-cni.docsVersion" -}} +{{- if and (eq "true" (include "airlock-microgateway-cni.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}} + {{- $version := (semver .Chart.AppVersion) -}} + {{- $version.Major }}.{{ $version.Minor -}} +{{- else -}} + {{- print "latest" -}} +{{- end -}} +{{- end -}} diff --git a/charts/airlock/microgateway-cni/4.3.2/templates/clusterrole.yaml b/charts/airlock/microgateway-cni/4.3.2/templates/clusterrole.yaml new file mode 100644 index 000000000..ef88ac783 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.3.2/templates/clusterrole.yaml @@ -0,0 +1,22 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - patch +{{- end -}} diff --git a/charts/airlock/microgateway-cni/4.3.2/templates/clusterrolebinding.yaml b/charts/airlock/microgateway-cni/4.3.2/templates/clusterrolebinding.yaml new file mode 100644 index 000000000..04f87cb0f --- /dev/null +++ b/charts/airlock/microgateway-cni/4.3.2/templates/clusterrolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "airlock-microgateway-cni.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ include "airlock-microgateway-cni.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- end -}} diff --git a/charts/airlock/microgateway-cni/4.3.2/templates/configmap.yaml b/charts/airlock/microgateway-cni/4.3.2/templates/configmap.yaml new file mode 100644 index 000000000..b880116ef --- /dev/null +++ b/charts/airlock/microgateway-cni/4.3.2/templates/configmap.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +data: + plugin-conf.json: |- + { + "type": "{{ include "airlock-microgateway-cni.fullname" . }}", + "debug": {{ eq .Values.config.logLevel "debug" }}, + "logFilePath": "/var/log/{{ include "airlock-microgateway-cni.fullname" . }}.log", + "kubernetes": { + "kubeconfig": "{{ .Values.config.cniNetDir }}/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig", + "excludeNamespaces": {{ toJson .Values.config.excludeNamespaces }} + } + } diff --git a/charts/airlock/microgateway-cni/4.3.2/templates/daemonset.yaml b/charts/airlock/microgateway-cni/4.3.2/templates/daemonset.yaml new file mode 100644 index 000000000..4ba9f2669 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.3.2/templates/daemonset.yaml @@ -0,0 +1,136 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "airlock-microgateway-cni.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + kubectl.kubernetes.io/default-container: cni-installer + {{- with mustMerge .Values.podAnnotations .Values.commonAnnotations}} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - args: + - --log-level + - "{{ .Values.config.logLevel }}" + env: + - name: CNI_NETWORK_CONFIG + valueFrom: + configMapKeyRef: + key: plugin-conf.json + name: {{ include "airlock-microgateway-cni.fullname" . }} + - name: CNI_BIN_DIR + value: /host/opt/cni/bin + - name: CNI_NET_DIR + value: /host/etc/cni/net.d + - name: KUBECONFIG_FILE_NAME + value: "{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig" + - name: INSTALL_MODE + value: {{ .Values.config.installMode }} + - name: KUBERNETES_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + image: {{ include "airlock-microgateway-cni.image" .Values.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + name: cni-installer + {{- with .Values.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + startupProbe: + exec: + command: + - /cni-installer + - probe + failureThreshold: 5 + initialDelaySeconds: 3 + periodSeconds: 3 + timeoutSeconds: 3 + readinessProbe: + exec: + command: + - /cni-installer + - probe + failureThreshold: 1 + periodSeconds: 60 + timeoutSeconds: 3 + securityContext: + allowPrivilegeEscalation: {{ .Values.privileged }} + capabilities: + drop: + - ALL + privileged: {{ .Values.privileged }} + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + seccompProfile: + type: RuntimeDefault + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /run/cni-installer + name: cni-installer-status + hostNetwork: true + priorityClassName: system-node-critical + restartPolicy: Always + securityContext: + fsGroup: 0 + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + serviceAccountName: {{ include "airlock-microgateway-cni.serviceAccountName" . }} + terminationGracePeriodSeconds: 5 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + volumes: + - hostPath: + path: "{{ .Values.config.cniBinDir }}" + type: Directory + name: cni-bin-dir + - hostPath: + path: "{{ .Values.config.cniNetDir }}" + type: Directory + name: cni-net-dir + - emptyDir: {} + name: cni-installer-status diff --git a/charts/airlock/microgateway-cni/4.3.2/templates/network-attachment-definition.yaml b/charts/airlock/microgateway-cni/4.3.2/templates/network-attachment-definition.yaml new file mode 100644 index 000000000..5d657e309 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.3.2/templates/network-attachment-definition.yaml @@ -0,0 +1,13 @@ +{{- if .Values.multusNetworkAttachmentDefinition.create -}} +apiVersion: "k8s.cni.cncf.io/v1" +kind: NetworkAttachmentDefinition +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }} + namespace: {{ .Values.multusNetworkAttachmentDefinition.namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/airlock/microgateway-cni/4.3.2/templates/scc-role.yaml b/charts/airlock/microgateway-cni/4.3.2/templates/scc-role.yaml new file mode 100644 index 000000000..862748692 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.3.2/templates/scc-role.yaml @@ -0,0 +1,22 @@ +{{- if .Values.rbac.createSCCRole -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +rules: +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use +{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway-cni/4.3.2/templates/scc-rolebinding.yaml b/charts/airlock/microgateway-cni/4.3.2/templates/scc-rolebinding.yaml new file mode 100644 index 000000000..ebd02982c --- /dev/null +++ b/charts/airlock/microgateway-cni/4.3.2/templates/scc-rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.rbac.createSCCRole -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "airlock-microgateway-cni.fullname" . }}-privileged +subjects: +- kind: ServiceAccount + name: {{ include "airlock-microgateway-cni.serviceAccountName" . }} +{{- end -}} diff --git a/charts/airlock/microgateway-cni/4.3.2/templates/serviceaccount.yaml b/charts/airlock/microgateway-cni/4.3.2/templates/serviceaccount.yaml new file mode 100644 index 000000000..3dc8d58ea --- /dev/null +++ b/charts/airlock/microgateway-cni/4.3.2/templates/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "airlock-microgateway-cni.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labels" . | nindent 4 }} + {{- with mustMerge .Values.serviceAccount.annotations .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/airlock/microgateway-cni/4.3.2/templates/tests/rbac.yaml b/charts/airlock/microgateway-cni/4.3.2/templates/tests/rbac.yaml new file mode 100644 index 000000000..744799333 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.3.2/templates/tests/rbac.yaml @@ -0,0 +1,64 @@ +{{- if .Values.tests.enabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} + app.kubernetes.io/component: tests +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} + app.kubernetes.io/component: tests +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" +subjects: +- kind: ServiceAccount + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} + app.kubernetes.io/component: tests +rules: +- apiGroups: + - "apps" + resources: + - daemonsets + resourceNames: + - {{ include "airlock-microgateway-cni.fullname" . }} + verbs: + - get + - watch + - list +- apiGroups: + - "" + resources: + - pods + - pods/log + verbs: + - get + - list +{{- if .Values.rbac.createSCCRole }} +- apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use +{{- end -}} +{{- end -}} diff --git a/charts/airlock/microgateway-cni/4.3.2/templates/tests/test-install.yaml b/charts/airlock/microgateway-cni/4.3.2/templates/tests/test-install.yaml new file mode 100644 index 000000000..12d8c8de7 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.3.2/templates/tests/test-install.yaml @@ -0,0 +1,103 @@ +{{- if .Values.tests.enabled -}} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "airlock-microgateway-cni.fullname" . }}-test-install" + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway-cni.labelsWithoutComponent" . | nindent 4 }} + app.kubernetes.io/component: test-install + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +spec: + restartPolicy: Never + containers: + - name: test + image: "bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}" + securityContext: + allowPrivilegeEscalation: {{ .Values.privileged }} + capabilities: + drop: + - ALL + privileged: {{ .Values.privileged }} + readOnlyRootFilesystem: true + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + readOnly: true + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + readOnly: true + command: + - sh + - -c + - | + set -eu + + fail() { + echo "Error: ${1}" + echo "" + echo 'CNI installer logs:' + kubectl logs -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}} -c cni-installer + exit 1 + } + + containsMGWCNIConf() { + cat "${1}" | grep -qe '"type":.*"{{ include "airlock-microgateway-cni.fullname" . }}"' + } + + if ! kubectl rollout status --timeout=60s -n {{ .Release.Namespace }} daemonsets/{{ include "airlock-microgateway-cni.fullname" .}}; then + fail 'CNI DaemonSet rollout did not complete within timeout' + fi + + echo "Checking whether CNI binary was installed" + if ! [ -f "/host/opt/cni/bin/{{ include "airlock-microgateway-cni.fullname" . }}" ]; then + fail 'CNI binary was not installed' + fi + + echo "Checking whether CNI kubeconfig was installed" + if ! [ -f "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}-kubeconfig" ]; then + fail 'CNI kubeconfig was not created' + fi + + echo "Checking whether CNI configuration was written" + case {{ .Values.config.installMode }} in + "chained") + for file in "/host/etc/cni/net.d/"*.conflist; do + if containsMGWCNIConf "${file}"; then + echo "Success" + exit 0 + fi + done + ;; + "standalone") + if containsMGWCNIConf "/host/etc/cni/net.d/{{ include "airlock-microgateway-cni.fullname" . }}.conflist"; then + echo "Success" + exit 0 + fi + ;; + "manual") + echo "- Skipping because we are in 'manual' install mode" + echo "Success" + exit 0 + ;; + esac + + fail 'Configuration for plugin "{{ include "airlock-microgateway-cni.fullname" . }}" was not found' + serviceAccountName: "{{ include "airlock-microgateway-cni.fullname" . }}-tests" + volumes: + - hostPath: + path: "{{ .Values.config.cniBinDir }}" + type: Directory + name: cni-bin-dir + - hostPath: + path: "{{ .Values.config.cniNetDir }}" + type: Directory + name: cni-net-dir +{{- end -}} diff --git a/charts/airlock/microgateway-cni/4.3.2/values.schema.json b/charts/airlock/microgateway-cni/4.3.2/values.schema.json new file mode 100644 index 000000000..e087bd700 --- /dev/null +++ b/charts/airlock/microgateway-cni/4.3.2/values.schema.json @@ -0,0 +1,225 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "type": "object", + "properties": { + "nameOverride": { + "type": "string" + }, + "fullnameOverride": { + "type": "string" + }, + "commonLabels": { + "$ref": "#/definitions/StringMap" + }, + "commonAnnotations": { + "$ref": "#/definitions/StringMap" + }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "minLength": 1 + } + }, + "required": [ + "name" + ], + "additionalProperties": true + } + }, + "image": { + "$ref": "#/definitions/Image" + }, + "podAnnotations": { + "$ref": "#/definitions/StringMap" + }, + "podLabels": { + "$ref": "#/definitions/StringMap" + }, + "resources": { + "type": "object" + }, + "nodeSelector": { + "$ref": "#/definitions/StringMap" + }, + "affinity": { + "type": "object" + }, + "rbac": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "createSCCRole": { + "type": "boolean" + } + }, + "required": [ + "create", + "createSCCRole" + ], + "additionalProperties": false + }, + "privileged": { + "type": "boolean" + }, + "serviceAccount": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "annotations": { + "$ref": "#/definitions/StringMap" + }, + "name": { + "type": "string" + } + }, + "required": [ + "annotations", + "create", + "name" + ], + "additionalProperties": false + }, + "multusNetworkAttachmentDefinition": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "namespace": { + "type": "string" + } + }, + "required": [ + "create", + "namespace" + ], + "additionalProperties": false + }, + "config": { + "type": "object", + "properties": { + "installMode": { + "type": "string", + "enum": [ + "chained", + "standalone", + "manual" + ] + }, + "logLevel": { + "type": "string", + "enum": [ + "debug", + "info", + "warn", + "error" + ] + }, + "cniNetDir": { + "type": "string", + "minLength": 1 + }, + "cniBinDir": { + "type": "string", + "minLength": 1 + }, + "excludeNamespaces": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "required": [ + "cniBinDir", + "cniNetDir", + "excludeNamespaces", + "installMode", + "logLevel" + ], + "additionalProperties": false + }, + "tests": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled" + ], + "additionalProperties": false + }, + "global": { + "type": "object" + } + }, + "required": [ + "affinity", + "commonAnnotations", + "commonLabels", + "config", + "fullnameOverride", + "image", + "imagePullSecrets", + "multusNetworkAttachmentDefinition", + "nameOverride", + "nodeSelector", + "podAnnotations", + "podLabels", + "privileged", + "rbac", + "resources", + "serviceAccount", + "tests" + ], + "additionalProperties": false, + "definitions": { + "StringMap": { + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "Image": { + "type": "object", + "properties": { + "repository": { + "type": "string", + "minLength": 1 + }, + "tag": { + "type": "string" + }, + "digest": { + "type": "string", + "pattern": "^$|^sha256:[a-f0-9]{64}$" + }, + "pullPolicy": { + "type": "string", + "enum": [ + "Always", + "IfNotPresent", + "Never" + ] + } + }, + "required": [ + "digest", + "pullPolicy", + "repository", + "tag" + ], + "additionalProperties": false + } + } +} diff --git a/charts/airlock/microgateway-cni/4.3.2/values.yaml b/charts/airlock/microgateway-cni/4.3.2/values.yaml new file mode 100644 index 000000000..5aa03a45c --- /dev/null +++ b/charts/airlock/microgateway-cni/4.3.2/values.yaml @@ -0,0 +1,85 @@ +# -- Allows overriding the name to use instead of "microgateway-cni". +nameOverride: "" +# -- Allows overriding the name to use as full name of resources. +fullnameOverride: "" +# -- Labels to add to all resources. +commonLabels: {} +# -- Annotations to add to all resources. +commonAnnotations: {} +# -- ImagePullSecrets to use when pulling images. +imagePullSecrets: [] +# - name: myRegistryKeySecretName + +# Specifies the Airlock Microgateway CNI image. +image: + # -- Image repository from which to pull the Airlock Microgateway CNI image. + repository: "quay.io/airlock/microgateway-cni" + # -- Image tag to pull. + tag: "4.3.2" + # -- SHA256 image digest to pull (in the format "sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a"). + # Overrides tag when specified. + digest: "sha256:ed5ec546a65f0ae0bc3e058aafc1d2aa4848996b9f415fe6232486934443b460" + # -- Pull policy for this image. + pullPolicy: IfNotPresent +# -- Annotations to add to all Pods. +podAnnotations: {} +# -- Labels to add to all Pods. +podLabels: {} +# -- Resource restrictions to apply to the CNI installer container. +resources: + requests: + cpu: 10m + memory: 100Mi +# -- NodeSelector to apply to the CNI DaemonSet in order to only deploy the CNI plugin on specific nodes. +nodeSelector: + kubernetes.io/os: linux +# -- Custom affinity for the DaemonSet to only deploy the CNI plugin on specific nodes. +affinity: {} +# Configures the generation of RBAC Roles and RoleBindings. +rbac: + # -- Whether to create RBAC resources which are required for the CNI plugin to function. + create: true + # -- (OpenShift) Whether to create RBAC resources which allow the CNI installer to use the "privileged" security context constraint. + createSCCRole: false +# -- Whether the DaemonSet should run in privileged mode. Must be enabled for environments which require it for writing files to the host (e.g. OpenShift). +privileged: false +# Configures the generation of the ServiceAccount. +serviceAccount: + # -- Whether a ServiceAccount should be created. + create: true + # -- Annotations to add to the ServiceAccount. + annotations: {} + # -- Name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template. + name: "" +# Configures the generation of a NetworkAttachmentDefinition for use with Multus CNI (OpenShift) +multusNetworkAttachmentDefinition: + # -- Whether a NetworkAttachmentDefinition CR should be created, which can be used for applying the CNI plugin to Pods. + create: false + # -- Namespace in which the NetworkAttachmentDefinition is deployed. + # Note: If namespace is set to a custom value, referencing the created NetworkAttachmentDefinition from other namespaces + # may not work if Multus namespace isolation is enabled. https://github.com/k8snetworkplumbingwg/multus-cni/blob/v4.0.2/docs/configuration.md#namespace-isolation + namespace: default +# Parameters for the CNI installer configuration. +config: + # -- Whether to install the CNI plugin as a `chained` plugin (default, required with most interface CNI providers), + # as a `standalone` plugin (required for use with Multus CNI, e.g. on OpenShift) + # or in `manual` mode, where no CNI network configuration is written. + installMode: "chained" + # -- Log level for the CNI installer and plugin. + logLevel: info + # -- Directory where the CNI config files reside on the host. + # This path can either be found in the documentation of your Kubernetes distribution or CNI provider. + # It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.confDir}}'` on your Kubernetes node. + cniNetDir: "/etc/cni/net.d" + # -- Directory where the CNI plugin binaries reside on the host. + # This path can either be found in the documentation of your Kubernetes distribution or CNI provider. + # It can also be queried by running the command `crictl info -o go-template --template '{{.config.cni.binDir}}'` on your Kubernetes node. + cniBinDir: "/opt/cni/bin" + # -- Namespaces for which this CNI plugin should not apply any modifications. + excludeNamespaces: + - kube-system +tests: + # -- Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). + # If set to false, `helm test` will not run any tests. + enabled: false diff --git a/charts/airlock/microgateway/4.3.2/.helmignore b/charts/airlock/microgateway/4.3.2/.helmignore new file mode 100644 index 000000000..101ff5ac5 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/.helmignore @@ -0,0 +1,28 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ +# CRDs kustomization.yaml +/crds/kustomization.yaml +# Helm unit tests +/tests +/validation diff --git a/charts/airlock/microgateway/4.3.2/Chart.yaml b/charts/airlock/microgateway/4.3.2/Chart.yaml new file mode 100644 index 000000000..63e5bc58d --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/Chart.yaml @@ -0,0 +1,44 @@ +annotations: + artifacthub.io/category: security + artifacthub.io/license: MIT + artifacthub.io/links: | + - name: Airlock Microgateway Documentation + url: https://docs.airlock.com/microgateway/4.3/ + - name: Airlock Microgateway Labs + url: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=artifacthub.io + - name: Airlock Microgateway Forum + url: https://forum.airlock.com/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Airlock Microgateway + catalog.cattle.io/kube-version: '>=1.25.0-0' + catalog.cattle.io/release-name: microgateway + charts.openshift.io/name: Airlock Microgateway +apiVersion: v2 +appVersion: 4.3.2 +description: A Helm chart for deploying the Airlock Microgateway +home: https://www.airlock.com/en/microgateway +icon: file://assets/icons/microgateway.svg +keywords: +- WAF +- Web Application Firewall +- WAAP +- Web Application and API protection +- OWASP +- Airlock +- Microgateway +- Security +- Filtering +- DevSecOps +- shift left +- control plane +- Operator +kubeVersion: '>=1.25.0-0' +maintainers: +- email: support@airlock.com + name: Airlock + url: https://www.airlock.com/ +name: microgateway +sources: +- https://github.com/airlock/microgateway +type: application +version: 4.3.2 diff --git a/charts/airlock/microgateway/4.3.2/README.md b/charts/airlock/microgateway/4.3.2/README.md new file mode 100644 index 000000000..ddb26273c --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/README.md @@ -0,0 +1,180 @@ +# Airlock Microgateway + +![Version: 4.3.2](https://img.shields.io/badge/Version-4.3.2-informational?style=flat-square) ![AppVersion: 4.3.2](https://img.shields.io/badge/AppVersion-4.3.2-informational?style=flat-square) + +*Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.* + + + + + Microgateway + + +Modern application security is embedded in the development workflow and follows DevSecOps paradigms. Airlock Microgateway is the perfect fit for these requirements. It is a lightweight alternative to the Airlock Gateway appliance, optimized for Kubernetes environments. Airlock Microgateway protects your applications and microservices with the tried-and-tested Airlock security features against attacks, while also providing a high degree of scalability. +__This Helm chart is part of Airlock Microgateway. See our [GitHub repo](https://github.com/airlock/microgateway/tree/4.3.2).__ + +### Features +* Kubernetes native integration with its Operator, Custom Resource Definitions, hot-reload, automatic sidecar injection. +* Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction +* Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication +* Content security filters for protecting against known attacks (OWASP Top 10) +* Access control using OpenID Connect to allow only authenticated users to access the protected services +* API security features like JSON parsing, OpenAPI specification enforcement or GraphQL schema validation + +For a list of all features, view the **[comparison of the community and premium edition](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html)**. + +## Documentation and links + +Check the official documentation at **[docs.airlock.com](https://docs.airlock.com/microgateway/latest/)** or the product website at **[airlock.com/microgateway](https://www.airlock.com/en/microgateway)**. The links below point out the most interesting documentation sites when starting with Airlock Microgateway. + +* [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html) +* [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html) +* [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html) +* [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html) +* [GitHub](https://github.com/airlock/microgateway) + +# Quick start guide + +The instructions below provide a quick start guide. Detailed information are provided in the **[manual](https://docs.airlock.com/microgateway/latest/)**. + +## Prerequisites +* [Airlock Microgateway CNI](https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni) +* [Airlock Microgateway License](#obtain-airlock-microgateway-license) +* [cert-manager](https://cert-manager.io/) +* [helm](https://helm.sh/docs/intro/install/) (>= v3.8.0) + +In order to use Airlock Microgateway you need a license and the cert-manager. You may either request a community license free of charge or purchase a premium license. +For an easy start in non-production environments, you may deploy the same cert-manager we are using internally for testing. +### Obtain Airlock Microgateway License +1. Either request a community or premium license + * Community license: [airlock.com/microgateway-community](https://airlock.com/en/microgateway-community) + * Premium license: [airlock.com/microgateway-premium](https://airlock.com/en/microgateway-premium) +2. Check your inbox and save the license file microgateway-license.txt locally. + +> See [Community vs. Premium editions in detail](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html) to choose the right license type. +### Deploy cert-manager +```bash +helm repo add jetstack https://charts.jetstack.io +helm install cert-manager jetstack/cert-manager --version '1.15.1' -n cert-manager --create-namespace --set crds.enabled=true --wait +``` + +## Deploy Airlock Microgateway Operator + +> This guide assumes a microgateway-license.txt file is present in the working directory. + +1. Install CRDs and Operator. + ```bash + # Create namespace + kubectl create namespace airlock-microgateway-system + + # Install License + kubectl -n airlock-microgateway-system create secret generic airlock-microgateway-license --from-file=microgateway-license.txt + + # Install Operator (CRDs are included via the standard Helm 3 mechanism, i.e. Helm will handle initial installation but not upgrades) + helm install airlock-microgateway -n airlock-microgateway-system oci://quay.io/airlockcharts/microgateway --version '4.3.2' --wait + ``` + +2. (Recommended) You can verify the correctness of the installation with `helm test`. + ```bash + helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=true --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.3.2' + helm test airlock-microgateway -n airlock-microgateway-system --logs + helm upgrade airlock-microgateway -n airlock-microgateway-system --set tests.enabled=false --reuse-values oci://quay.io/airlockcharts/microgateway --version '4.3.2' + ``` + +### Upgrading CRDs + +The `helm install/upgrade` command currently does not support upgrading CRDs that already exist in the cluster. +CRDs should instead be manually upgraded before upgrading the Operator itself via the following command: +```bash +kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=4.3.2 --server-side --force-conflicts +``` + +**Note**: Certain GitOps solutions such as e.g. Argo CD or Flux CD have their own mechanisms for automatically upgrading CRDs included with Helm charts. + +## Support + +### Premium support +If you have a paid license, please follow the [premium support process](https://techzone.ergon.ch/support-process). + +### Community support +For the community edition, check our **[Airlock community forum](https://forum.airlock.com/)** for FAQs or register to post your question. +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| commonAnnotations | object | `{}` | Annotations to add to all resources. | +| commonLabels | object | `{}` | Labels to add to all resources. | +| crds.skipVersionCheck | bool | `false` | Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs. The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster when performing a "helm install/upgrade". | +| dashboards.config.grafana.dashboardLabel.name | string | `"grafana_dashboard"` | Name of the label that lets Grafana identify ConfigMaps that represent dashboards. | +| dashboards.config.grafana.dashboardLabel.value | string | `"1"` | Value of the label that lets Grafana identify ConfigMaps that represent dashboards. | +| dashboards.config.grafana.folderAnnotation.name | string | `"grafana_folder"` | Name of the annotation containing the folder name to file dashboards into. | +| dashboards.config.grafana.folderAnnotation.value | string | `"Airlock Microgateway"` | Name of the folder dashboards are filed into within the Grafana UI. | +| dashboards.create | bool | `false` | Whether to create any ConfigMaps containing Grafana dashboards to import. | +| dashboards.instances.blockLogs.create | bool | `true` | Whether to create the block logs dashboard. | +| dashboards.instances.blockMetrics.create | bool | `true` | Whether to create the block metrics dashboard. | +| dashboards.instances.license.create | bool | `true` | Whether to create the license dashboard. | +| dashboards.instances.overview.create | bool | `true` | Whether to create the overview dashboard. | +| engine.image.digest | string | `"sha256:8d42759d999e6b69efa9ef1ecfdc84dc1f8f6f1ca822c8d2d3ef8ff1e335b9c9"` | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. | +| engine.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | +| engine.image.repository | string | `"quay.io/airlock/microgateway-engine"` | Image repository from which to pull the Airlock Microgateway Engine image. | +| engine.image.tag | string | `"4.3.2"` | Image tag to pull. | +| engine.resources | object | `{}` | Resource restrictions to apply to the Airlock Microgateway Engine container. | +| engine.sidecar.podMonitor.create | bool | `false` | Whether to create a PodMonitor resource for monitoring. | +| engine.sidecar.podMonitor.labels | object | `{}` | Labels to add to the PodMonitor. | +| fullnameOverride | string | `""` | Allows overriding the name to use as full name of resources. | +| imagePullSecrets | list | `[]` | ImagePullSecrets to use when pulling images. | +| license.secretName | string | `"airlock-microgateway-license"` | Name of the secret containing the "microgateway-license.txt" key. | +| nameOverride | string | `""` | Allows overriding the name to use instead of "microgateway". | +| networkValidator.image.digest | string | `"sha256:d1c484f4b9ea6218e2b1925f6b08d54dd352c7aaf653977bbbbeeb21eb3e19dd"` | SHA256 image digest to pull (in the format "sha256:d1c484f4b9ea6218e2b1925f6b08d54dd352c7aaf653977bbbbeeb21eb3e19dd"). Overrides tag when specified. | +| networkValidator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | +| networkValidator.image.repository | string | `"cgr.dev/chainguard/netcat"` | Image repository from which to pull the netcat image for the Airlock Microgateway Network Validator init-container. | +| networkValidator.image.tag | string | `""` | Image tag to pull. | +| operator.affinity | object | `{}` | Custom affinity to apply to the operator Deployment. Used to influence the scheduling. | +| operator.config.logLevel | string | `"info"` | Operator application log level. | +| operator.image.digest | string | `"sha256:d22f2ca35603b805caa67dd07aba524c3e4d68c3b59f7ddfc0e22e7fc09a200c"` | SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63"). Overrides tag when specified. | +| operator.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | +| operator.image.repository | string | `"quay.io/airlock/microgateway-operator"` | Image repository from which to pull the Airlock Microgateway Operator image. | +| operator.image.tag | string | `"4.3.2"` | Image tag to pull. | +| operator.nodeSelector | object | `{}` | Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes. | +| operator.podAnnotations | object | `{}` | Annotations to add to all Pods. | +| operator.podLabels | object | `{}` | Labels to add to all Pods. | +| operator.rbac.create | bool | `true` | Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function. | +| operator.replicaCount | int | `2` | Number of replicas for the operator Deployment. | +| operator.resources | object | `{}` | Resource restrictions to apply to the operator container. | +| operator.serviceAccount.annotations | object | `{}` | Annotations to add to the ServiceAccount. | +| operator.serviceAccount.create | bool | `true` | Whether a ServiceAccount should be created. | +| operator.serviceAccount.name | string | `""` | Name of the ServiceAccount to use. If not set and create is true, a name is generated using the fullname template. | +| operator.serviceAnnotations | object | `{}` | Annotations to add to the Service. | +| operator.serviceLabels | object | `{}` | Labels to add to the Service. | +| operator.serviceMonitor.create | bool | `false` | Whether to create a ServiceMonitor resource for monitoring. | +| operator.serviceMonitor.labels | object | `{}` | Labels to add to the ServiceMonitor. | +| operator.tolerations | list | `[]` | Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes. | +| operator.updateStrategy | object | `{"type":"RollingUpdate"}` | Specifies the operator update strategy. | +| operator.watchNamespaceSelector | object | `{}` | Allows to dynamically select watch namespaces of the operator and the scope of the webhooks based on a Namespace label selector. It is able to detect and reconcile resources in all namespaces that match the label selector automatically, even for new namespaces, without restarting the operator. This facilitates a dynamic `MultiNamespace` installation mode, but still requires cluster-scoped permissions (i.e., ClusterRoles and ClusterRoleBindings). An `AllNamespaces` installation or the usage of the `watchNamespaces` requires the `watchNamespaceSelector` to be empty. Please note that this feature requires a Premium license. | +| operator.watchNamespaces | list | `[]` | Allows to restrict the operator to specific namespaces, depending on your needs. For a `OwnNamespace` or `SingleNamespace` installation the list may only contain one namespace (e.g., `watchNamespaces: ["airlock-microgateway-system"]`). In case of the `OwnNamespace` installation mode the specified namespace should be equal to the installation namespace. For a static `MultiNamespace` installation, the complete list of namespaces must be provided in the `watchNamespaces`. An `AllNamespaces` installation or the usage of the `watchNamespaceSelector` requires the `watchNamespaces` to be empty. Regardless of the installation modes supported by `watchNamespaces`, RBAC is created only namespace-scoped (using Roles and RoleBindings) in the respective namespaces. Please note that this feature requires a Premium license. | +| sessionAgent.image.digest | string | `"sha256:d487f4099c267310debffe5d5cac168deeddf6082dafbee352550f2792b9609c"` | SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). Overrides tag when specified. | +| sessionAgent.image.pullPolicy | string | `"IfNotPresent"` | Pull policy for this image. | +| sessionAgent.image.repository | string | `"quay.io/airlock/microgateway-session-agent"` | Image repository from which to pull the Airlock Microgateway Session Agent image. | +| sessionAgent.image.tag | string | `"4.3.2"` | Image tag to pull. | +| sessionAgent.resources | object | `{}` | Resource restrictions to apply to the Airlock Microgateway Session Agent container. | +| tests.enabled | bool | `false` | Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). If set to false, `helm test` will not run any tests. | + +## License +View the [detailed license terms](https://www.airlock.com/en/airlock-license) for the software contained in this image. +* Decompiling or reverse engineering is not permitted. +* Using any of the deny rules or parts of these filter patterns outside of the image is not permitted. + +Airlock® is a security innovation by [ergon](https://www.ergon.ch/en) + + + + + + + Airlock Secure Access Hub + + diff --git a/charts/airlock/microgateway/4.3.2/app-readme.md b/charts/airlock/microgateway/4.3.2/app-readme.md new file mode 100644 index 000000000..e32cac025 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/app-readme.md @@ -0,0 +1,28 @@ +# Airlock Microgateway + +*Airlock Microgateway is a Kubernetes native WAAP (Web Application and API Protection) solution to protect microservices.* + +## Features +* Kubernetes native integration with its Operator, Custom Resource Definitions, hot-reload, automatic sidecar injection. +* Reverse proxy functionality with request routing rules, TLS termination and remote IP extraction +* Using native Envoy HTTP filters like Lua scripting, RBAC, ext_authz, JWT authentication +* Content security filters for protecting against known attacks (OWASP Top 10) +* Access control to allow only authenticated users to access the protected services +* API security features like JSON parsing or OpenAPI specification enforcement + +For a list of all features, view the **[comparison of the community and premium edition](https://docs.airlock.com/microgateway/latest/#data/1675772882054.html)**. + +## Requirements +* [Airlock Microgateway CNI Helm Chart](https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni) (Also available as Rancher Chart) +* [Airlock Microgateway License](https://github.com/airlock/microgateway?tab=readme-ov-file#obtain-airlock-microgateway-license) (After obtaining the license install it according to the [documentation](https://github.com/airlock/microgateway?tab=readme-ov-file#deploy-airlock-microgateway-operator)) +* [cert-manager](https://cert-manager.io/docs/installation/) + +## Documentation and links + +Check the official documentation at **[docs.airlock.com](https://docs.airlock.com/microgateway/latest/)** or the product website at **[airlock.com/microgateway](https://www.airlock.com/en/microgateway)**. The links below point out the most interesting documentation sites when starting with Airlock Microgateway. + +* [Getting Started](https://docs.airlock.com/microgateway/latest/#data/1660804708742.html) +* [System Architecture](https://docs.airlock.com/microgateway/latest/#data/1660804709650.html) +* [Installation](https://docs.airlock.com/microgateway/latest/#data/1660804708637.html) +* [Troubleshooting](https://docs.airlock.com/microgateway/latest/#data/1659430054787.html) +* [GitHub](https://github.com/airlock/microgateway) \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.2/crds/accesscontrols.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/accesscontrols.microgateway.airlock.com.yaml new file mode 100644 index 000000000..056dd32d9 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/crds/accesscontrols.microgateway.airlock.com.yaml @@ -0,0 +1,124 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.3.2 + name: accesscontrols.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: AccessControl + listKind: AccessControlList + plural: accesscontrols + singular: accesscontrol + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: AccessControl specifies the options to perform access control with a Microgateway Engine container. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Specifies how the Airlock Microgateway Engine performs access control. + properties: + policies: + description: Policies configures access control policies. + items: + properties: + authorization: + description: Authorization configures how requests are authorized. An empty object value {} disables authorization. + properties: + authentication: + description: Authentication specifies that clients need to be authenticated with the provided method. + properties: + oidc: + description: OIDC configures client authentication using OpenID Connect. + properties: + oidcRelyingPartyRef: + description: OIDCRelyingPartyRef configures how the Airlock Microgateway Engine interacts with the OpenID provider. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + required: + - oidcRelyingPartyRef + type: object + type: object + type: object + identityPropagation: + description: IdentityPropagation configures how the authenticated user's identity is communicated to the protected application. + properties: + actions: + description: Actions specifies the propagation actions. + items: + properties: + identityPropagationRef: + description: IdentityPropagationRef selects an IdentityPropagation to apply. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + required: + - identityPropagationRef + type: object + type: array + onFailure: + description: |- + OnFailure configures what should happen, if an identity propagation fails. Meaning of the possible values: + _Pass_: The request should be forwarded to the upstream, without including the information from the failed identity propagations. + enum: + - Pass + type: string + required: + - actions + - onFailure + type: object + required: + - authorization + type: object + maxItems: 1 + minItems: 1 + type: array + required: + - policies + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} diff --git a/charts/airlock/microgateway/4.3.2/crds/contentsecurities.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/contentsecurities.microgateway.airlock.com.yaml new file mode 100644 index 000000000..6d6092e38 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/crds/contentsecurities.microgateway.airlock.com.yaml @@ -0,0 +1,139 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.3.2 + name: contentsecurities.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: ContentSecurity + listKind: ContentSecurityList + plural: contentsecurities + singular: contentsecurity + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: ContentSecurity specifies the options to secure an upstream web application with a Microgateway Engine container. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Specifies the options to secure an upstream web application with a Microgateway Engine container. + properties: + apiProtection: + description: |- + APIProtection defines the relevant configurations to protect APIs. + If undefined, default settings are applied, designed to work with most upstream web application services. + properties: + graphQLRef: + description: |- + GraphQLRef selects the relevant GraphQL configuration resource. + If undefined, default settings are applied, designed to work with most upstream web application services. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + openAPIRef: + description: |- + OpenAPIRef selects the relevant OpenAPI configuration resource. + If undefined, default settings are applied, designed to work with most upstream web application services. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + type: object + filter: + description: |- + Filter defines the set of filters, e.g. Airlock Deny Rules, to be applied to incoming requests + to protect against various attack patterns. + If undefined, default settings are applied, designed to work with most upstream web application services. + properties: + denyRulesRef: + description: |- + DenyRulesRef selects the relevant DenyRules configuration resource. + If undefined, default settings are applied, designed to work with most upstream web application services. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + type: object + headerRewritesRef: + description: |- + HeaderRewritesRef selects the relevant HeaderRewrites. + If undefined, default settings are applied, designed to work with most upstream web application services. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + limitsRef: + description: |- + LimitsRef selects the relevant Limits configuration resource. + If undefined, default settings are applied, designed to work with most upstream web application services. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + parserRef: + description: |- + ParserRef selects the relevant Parser configuration resource. + If undefined, default settings are applied, designed to work with most upstream web application services. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/charts/airlock/microgateway/4.3.2/crds/denyrules.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/denyrules.microgateway.airlock.com.yaml new file mode 100644 index 000000000..e54df2ee2 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/crds/denyrules.microgateway.airlock.com.yaml @@ -0,0 +1,1804 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.3.2 + name: denyrules.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: DenyRules + listKind: DenyRulesList + plural: denyrules + singular: denyrules + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + DenyRules configures request filtering using Airlock built-in and custom deny rules. + Deny rules establish a negative security model. They define prohibited patterns which, when a match is found in a request, lead to it being blocked from reaching the upstream web application. + To handle possible false positives, lower the security level or define fine-granular deny rule exceptions + If undefined, default settings are applied, designed to work with most upstream web application services. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Specification of the desired deny rules behavior. + properties: + request: + description: Request configures deny rules for downstream requests. + properties: + builtIn: + description: BuiltIn configures the built-in deny rules. + properties: + exceptions: + description: Exceptions allows to define exceptions for specific requests and deny rules. + items: + description: |- + DenyRulesException defines an exception for deny rules. Exceptions may be defined by any or a combination of the following elements: blockedData (the request data causing a block) or requestConditions (properties of a request without taking into consideration the reason why a request has been blocked). + At least one of blockedData and requestConditions must be set. + properties: + blockedData: + description: BlockedData defines an exception based on the request data causing the block. + properties: + graphQL: + description: |- + GraphQL defines an exception based on a blocked GraphQL query. + Only one of parameter, header, path, pathSegment, json or graphQL can be set. + properties: + argument: + description: |- + Argument defines an argument of a field of the GraphQL query. + At least one of field, argument and value must be set. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + field: + description: |- + Field defines a field of the GraphQL query. + At least one of field, argument and value must be set. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: |- + Value defines the value of an argument of the GraphQL query. + At least one of field, argument and value must be set. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + header: + description: |- + Header defines an exception based on a blocked header. + Only one of parameter, header, path, pathSegment, json or graphQL can be set. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + json: + description: |- + JSON defines an exception based on a blocked JSON property. + Only one of parameter, header, path, pathSegment, json or graphQL can be set. + properties: + jsonPath: + description: |- + JSONPath defines the JSONPath pattern to match the path within the JSON. + Expressions in JSONPath i.e. `?(expr)` are not supported. + minLength: 1 + type: string + key: + description: |- + Key defines the key of the JSON property. + At most one of key and value can be set. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: |- + Value defines the value of the JSON property. + At most one of key and value can be set. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + parameter: + description: |- + Parameter defines an exception based on a blocked parameter. + Only one of parameter, header, path, pathSegment, json or graphQL can be set. + properties: + name: + description: Name defines the name of a parameter. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + source: + default: Any + description: Source defines the source of the parameter. + enum: + - Query + - Post + - Any + type: string + value: + description: Value defines the value of a parameter. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + path: + description: |- + Path defines an exception based on the blocked path. + Only one of parameter, header, path, pathSegment, json or graphQL can be set. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + pathSegment: + description: |- + PathSegment defines an exception based on a blocked path segment. + Only one of parameter, header, path, pathSegment, json or graphQL can be set. + properties: + segments: + description: Segments defines the position of a segment within the path. + properties: + index: + description: Index specifies an exact path segment position by index (0-based). + minimum: 0 + type: integer + type: object + value: + description: Value defines the value of a path segment. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + type: object + requestConditions: + description: RequestConditions defines an exception based on a property of a request without taking into consideration the reason why a request has been blocked. + properties: + header: + description: Header defines the matching headers of a request. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + invert: + default: false + description: Invert indicates whether the request condition should be inverted. + type: boolean + mediaType: + description: MediaType defines the matching media type from the content-type header of a request. + properties: + matcher: + description: |- + NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. + In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + method: + description: Method defines the matching methods of a request. + items: + description: Method defines common HTTP methods. + enum: + - GET + - HEAD + - POST + - PUT + - PATCH + - DELETE + - CONNECT + - OPTIONS + - TRACE + type: string + type: array + path: + description: Path defines the matching path of a request. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + remoteIP: + description: RemoteIP defines the matching remote IPs of a request. + properties: + cidrRanges: + description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. + items: + description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. + format: cidr + type: string + minItems: 1 + type: array + invert: + default: false + description: Invert indicates whether the match should be inverted. + type: boolean + required: + - cidrRanges + type: object + type: object + ruleKeys: + description: RuleKeys restricts the exception to a set of deny rules. + items: + description: |- + A deny rule name can be any of the following values: + ENCODING | + EXPLOIT | + HPP | + HTML | + IDOR | + LDAP | + NOSQL | + OGNL | + PHP | + PROTOCOL | + SANITY | + SCANNING | + SQL | + TEMPLATE | + UNIXCMD | + WINCMD | + XSS + enum: + - ENCODING + - EXPLOIT + - HPP + - HTML + - IDOR + - LDAP + - NOSQL + - OGNL + - PHP + - PROTOCOL + - SANITY + - SCANNING + - SQL + - TEMPLATE + - UNIXCMD + - WINCMD + - XSS + type: string + minItems: 1 + type: array + type: object + type: array + overrides: + description: Overrides allows to override the builtIn settings for specific deny rules. + items: + description: DenyRulesOverride allows to override the builtIn settings for specific deny rules. + properties: + conditions: + description: Conditions select which built-in deny rules' settings will be adjusted. + properties: + ruleKeys: + description: RuleKeys is a list of built-in deny rule names. + items: + description: |- + A deny rule name can be any of the following values: + ENCODING | + EXPLOIT | + HPP | + HTML | + IDOR | + LDAP | + NOSQL | + OGNL | + PHP | + PROTOCOL | + SANITY | + SCANNING | + SQL | + TEMPLATE | + UNIXCMD | + WINCMD | + XSS + enum: + - ENCODING + - EXPLOIT + - HPP + - HTML + - IDOR + - LDAP + - NOSQL + - OGNL + - PHP + - PROTOCOL + - SANITY + - SCANNING + - SQL + - TEMPLATE + - UNIXCMD + - WINCMD + - XSS + type: string + minItems: 1 + type: array + types: + description: Types defines the type of attributes the override should be applied on. If Types are defined without any RuleKeys the override is applied to all deny rules. + items: + description: |- + A deny rule override type name can be any of the following values: + Header | + Parameter | + Path | + JSON | + GraphQL + enum: + - Header + - Parameter + - Path + - PathSegment + - JSON + - GraphQL + type: string + minItems: 0 + type: array + type: object + settings: + description: Settings override the corresponding properties for the selected rules. + properties: + level: + description: Level specifies the filter strength. + enum: + - Unfiltered + - Basic + - Standard + - Strict + type: string + threatHandlingMode: + description: ThreatHandlingMode specifies how threats should be handled. + enum: + - Block + - LogOnly + type: string + type: object + type: object + type: array + settings: + description: Settings contains the keys which will be adjusted. + properties: + level: + default: Standard + description: Level represents a set of deny rules with different filter strengths. + enum: + - Unfiltered + - Basic + - Standard + - Strict + type: string + threatHandlingMode: + default: Block + description: ThreatHandlingMode specifies how threats should be handled when a deny rule matches. + enum: + - Block + - LogOnly + type: string + type: object + type: object + custom: + description: Custom allows configuring additional deny rules. + properties: + rules: + description: Rules defines list of additional deny rules. + items: + properties: + blockData: + description: BlockData specifies the request data which should cause a block. + properties: + graphQL: + description: |- + GraphQL specifies to block requests containing a matching GraphQL property. + At least one of field, argument and value must be set. + properties: + argument: + description: |- + Argument defines an argument of a field of the GraphQL query. + At least one of field, argument and value must be set. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + field: + description: |- + Field defines a field of the GraphQL query. + At least one of field, argument and value must be set. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: |- + Value defines the value of an argument of the GraphQL query. + At least one of field, argument and value must be set. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + header: + description: |- + Header specifies to block requests containing a matching header. + Only one of parameter, header, path, pathSegment or json can be set. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: |- + NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. + In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + json: + description: |- + JSON specifies to block requests containing a matching JSON property in the body. + Only one of parameter, header, path, pathSegment or json can be set. + properties: + key: + description: Key defines the key of a JSON object. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a JSON object. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + parameter: + description: |- + Parameter specifies to block requests containing a matching parameter. + Only one of parameter, header, path, pathSegment or json can be set. + properties: + name: + description: Name defines the name of a parameter. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a parameter. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + path: + description: |- + Path specifies to block requests with a matching path. + Only one of parameter, header, path, pathSegment or json can be set. + properties: + matcher: + description: Matcher specifies which path to block. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + pathSegment: + description: |- + PathSegment specifies to block requests containing a matching path segment. + Only one of parameter, header, path, pathSegment or json can be set. + properties: + segments: + description: |- + Segments restricts which path segments are filtered by this rule. + If not specified, all segments of a path are filtered. + properties: + index: + description: Index restricts the rule to the path segment at this index (0-based). + minimum: 0 + type: integer + type: object + value: + description: Value specifies which path segment values to block. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + required: + - value + type: object + type: object + requestConditions: + description: RequestConditions defines additional request properties which must be matched in order for this rule to apply. + properties: + header: + description: Header defines the matching headers of a request. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + invert: + default: false + description: Invert indicates whether the request condition should be inverted. + type: boolean + mediaType: + description: MediaType defines the matching media type from the content-type header of a request. + properties: + matcher: + description: |- + NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. + In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + method: + description: Method defines the matching methods of a request. + items: + description: Method defines common HTTP methods. + enum: + - GET + - HEAD + - POST + - PUT + - PATCH + - DELETE + - CONNECT + - OPTIONS + - TRACE + type: string + type: array + path: + description: Path defines the matching path of a request. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + remoteIP: + description: RemoteIP defines the matching remote IPs of a request. + properties: + cidrRanges: + description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. + items: + description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. + format: cidr + type: string + minItems: 1 + type: array + invert: + default: false + description: Invert indicates whether the match should be inverted. + type: boolean + required: + - cidrRanges + type: object + type: object + ruleKey: + description: RuleKey defines a technical key for the deny rule. Must be unique. + minLength: 1 + pattern: ^[A-Z][A-Z0-9_]*$ + type: string + threatHandlingMode: + default: Block + description: ThreatHandlingMode specifies how threats should be handled when a deny rule matches. + enum: + - Block + - LogOnly + type: string + required: + - blockData + - ruleKey + type: object + type: array + x-kubernetes-list-map-keys: + - ruleKey + x-kubernetes-list-type: map + type: object + type: object + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/charts/airlock/microgateway/4.3.2/crds/envoyclusters.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/envoyclusters.microgateway.airlock.com.yaml new file mode 100644 index 000000000..f5f257264 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/crds/envoyclusters.microgateway.airlock.com.yaml @@ -0,0 +1,58 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.3.2 + name: envoyclusters.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: EnvoyCluster + listKind: EnvoyClusterList + plural: envoyclusters + singular: envoycluster + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: EnvoyCluster is an additional Envoy Cluster resource which is added to those defined by the Airlock Microgateway. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Specification of the desired additional Envoy cluster. + properties: + value: + description: Value defines the Envoy Cluster which is added to those configured by the Airlock Microgateway. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/charts/airlock/microgateway/4.3.2/crds/envoyconfigurations.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/envoyconfigurations.microgateway.airlock.com.yaml new file mode 100644 index 000000000..9a26a34f4 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/crds/envoyconfigurations.microgateway.airlock.com.yaml @@ -0,0 +1,185 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.3.2 + name: envoyconfigurations.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: EnvoyConfiguration + listKind: EnvoyConfigurationList + plural: envoyconfigurations + singular: envoyconfiguration + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.status + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + EnvoyConfiguration is the Schema for the envoyconfigurations API + {{% notice warning %}} EnvoyConfiguration resources may contain sensitive information and thus RBAC permissions should be granted with care. {{% /notice %}} + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: EnvoyConfigurationSpec defines the desired state of EnvoyConfiguration + properties: + envoyResources: + properties: + clusters: + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + endpoints: + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + extensions: + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + listeners: + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + routes: + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + runtimes: + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + scopedRoutes: + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + secrets: + items: + type: object + x-kubernetes-preserve-unknown-fields: true + type: array + type: object + envoyResourcesRaw: + description: |- + EnvoyResourcesRaw defines the desired state for each resource type. The resources are stored as zstd compressed JSON bytes. + For debugging purposes, the resources can be inspected with the following command: `kubectl get envoyconfiguration -ojsonpath='{.spec.envoyResourcesRaw}' | base64 -d | zstd -d | jq` + format: byte + type: string + nodeID: + description: '**Deprecated:** This field is now ignored as NodeID is always derived from the resource name.' + type: string + type: object + status: + description: EnvoyConfigurationStatus defines the observed state of EnvoyConfiguration + properties: + conditions: + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status to another. + format: date-time + type: string + message: + description: A human-readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of EnvoyConfiguration condition. + type: string + required: + - status + - type + type: object + type: array + status: + type: string + xds: + properties: + resourceTypes: + additionalProperties: + description: XdsResourceTypeSyncStatus defines the sync status of xDS for a specific resource type + properties: + errorMessage: + description: ErrorMessage defines an optional message why the currently served resources of this resource type are rejected by the client. + type: string + resources: + additionalProperties: + description: XdsResourceStatus defines the status of xDS for a specific resource + properties: + version: + description: Version defines the version which is currently served for this resource. + type: string + required: + - version + type: object + description: Resources defines the resources which are currently served for this resource type. + type: object + status: + description: Status defines the current sync status of this resource type. + type: string + version: + description: Version defines the version which is currently served for this resource type. + type: string + required: + - resources + - status + - version + type: object + description: ResourceTypes defines the sync statuses for each resource type. + type: object + version: + description: Version defines the version of the underlying xDS snapshot. + type: integer + required: + - version + type: object + required: + - status + - xds + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/airlock/microgateway/4.3.2/crds/envoyhttpfilters.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/envoyhttpfilters.microgateway.airlock.com.yaml new file mode 100644 index 000000000..0b963eecc --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/crds/envoyhttpfilters.microgateway.airlock.com.yaml @@ -0,0 +1,58 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.3.2 + name: envoyhttpfilters.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: EnvoyHTTPFilter + listKind: EnvoyHTTPFilterList + plural: envoyhttpfilters + singular: envoyhttpfilter + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: EnvoyHTTPFilter is an additional Envoy HTTP Filter resource which is added to those defined by the Airlock Microgateway. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Specification of the desired additional Envoy HTTP filter. + properties: + value: + description: Value defines the HTTP filter which is added to those configured by the Airlock Microgateway. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + served: true + storage: true + subresources: {} diff --git a/charts/airlock/microgateway/4.3.2/crds/graphqls.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/graphqls.microgateway.airlock.com.yaml new file mode 100644 index 000000000..5029d7e16 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/crds/graphqls.microgateway.airlock.com.yaml @@ -0,0 +1,88 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.3.2 + name: graphqls.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: GraphQL + listKind: GraphQLList + plural: graphqls + singular: graphql + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: GraphQL contains the configuration for the GraphQL specification. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Specification of the desired GraphQL specification. + properties: + settings: + description: Settings defines the settings to configure GraphQL. + properties: + allowIntrospection: + default: true + description: AllowIntrospection specifies if the introspection system is exposed. + type: boolean + allowMutations: + default: true + description: AllowMutations specifies if mutations are allowed. + type: boolean + schema: + description: Specifies the GraphQL schema. + properties: + source: + description: Source specifies the GraphQL schema to be enforced. + properties: + configMapRef: + description: ConfigMapRef references the configmap by its name containing the well-known key 'schema.graphql'. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + type: object + required: + - source + type: object + threatHandlingMode: + default: Block + description: ThreatHandlingMode specifies how threats should be handled. + enum: + - Block + - LogOnly + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/airlock/microgateway/4.3.2/crds/headerrewrites.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/headerrewrites.microgateway.airlock.com.yaml new file mode 100644 index 000000000..166db49b7 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/crds/headerrewrites.microgateway.airlock.com.yaml @@ -0,0 +1,759 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.3.2 + name: headerrewrites.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: HeaderRewrites + listKind: HeaderRewritesList + plural: headerrewrites + singular: headerrewrites + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: HeaderRewrites is the Schema for the headerrewrites API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Specification of the desired header rewriting behavior. + properties: + request: + description: Request defines manipulations on upstream request headers. + properties: + add: + description: Add defines which request headers will be added before forwarding to the upstream. + properties: + custom: + description: |- + Custom allows configuring additional upstream request headers. + Add selected headers. + items: + properties: + headers: + description: Headers to add. + items: + description: HeaderRewritesHeader specifies a header with a particular value + properties: + name: + description: Name defines the name of a header. + minLength: 1 + type: string + value: + description: Value defines the value of a header. + type: string + required: + - name + - value + type: object + minItems: 1 + type: array + mode: + default: AddIfAbsent + description: Mode defines the header addition strategy. + enum: + - AddIfAbsent + - OverwriteOrAdd + type: string + name: + description: Name describing the configured operation. + minLength: 1 + type: string + required: + - headers + - name + type: object + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + allow: + description: |- + Allow defines which request headers will be forwarded to the upstream. + This can either be allHeaders or matchingHeaders. + Default: matchingHeaders: {...} + properties: + allHeaders: + description: AllHeaders specifies that all request headers should be forwarded. + type: object + matchingHeaders: + description: MatchingHeaders specifies which request headers should be forwarded. + properties: + builtIn: + description: BuiltIn allows configuring a set of predefined upstream request headers. + properties: + standardHeaders: + default: true + description: StandardHeaders defines whether the request headers which are forwarded to the upstream will be restricted to a set of common request headers. + type: boolean + type: object + custom: + description: Custom allows configuring additional upstream request headers. + items: + properties: + headers: + description: Headers to allow. + items: + description: |- + HeaderMatcher defines a matcher for an HTTP header. + At least one of name and value must be set. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + minItems: 1 + type: array + name: + description: Name describing the configured operation. Must be unique. + minLength: 1 + type: string + required: + - headers + - name + type: object + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: object + remove: + description: Remove defines which request headers will be removed before forwarding to the upstream. + properties: + builtIn: + description: BuiltIn allows configuring a set of predefined upstream request headers. + properties: + alternativeForwardedHeaders: + default: true + description: |- + AlternativeForwardedHeaders removes downstream request headers which could potentially + be abused to alter the upstream's view of the remote connection. + type: boolean + type: object + custom: + description: Custom allows configuring additional upstream request headers. + items: + properties: + headers: + description: Headers to remove. + items: + description: |- + HeaderMatcher defines a matcher for an HTTP header. + At least one of name and value must be set. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + minItems: 1 + type: array + name: + description: Name describing the configured operation. Must be unique. + minLength: 1 + type: string + required: + - headers + - name + type: object + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: object + response: + description: Response defines manipulations on upstream response headers. + properties: + add: + description: Add defines which response headers will be added before forwarding to the downstream. + properties: + builtIn: + description: BuiltIn allows configuring a set of predefined upstream response headers. + properties: + csp: + default: true + description: |- + CSP sets a content security policy which allows only same-origin requests except for images + if the 'Content-Security-Policy' header is not set by the upstream. + type: boolean + featurePolicy: + default: false + description: |- + FeaturePolicy sets a feature policy which prevents cross-origin use of several browser features + if the 'Feature-Policy' header is not set by the upstream. + **Deprecated:** Use permissionsPolicy instead. + type: boolean + hsts: + default: true + description: HSTS enforces the use of HTTPS if the 'Strict-Transport-Security' header is not already set by the upstream. + type: boolean + hstsPreload: + default: false + description: HSTSPreload enforces the use of HTTPS including for subdomains and enables HSTS preload. + type: boolean + permissionsPolicy: + default: true + description: |- + PermissionsPolicy sets a permissions policy which prevents cross-origin use of several browser features + if the 'Permissions-Policy' header is not set by the upstream. + type: boolean + referrerPolicy: + default: true + description: |- + ReferrerPolicy ensures that no 'Referer' header is sent for cross-origin requests + if the 'Referrer-Policy' header is not set by the upstream. + type: boolean + xContentTypeOptions: + default: true + description: XContentTypeOptions sets 'X-Content-Type-Options' to 'nosniff' if it is not set by the upstream. + type: boolean + xFrameOptions: + default: true + description: XFrameOptions sets 'X-Frame-Options' to SAMEORIGIN if it is not set by the upstream. + type: boolean + type: object + custom: + description: Custom allows configuring additional upstream response headers. + items: + properties: + headers: + description: Headers to add. + items: + description: HeaderRewritesHeader specifies a header with a particular value + properties: + name: + description: Name defines the name of a header. + minLength: 1 + type: string + value: + description: Value defines the value of a header. + type: string + required: + - name + - value + type: object + minItems: 1 + type: array + mode: + default: AddIfAbsent + description: Mode defines the header addition strategy. + enum: + - AddIfAbsent + - OverwriteOrAdd + type: string + name: + description: Name describing the configured operation. + minLength: 1 + type: string + required: + - headers + - name + type: object + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + allow: + description: |- + Allow defines which response headers will be forwarded to the downstream. + This can either be allHeaders or matchingHeaders. + Default: allHeaders: {} + properties: + allHeaders: + description: AllHeaders specifies that all response headers should be forwarded. + type: object + matchingHeaders: + description: MatchingHeaders specifies which response headers should be forwarded. + properties: + builtIn: + description: BuiltIn allows configuring a set of predefined upstream response header. + properties: + standardHeaders: + default: false + description: StandardHeaders defines whether the response headers which are forwarded to the downstream will be restricted to a set of common response headers. + type: boolean + type: object + custom: + description: Custom allows configuring additional upstream response headers. + items: + properties: + headers: + description: Headers to allow. + items: + description: |- + HeaderMatcher defines a matcher for an HTTP header. + At least one of name and value must be set. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + minItems: 1 + type: array + name: + description: Name describing the configured operation. Must be unique. + minLength: 1 + type: string + required: + - headers + - name + type: object + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: object + remove: + description: Remove defines which response headers will be removed before forwarding to the downstream. + properties: + builtIn: + description: BuiltIn allows configuring a set of predefined upstream response headers. + properties: + auth: + description: Auth defines the categories of headers concerning authentication. + properties: + basic: + default: false + description: Basic removes upstream response headers that advise clients to authenticate with Basic Authentication. + type: boolean + negotiate: + default: true + description: Negotiate removes upstream response headers that advise clients to authenticate with Negotiate. + type: boolean + ntlm: + default: true + description: |- + NTLM removes upstream response headers that advise clients to authenticate with NTLM. + By default, these headers are removed, because NTLM pass-through is not supported. + type: boolean + type: object + informationLeakage: + description: InformationLeakage defines the categories of headers concerning information leakage. + properties: + application: + default: true + description: Application removes upstream response headers that leak information about the deployed software. + type: boolean + server: + default: true + description: Server removes upstream response headers that leak information about the server. + type: boolean + type: object + permissiveCors: + default: true + description: PermissiveCORS removes upstream response headers for CORS (Cross-Origin Resource Sharing) which have no restrictions and therefore reduce client-side security. + type: boolean + type: object + custom: + description: Custom allows configuring additional upstream response headers. + items: + properties: + headers: + description: Headers to remove. + items: + description: |- + HeaderMatcher defines a matcher for an HTTP header. + At least one of name and value must be set. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + minItems: 1 + type: array + name: + description: Name describing the configured remove operation. Must be unique. + minLength: 1 + type: string + required: + - headers + - name + type: object + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: object + settings: + description: Settings configures the HeaderRewrites filter. + properties: + operationalMode: + default: Production + description: OperationalMode defines the behavior of the filter. In integration mode more information is logged about the requests and responses. + enum: + - Production + - Integration + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/airlock/microgateway/4.3.2/crds/identitypropagations.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/identitypropagations.microgateway.airlock.com.yaml new file mode 100644 index 000000000..e01a242b1 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/crds/identitypropagations.microgateway.airlock.com.yaml @@ -0,0 +1,108 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.3.2 + name: identitypropagations.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: IdentityPropagation + listKind: IdentityPropagationList + plural: identitypropagations + singular: identitypropagation + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: IdentityPropagation specifies the desired identity propagation. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Specification of the desired identity propagation. + properties: + header: + description: Header configures identity propagation via a request header. + properties: + name: + description: Name of the header to set. + minLength: 1 + type: string + value: + description: Value to propagate to the application. + properties: + source: + description: Source from which to extract the value. + properties: + metadata: + description: Metadata specifies to extract a value from an Envoy dynamic filter metadata key. + properties: + key: + description: Key specifies the metadata key from which to load the value, e.g. `some_payload.aud`. + minLength: 1 + type: string + namespace: + description: Namespace specifies the metadata namespace within which the lookup should be performed, e.g. `envoy.filters.http.jwt_authn`. + minLength: 1 + type: string + required: + - key + - namespace + type: object + oidc: + description: OIDC specifies to extract a value from the result of an OpenID Connect flow. + properties: + idToken: + description: IDToken specifies to extract the value from the OpenID Connect ID Token. + properties: + claim: + description: Claim selects the JWT claim from which to extract the value. + minLength: 1 + type: string + required: + - claim + type: object + required: + - idToken + type: object + type: object + required: + - source + type: object + required: + - name + - value + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} diff --git a/charts/airlock/microgateway/4.3.2/crds/limits.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/limits.microgateway.airlock.com.yaml new file mode 100644 index 000000000..4dad85aaf --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/crds/limits.microgateway.airlock.com.yaml @@ -0,0 +1,651 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.3.2 + name: limits.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: Limits + listKind: LimitsList + plural: limits + singular: limits + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Limits contains the configuration for limits. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Specification of the desired limits behavior. + properties: + request: + description: Request defines the limits for requests. + properties: + limited: + description: Limited enables limits on request scope. + properties: + exceptions: + description: Exceptions defines limit exceptions. + items: + description: LimitsException defines an exception for limits. + properties: + length: + description: Length defines an exception for length limits based on the data element exceeding the limit. + properties: + graphQL: + description: GraphQL defines a field, argument or value length limit exception for a GraphQL query. + properties: + argument: + description: |- + Argument restricts the exception to GraphQL queries with a matching argument of a field. + At least one of field, argument and value must be set. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + field: + description: |- + Field restricts the exception to GraphQL queries with a matching field. + At least one of field, argument and value must be set. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: |- + Value restricts the exception to GraphQL queries with a matching argument value. + At least one of field, argument and value must be set. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + json: + description: JSON defines a key and value length limit exception for a JSON property. + properties: + jsonPath: + description: |- + JSONPath restricts the exception to JSON properties with a matching JSONPath. + Expressions in JSONPath i.e. `?(expr)` are not supported. + minLength: 1 + type: string + required: + - jsonPath + type: object + parameter: + description: Parameter defines a name and value length limit exception for a parameter. + properties: + name: + description: Name restricts the exception to parameters with a matching name. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + source: + default: Any + description: Source restricts the exception to parameters of this kind. + enum: + - Query + - Post + - Any + type: string + required: + - name + type: object + type: object + requestConditions: + description: RequestConditions defines additional request properties which must be matched in order for this exception to apply. + properties: + header: + description: Header defines the matching headers of a request. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + invert: + default: false + description: Invert indicates whether the request condition should be inverted. + type: boolean + mediaType: + description: MediaType defines the matching media type from the content-type header of a request. + properties: + matcher: + description: |- + NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. + In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + method: + description: Method defines the matching methods of a request. + items: + description: Method defines common HTTP methods. + enum: + - GET + - HEAD + - POST + - PUT + - PATCH + - DELETE + - CONNECT + - OPTIONS + - TRACE + type: string + type: array + path: + description: Path defines the matching path of a request. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + remoteIP: + description: RemoteIP defines the matching remote IPs of a request. + properties: + cidrRanges: + description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. + items: + description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. + format: cidr + type: string + minItems: 1 + type: array + invert: + default: false + description: Invert indicates whether the match should be inverted. + type: boolean + required: + - cidrRanges + type: object + type: object + type: object + type: array + general: + description: General defines general request limits. + properties: + bodySize: + anyOf: + - type: integer + - type: string + default: 100Mi + description: BodySize limits the total size of the request body. It specifies the number of bytes (0 = unlimited). This limit is effective for any request not processed by one of the content parsers (e.g. json) as configured in the Parser CRD. **Note** This limit does not apply to WebSocket or gRPC traffic. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + pathLength: + anyOf: + - type: integer + - type: string + default: 1Ki + description: PathLength defines the maximum path length for all requests (parsed and unparsed). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + graphQL: + description: GraphQL defines the limits for GraphQL requests. + properties: + nestingDepth: + default: 10 + description: NestingDepth defines the maximum depth of nesting for GraphQL objects. + format: int64 + type: integer + querySize: + anyOf: + - type: integer + - type: string + default: 1Ki + description: QuerySize defines the maximum size for GraphQL queries. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + valueLength: + anyOf: + - type: integer + - type: string + default: "256" + description: ValueLength defines the maximum length for GraphQL values. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + json: + description: JSON defines the limits for JSON requests. + properties: + bodySize: + anyOf: + - type: integer + - type: string + default: 100Ki + description: BodySize limits the total size of the JSON request body. It specifies the number of bytes (0 = unlimited). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + elementCount: + default: 10000 + description: ElementCount defines the maximum number of keys and array items in the whole JSON document (recursive). + format: int64 + type: integer + keyCount: + default: 250 + description: KeyCount defines the maximum number of keys of a single JSON object (non-recursive). + format: int64 + type: integer + keyLength: + anyOf: + - type: integer + - type: string + default: "128" + description: KeyLength defines the maximum length for JSON keys. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + nestingDepth: + default: 100 + description: NestingDepth defines the maximum depth of nesting for JSON objects and JSON arrays. + format: int64 + type: integer + valueLength: + anyOf: + - type: integer + - type: string + default: 8Ki + description: ValueLength defines the maximum length for JSON values. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + multipart: + description: Multipart defines the limits for Multipart requests. + properties: + bodySize: + anyOf: + - type: integer + - type: string + default: 100Mi + description: BodySize limits the total size of the Multipart request body. It specifies the number of bytes (0 = unlimited). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + parameter: + description: Parameter defines the limits for request parameters. + properties: + bodySize: + anyOf: + - type: integer + - type: string + default: 100Ki + description: BodySize limits the total size of the form data body. It specifies the number of bytes (0 = unlimited). + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + count: + default: 128 + description: Count defines the maximum number of request parameters. + format: int64 + type: integer + nameLength: + anyOf: + - type: integer + - type: string + default: "128" + description: NameLength defines the maximum length for parameter names. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + valueLength: + anyOf: + - type: integer + - type: string + default: 8Ki + description: ValueLength defines the maximum length for parameter values. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + unlimited: + description: Unlimited disables all limits on request scope. + type: object + type: object + settings: + description: Settings configures the limits filter. + properties: + threatHandlingMode: + default: Block + description: ThreatHandlingMode specifies how threats should be handled when a limit hits. + enum: + - Block + - LogOnly + type: string + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/airlock/microgateway/4.3.2/crds/oidcproviders.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/oidcproviders.microgateway.airlock.com.yaml new file mode 100644 index 000000000..7d2ef8e9e --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/crds/oidcproviders.microgateway.airlock.com.yaml @@ -0,0 +1,305 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.3.2 + name: oidcproviders.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: OIDCProvider + listKind: OIDCProviderList + plural: oidcproviders + singular: oidcprovider + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + OIDCProvider specifies an OpenID Provider (OP). + + + {{% notice warning %}} The OIDC feature is currently in an experimental state. + + + We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as security has not yet been hardened. + In particular, the current implementation has the following limitations, which we intend to address in future Microgateway releases: + - The state parameter is guessable. + - Sessions are always shared across all Microgateway Engines using the same Redis instance. + I.e. if application A and B (with different SidecarGateways) have the same Redis instance configured in their SessionHandling CR, users which are logged into application A + may be able to access authenticated routes on application B, even if their OIDCRelyingParty configuration differs. + + + {{% /notice %}} + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Specification of an OpenID Provider. + properties: + static: + description: Static configures an OpenID Provider by explicitly specifying all endpoints. + properties: + endpoints: + description: Endpoints specifies the OpenID Provider endpoints. + properties: + authorization: + description: Authorization specifies the endpoint to which the authorization request is sent. + properties: + uri: + description: URI specifies the endpoint address. + format: uri + minLength: 1 + pattern: ^(http|https)://.*$ + type: string + required: + - uri + type: object + token: + description: Token configures the endpoint from which the access, ID and refresh tokens are obtained. + properties: + tls: + description: TLS defines TLS settings. + properties: + certificateVerification: + description: CertificateVerification specifies how the certificate presented by the server is verified. + properties: + custom: + description: |- + Custom explicitly specifies how the server certificate should be verified. + Typical use cases include specifying a custom CA and SAN match when working with self-signed certificates or pinning a specific public key. + properties: + allowedSANs: + description: |- + AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the + Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics, + that is to say, the SAN is verified if at least one matcher is matched. + AllowedSANs requires trustedCA to be set. + items: + description: |- + TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the + Subject Alternative Name of the presented certificate matches one of the specified matchers. + properties: + matcher: + description: Matcher defines the string matcher for the SAN value. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + sanType: + description: SanType defines the type of SAN matcher. + enum: + - DNS + - Email + - URI + - IPAddress + type: string + required: + - matcher + - sanType + type: object + minItems: 1 + type: array + certificatePinning: + description: |- + CertificatePinning defines constraints the presented certificate must fulfill. + If more than one constraint is configured only one must be satisfied. + At least one of allowedSPKIs and allowedHashes must be set. + properties: + allowedHashes: + description: |- + AllowedHashes is a list of hex-encoded SHA-256 hashes. + If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. + items: + type: string + minItems: 1 + type: array + allowedSPKIs: + description: |- + AllowedSPKIs is a list of base64-encoded SHA-256 hashes. + If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. + items: + type: string + minItems: 1 + type: array + type: object + crl: + description: CRL defines the Certificate Revocation List (CRL) settings. + properties: + lists: + description: Lists defines the list of secretRefs containing Certificate Revocation Lists. + items: + properties: + secretRef: + description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + required: + - secretRef + type: object + minItems: 1 + type: array + validationMode: + default: VerifyChain + description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked. + enum: + - VerifyLeafCertOnly + - VerifyChain + type: string + type: object + trustedCA: + description: TrustedCA defines which CA certificates are trusted. + properties: + certificates: + description: Certificates defines the list of secretRefs containing trusted CA certificates. + items: + properties: + secretRef: + description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + required: + - secretRef + type: object + minItems: 1 + type: array + verificationDepth: + default: 1 + description: |- + VerificationDepth specifies the hops in the certificate chain at which validation is performed. + 1 means that either the leaf or the signing CA must be in the set of trusted certificates. + format: int32 + type: integer + required: + - certificates + type: object + type: object + disabled: + description: |- + Disabled specifies to trust any certificate without verification. + THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING. + type: object + publicCAs: + description: PublicCAs specifies to only accept certificates with a SAN matching "uri" and which are signed by a CA which is either directly or indirectly trusted by any of the root CA certificates shipped with the Airlock Microgateway Engine's base image. + type: object + type: object + ciphers: + description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration. + items: + type: string + minItems: 1 + type: array + protocol: + description: Protocol defines the supported TLS protocol versions. + properties: + maximum: + description: Maximum supported TLS version. + enum: + - TLSv1_0 + - TLSv1_1 + - TLSv1_2 + - TLSv1_3 + type: string + minimum: + description: Minimum supported TLS version. + enum: + - TLSv1_0 + - TLSv1_1 + - TLSv1_2 + - TLSv1_3 + type: string + type: object + type: object + uri: + description: URI specifies the endpoint address. + format: uri + minLength: 1 + pattern: ^(http|https)://.*$ + type: string + required: + - uri + type: object + required: + - authorization + - token + type: object + required: + - endpoints + type: object + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} diff --git a/charts/airlock/microgateway/4.3.2/crds/oidcrelyingparties.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/oidcrelyingparties.microgateway.airlock.com.yaml new file mode 100644 index 000000000..b1cba83b1 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/crds/oidcrelyingparties.microgateway.airlock.com.yaml @@ -0,0 +1,224 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.3.2 + name: oidcrelyingparties.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: OIDCRelyingParty + listKind: OIDCRelyingPartyList + plural: oidcrelyingparties + singular: oidcrelyingparty + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + OIDCRelyingParty specifies how the Airlock Microgateway Engine interacts with an OpenID Provider (OP). + + + {{% notice warning %}} The OIDC feature is currently in an experimental state. + + + We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as security has not yet been hardened. + In particular, the current implementation has the following limitations, which we intend to address in future Microgateway releases: + - The state parameter is guessable. + - Sessions are always shared across all Microgateway Engines using the same Redis instance. + I.e. if application A and B (with different SidecarGateways) have the same Redis instance configured in their SessionHandling CR, users which are logged into application A + may be able to access authenticated routes on application B, even if their OIDCRelyingParty configuration differs. + + + {{% /notice %}} + {{% notice info %}} The OIDC feature requires SessionHandling to be configured in the SidecarGateway. {{% /notice %}} + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Specification of the OIDC Relying Party configuration. + properties: + clientID: + description: ClientID specifies the OIDCRelyingParty "client_id". + minLength: 1 + type: string + credentials: + description: Credentials used for client authentication on the back-channel with the authorization server. + properties: + clientSecret: + description: ClientSecret authenticates with the client password issued by the OpenID Provider (OP). + properties: + method: + default: BasicAuth + description: Method specifies in which format the client secret is sent with the authorization request. + enum: + - BasicAuth + - FormURLEncoded + type: string + secretRef: + description: SecretRef specifies the kubernetes secret containing the client password with key "client.secret". + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + required: + - secretRef + type: object + required: + - clientSecret + type: object + oidcProviderRef: + description: OIDCProviderRef selects the OpenID Provider (OP) used to authenticate users. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + pathMapping: + description: PathMapping configures the action matching. + properties: + logoutPath: + description: LogoutPath specifies which request paths should initiate a logout. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + redirectPath: + description: RedirectPath specifies which request paths should be interpreted as a response from the authorization endpoint. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + required: + - logoutPath + - redirectPath + type: object + redirectURI: + description: |- + RedirectURI configures the "redirect_uri" parameter included in the authorization request. + May contain envoy command operators, e.g. '%REQ(:x-forwarded-proto)%://%REQ(:authority)%/callback'. + minLength: 1 + type: string + required: + - clientID + - credentials + - oidcProviderRef + - pathMapping + - redirectURI + type: object + required: + - spec + type: object + served: true + storage: true + subresources: {} diff --git a/charts/airlock/microgateway/4.3.2/crds/openapis.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/openapis.microgateway.airlock.com.yaml new file mode 100644 index 000000000..7ba7160c5 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/crds/openapis.microgateway.airlock.com.yaml @@ -0,0 +1,167 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.3.2 + name: openapis.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: OpenAPI + listKind: OpenAPIList + plural: openapis + singular: openapi + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: OpenAPI contains the configuration for the OpenAPI specification. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Specification of the desired OpenAPI specification. + properties: + response: + description: Response defines the validation behaviour for responses. + properties: + secured: + description: Secured enables response checking. + properties: + validation: + default: Lax + description: Validation defines the validation mode for responses. + enum: + - Lax + - Strict + type: string + type: object + unsecured: + description: Unsecured disables response checking. + type: object + type: object + settings: + description: Settings defines the settings to configure OpenAPI specification enforcement. + properties: + logging: + description: Logging specifies the access log behavior. + properties: + maxFailedSubvalidations: + default: 10 + description: MaxFailedSubvalidations defines the maximum number of failed subvalidations being logged. + format: int64 + type: integer + type: object + schema: + description: Schema configures the OpenAPI specification. + properties: + source: + description: Source specifies the OpenAPI specification to be enforced. + properties: + configMapRef: + description: ConfigMapRef references the configmap by its name containing the well-known key 'openapi.json'. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + type: object + required: + - source + type: object + threatHandlingMode: + default: Block + description: ThreatHandlingMode specifies how threats should be handled. + enum: + - Block + - LogOnly + type: string + validation: + description: Validation specifies the patterns for the validation behavior. + properties: + authentication: + description: Authentication defines the settings for the authentication scheme. + properties: + oAuth2: + description: OAuth2 specifies the OAuth2 parameters. + properties: + allowedParameters: + description: AllowedParameters specifies the allowed parameters for the authentication scheme. + properties: + builtIn: + description: BuiltIn allows configuring a set of predefined allowed parameters. + properties: + standardParameters: + default: true + description: StandardParameters defines whether the allowed parameters should be expanded by the set of common parameters. + type: boolean + type: object + custom: + description: Custom allows configuring additional allowed parameters. + items: + minLength: 1 + type: string + minItems: 1 + type: array + type: object + type: object + oidc: + description: Oidc specifies the OIDC parameters. + properties: + allowedParameters: + description: AllowedParameters specifies the allowed parameters for the authentication scheme. + properties: + builtIn: + description: BuiltIn allows configuring a set of predefined allowed parameters. + properties: + standardParameters: + default: true + description: StandardParameters defines whether the allowed parameters should be expanded by the set of common parameters. + type: boolean + type: object + custom: + description: Custom allows configuring additional allowed parameters. + items: + minLength: 1 + type: string + minItems: 1 + type: array + type: object + type: object + type: object + type: object + required: + - schema + type: object + required: + - settings + type: object + required: + - spec + type: object + served: true + storage: true diff --git a/charts/airlock/microgateway/4.3.2/crds/parsers.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/parsers.microgateway.airlock.com.yaml new file mode 100644 index 000000000..b3d51efe6 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/crds/parsers.microgateway.airlock.com.yaml @@ -0,0 +1,358 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.3.2 + name: parsers.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: Parser + listKind: ParserList + plural: parsers + singular: parser + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Parser contains the configuration for content parsers (default and custom). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Specification of the desired parser behavior. + properties: + request: + description: Request defines the parsing for downstream requests. + properties: + custom: + description: Custom allows configuring additional rules for parser selection. + properties: + rules: + description: |- + Rules defines a custom set prepended before built-in rules of enabled request parsers. + Disable all built-in parsers to overrule them completely. + items: + properties: + action: + description: |- + Action specifies what should happen when a request condition matches. + Only one of parse or skip can be set. + properties: + parse: + description: Parse activates the configured parser. + properties: + form: + description: Form activates the Form parser. + type: object + json: + description: JSON activates the JSON parser. + type: object + multipart: + description: Multipart activates the multipart parser. + type: object + type: object + skip: + description: Skip disables any content parsing + type: object + type: object + requestConditions: + description: RequestConditions defines additional request properties which must be matched in order for this rule to apply. + properties: + header: + description: Header defines the matching headers of a request. + properties: + name: + description: Name defines the name of a header. + properties: + matcher: + description: Matcher defines the way to match a string. In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + value: + description: Value defines the value of a header. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + type: object + invert: + default: false + description: Invert indicates whether the request condition should be inverted. + type: boolean + mediaType: + description: MediaType defines the matching media type from the content-type header of a request. + properties: + matcher: + description: |- + NonInvertableCaseInsensitiveStringMatcher defines the way to match a string. + In comparison to a normal StringMatcher, a value is always matched ignoring the case and can't be inverted. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + method: + description: Method defines the matching methods of a request. + items: + description: Method defines common HTTP methods. + enum: + - GET + - HEAD + - POST + - PUT + - PATCH + - DELETE + - CONNECT + - OPTIONS + - TRACE + type: string + type: array + path: + description: Path defines the matching path of a request. + properties: + matcher: + description: StringMatcher defines the way to match a string. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + required: + - matcher + type: object + remoteIP: + description: RemoteIP defines the matching remote IPs of a request. + properties: + cidrRanges: + description: CIDRRanges defines the IPv4 or IPv6 CIDR ranges, e.g. ``196.148.3.128/26`` or ``2001:db8::/28``. + items: + description: CIDRRange defines an IPv4 or IPv6 CIDR range, e.g. “196.148.3.128/26“ or “2001:db8::/28“. + format: cidr + type: string + minItems: 1 + type: array + invert: + default: false + description: Invert indicates whether the match should be inverted. + type: boolean + required: + - cidrRanges + type: object + type: object + required: + - action + - requestConditions + type: object + type: array + type: object + defaultContentType: + default: application/x-www-form-urlencoded + description: DefaultContentType specifies the content-type header which should be injected into the request before parser selection if it is not already present and the request has a body. + minLength: 1 + type: string + parsers: + description: Parsers defines the configuration for the available content parsers. + properties: + form: + description: Form defines the configuration for the form parser. + properties: + enable: + default: true + description: Enable defines whether form payloads are inspected. + type: boolean + mediaTypePattern: + default: .*urlencoded.* + description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as form arguments. + minLength: 1 + type: string + type: object + json: + description: JSON defines the configuration for the JSON parser. + properties: + enable: + default: true + description: Enable defines whether json payloads are inspected. + type: boolean + mediaTypePattern: + default: .*json.* + description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as JSON. + minLength: 1 + type: string + type: object + multipart: + description: Multipart defines the configuration for the multipart parser. + properties: + enable: + default: true + description: Enable defines whether multipart payloads are inspected. + type: boolean + mediaTypePattern: + default: .*multipart.* + description: MediaTypePattern is a regex specifying the media types for which the request body should be treated as a multipart payload. + minLength: 1 + type: string + type: object + type: object + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/airlock/microgateway/4.3.2/crds/redisproviders.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/redisproviders.microgateway.airlock.com.yaml new file mode 100644 index 000000000..32a23cbc1 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/crds/redisproviders.microgateway.airlock.com.yaml @@ -0,0 +1,159 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.3.2 + name: redisproviders.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: RedisProvider + listKind: RedisProviderList + plural: redisproviders + singular: redisprovider + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: RedisProvider contains a client configuration for connecting to a Redis database. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Specification of a Redis database client configuration. + properties: + auth: + description: Auth specifies the Redis credentials. + properties: + password: + description: Password specifies the Redis password. + properties: + secretRef: + description: SecretRef selects the secret containing the Redis password under the key 'redis.password'. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + required: + - secretRef + type: object + username: + default: default + description: Username specifies the Redis username to authenticate with. + minLength: 1 + pattern: ^[^\s]+$ + type: string + required: + - password + type: object + mode: + description: Mode configures the redis deployment mode. + properties: + standalone: + description: Standalone specifies the standalone Redis instance to connect to. + properties: + host: + description: Host specifies the IP or hostname. + minLength: 1 + pattern: ^(\d{1,3}(\.\d{1,3}){3}|([0-9a-fA-F]{1,4}|:)+(:\d{1,3}(\.\d{1,3}){3})?|[a-z0-9\-]+(\.[a-z0-9\-]+)*)$ + type: string + port: + default: 6379 + description: Port specifies the port. + maximum: 65535 + minimum: 1 + type: integer + required: + - host + type: object + type: object + timeouts: + description: Timeouts specifies the timeouts when interacting with the Redis endpoint. + properties: + connect: + default: 5s + description: Connect specifies the timeout for establishing a connection. + type: string + maxDuration: + default: 2s + description: MaxDuration specifies the response timeout. + type: string + type: object + tls: + description: TLS defines TLS settings. If not specified, TLS is disabled i.e. unencrypted TCP is used when connecting to the Redis instance. + properties: + certificateVerification: + description: CertificateVerification specifies how the certificate presented by the server is verified. + properties: + custom: + description: Custom explicitly specifies how the server certificate should be verified. + properties: + trustedCA: + description: TrustedCA defines which CA certificates are trusted. + properties: + certificates: + description: Certificates defines the list of secretRefs containing trusted CA certificates. + items: + properties: + secretRef: + description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + required: + - secretRef + type: object + minItems: 1 + type: array + required: + - certificates + type: object + required: + - trustedCA + type: object + disabled: + description: 'Disabled specifies to trust any certificate without verification. THIS IS INSECURE AND SHOULD ONLY BE USED FOR TESTING. Note: This setting currently also disables TLS SNI.' + type: object + publicCAs: + description: PublicCAs specifies to only accept certificates with a SAN matching the host and which are signed by a CA which is either directly or indirectly trusted by any of the root CA certificates shipped with the Airlock Microgateway Session Agent’s base image. + type: object + type: object + type: object + required: + - mode + type: object + required: + - spec + type: object + served: true + storage: true diff --git a/charts/airlock/microgateway/4.3.2/crds/sessionhandlings.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/sessionhandlings.microgateway.airlock.com.yaml new file mode 100644 index 000000000..da22e63a5 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/crds/sessionhandlings.microgateway.airlock.com.yaml @@ -0,0 +1,77 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.3.2 + name: sessionhandlings.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: SessionHandling + listKind: SessionHandlingList + plural: sessionhandlings + singular: sessionhandling + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + SessionHandling contains the configuration for session handling. + + + {{% notice warning %}} The Session Handling feature (required for OIDC) is currently in an experimental state. + + + We encourage you to try it out and give feedback, but be aware that we do not recommend using it in a production environment yet, as high-availability Redis configurations (e.g. Sentinel/Cluster) are not yet supported. + {{% /notice %}} + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Specification of the desired session handling behavior. + properties: + persistence: + description: Persistence configures where to store the session state. + properties: + redisProviderRef: + description: RedisProviderRef specifies to cache session information in the provided Redis instance. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + required: + - redisProviderRef + type: object + required: + - persistence + type: object + required: + - spec + type: object + served: true + storage: true diff --git a/charts/airlock/microgateway/4.3.2/crds/sidecargateways.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/sidecargateways.microgateway.airlock.com.yaml new file mode 100644 index 000000000..c9ec220a8 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/crds/sidecargateways.microgateway.airlock.com.yaml @@ -0,0 +1,758 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.3.2 + name: sidecargateways.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: SidecarGateway + listKind: SidecarGatewayList + plural: sidecargateways + singular: sidecargateway + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.status + name: Status + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: SidecarGateway contains the configuration how to configure the Airlock Microgateway Engine when used as Sidecar Container within the Pod of an application. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Specification of the desired sidecar gateway behavior. + properties: + applications: + description: Applications defines applications which run on different ports. + items: + properties: + containerPort: + default: 8080 + description: |- + ContainerPort refers to the container port. + This must be a valid port number, 0 < x < 65536. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + downstream: + description: Downstream defines the downstream configuration for this application + properties: + protocol: + description: |- + Protocol defines the exposed HTTP protocol version. At most one of http1, http2 and auto can be set. + Default: auto: {} + properties: + auto: + description: Auto specifies that the protocol should be inferred. + properties: + http2: + description: HTTP2 specifies the settings for when HTTP/2 is inferred. + properties: + allowConnect: + default: false + description: Allows proxying Websocket and other upgrades over H2 connect. + type: boolean + type: object + type: object + http1: + description: HTTP1 specifies that the client is assumed to speak HTTP/1.1. + type: object + http2: + description: HTTP2 specifies that the client is assumed to speak HTTP/2. + properties: + allowConnect: + default: false + description: Allows proxying Websocket and other upgrades over H2 connect. + type: boolean + type: object + type: object + remoteIP: + description: |- + RemoteIP defines how the remote IP of a client is propagated. + Default: xff: {...} + properties: + connectionIP: + description: ConnectionIP configures to use the source IP address of the direct downstream connection. + type: object + customHeader: + description: CustomHeader specifies to use a custom header for remote IP extraction. + properties: + headerName: + description: HeaderName specifies the name of the custom header containing the remote IP. + minLength: 1 + type: string + required: + default: true + description: Required specifies if the custom header is required. If true and not available the request will be rejected with 403. + type: boolean + required: + - headerName + type: object + xff: + description: XFF configures to use the standard 'X-Forwarded-For' header for IP extraction. + properties: + numTrustedHops: + default: 1 + description: NumTrustedHops specifies to extract the client's originating IP from the nth rightmost entry in the X-Forwarded-For header. With the default value of 1, the IP is extracted from the rightmost entry. + format: int32 + minimum: 1 + type: integer + type: object + type: object + requestNormalizations: + description: RequestNormalizations defines a set of normalization actions which are applied to the request before route matching. + properties: + mergeSlashes: + default: true + description: MergeSlashes ensures that adjacent slashes in the path are merged into one. + type: boolean + normalizePath: + default: true + description: NormalizePath ensures normalization according to RFC 3986 without case normalization. + type: boolean + type: object + restrictions: + description: Restrictions defines restrictions for downstream. + properties: + http: + description: HTTP defines limits for the HTTP protocol. + properties: + headersLength: + anyOf: + - type: integer + - type: string + default: 60Ki + description: HeadersLength defines maximum size of all request headers combined. Requests that exceed this limit will receive a 431 response. + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + x-kubernetes-int-or-string: true + type: object + type: object + timeouts: + description: Timeouts defines timeouts for downstream + properties: + http: + description: HTTP defines the settings for HTTP timeouts. + properties: + idle: + default: 5m + description: |- + Idle defines the settings for the idle timeout when no data is sent or received. + A value of 0 will completely disable the timeout. + Default: 5m + type: string + maxDuration: + default: 5m + description: |- + MaxDuration defines the total duration for a HTTP request/response stream. + A value of 0 will completely disable the timeout. + Default: 5m + type: string + requestHeaders: + default: 10s + description: |- + RequestHeaders defines the duration before all request headers must be received. + A value of 0 will completely disable the timeout. + Default: 10s + type: string + type: object + type: object + tls: + description: TLS defines the TLS settings. + properties: + ciphers: + description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration. + items: + type: string + minItems: 1 + type: array + clientCertificate: + description: |- + ClientCertificate defines the TLS settings for verification of client certificates. + At most one of ignored, optional and required can be set. + Default: ignored: {} + properties: + ignored: + description: Ignored disables verification of the client certificate. + type: object + optional: + description: |- + Optional enables verification of the client certificate if one is presented. + In this mode only trustedCA and crl settings can be configured since certificatePinning and allowedSANs require a client certificate. + properties: + crl: + description: CRL defines the Certificate Revocation List (CRL) settings. + properties: + lists: + description: Lists defines the list of secretRefs containing Certificate Revocation Lists. + items: + properties: + secretRef: + description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + required: + - secretRef + type: object + minItems: 1 + type: array + validationMode: + default: VerifyChain + description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked. + enum: + - VerifyLeafCertOnly + - VerifyChain + type: string + type: object + trustedCA: + description: TrustedCA defines which CA certificates are trusted. + properties: + certificates: + description: Certificates defines the list of secretRefs containing trusted CA certificates. + items: + properties: + secretRef: + description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + required: + - secretRef + type: object + minItems: 1 + type: array + verificationDepth: + default: 1 + description: |- + VerificationDepth specifies the hops in the certificate chain at which validation is performed. + 1 means that either the leaf or the signing CA must be in the set of trusted certificates. + format: int32 + type: integer + required: + - certificates + type: object + required: + - trustedCA + type: object + required: + description: |- + Required contains settings for client certificate verification. A client must present a valid certificate. + At least one of trustedCA and certificatePinning must be set. + properties: + allowedSANs: + description: |- + AllowedSANs is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the + Subject Alternative Name of the presented certificate matches one of the specified matchers. The matching uses “any” semantics, + that is to say, the SAN is verified if at least one matcher is matched. + AllowedSANs requires trustedCA to be set. + items: + description: |- + TLSValidationContextSANMatcher is a list of matchers to verify the Subject Alternative name. If specified, it will verify that the + Subject Alternative Name of the presented certificate matches one of the specified matchers. + properties: + matcher: + description: Matcher defines the string matcher for the SAN value. + properties: + contains: + description: |- + Contains defines a substring match on the substring specified here. Empty contains match is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + exact: + description: |- + Exact defines an explicit match on the string specified here. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + ignoreCase: + default: false + description: IgnoreCase indicates whether the matching should be case-insensitive. In case of a regex match, the regex gets wrapped with a group `(?i:...)`. + type: boolean + prefix: + description: |- + Prefix defines a prefix match on the prefix specified here. Empty prefix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + regex: + description: |- + Regex defines a regex match on the regular expression specified here. Google's [RE2 regex engine](https://github.com/google/re2/wiki/Syntax) is used. + The regex matches only single-line by default, even with ".*". To match a multi-line string prepend (?s) to your regex. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + suffix: + description: |- + Suffix defines a suffix match on the suffix specified here. Empty suffix is not allowed, please use regex instead. + Only one of exact, prefix, suffix, regex or contains can be set. + minLength: 1 + type: string + type: object + sanType: + description: SanType defines the type of SAN matcher. + enum: + - DNS + - Email + - URI + - IPAddress + type: string + required: + - matcher + - sanType + type: object + minItems: 1 + type: array + certificatePinning: + description: |- + CertificatePinning defines the constraints a client certificate must fulfill. + If more than one constraint is configured only one must be satisfied. + At least one of allowedSPKIs and allowedHashes must be set. + properties: + allowedHashes: + description: |- + AllowedHashes is a list of hex-encoded SHA-256 hashes. + If specified, it will verify that the SHA-256 of the DER-encoded presented certificate matches one of the specified values. + items: + type: string + minItems: 1 + type: array + allowedSPKIs: + description: |- + AllowedSPKIs is a list of base64-encoded SHA-256 hashes. + If specified, it will verify that the SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate matches one of the specified values. + items: + type: string + minItems: 1 + type: array + type: object + crl: + description: CRL defines the Certificate Revocation List (CRL) settings. + properties: + lists: + description: Lists defines the list of secretRefs containing Certificate Revocation Lists. + items: + properties: + secretRef: + description: SecretRef defines the reference to a secret containing one or more CRL's (in PEM format) under the key 'ca.crl'. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + required: + - secretRef + type: object + minItems: 1 + type: array + validationMode: + default: VerifyChain + description: ValidationMode defines whether only the leaf certificate or also the CA certs should be checked. + enum: + - VerifyLeafCertOnly + - VerifyChain + type: string + type: object + trustedCA: + description: TrustedCA defines which CA certificates are trusted. + properties: + certificates: + description: Certificates defines the list of secretRefs containing trusted CA certificates. + items: + properties: + secretRef: + description: SecretRef defines the reference to a secret containing one or more CA certificates under the key 'ca.crt'. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + required: + - secretRef + type: object + minItems: 1 + type: array + verificationDepth: + default: 1 + description: |- + VerificationDepth specifies the hops in the certificate chain at which validation is performed. + 1 means that either the leaf or the signing CA must be in the set of trusted certificates. + format: int32 + type: integer + required: + - certificates + type: object + type: object + type: object + enable: + default: false + description: Enable defines if the downstream connection is encrypted. + type: boolean + protocol: + description: Protocol defines the supported TLS protocol versions. + properties: + maximum: + description: Maximum supported TLS version. + enum: + - TLSv1_0 + - TLSv1_1 + - TLSv1_2 + - TLSv1_3 + type: string + minimum: + description: Minimum supported TLS version. + enum: + - TLSv1_0 + - TLSv1_1 + - TLSv1_2 + - TLSv1_3 + type: string + type: object + secretRef: + description: SecretRef defines the reference to the TLS server certificate (secret of type kubernetes.io/tls). + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + xfcc: + description: |- + XFCC defines the handling of X-Forwarded-Client-Cert header. Meaning of the possible values: + _Sanitize_: Do not send the XFCC header to the next hop. This is the default value. + _ForwardOnly_: When the client connection is mTLS (Mutual TLS), forward the XFCC header in the request. + _AppendAndForward_: When the client connection is mTLS, append the client certificate information to the request’s XFCC header and forward it. + _SanitizeAndSet_: When the client connection is mTLS, reset the XFCC header with the client certificate information and send it to the next hop. + _AlwaysForwardOnly_: Always forward the XFCC header in the request, regardless of whether the client connection is mTLS. + Note: When forwarding the XFCC header in the request you might have to adjust the header length restrictions (See sidecargateway.spec.applications.downstream.restrictions.http) + enum: + - Sanitize + - ForwardOnly + - AppendAndForward + - SanitizeAndSet + - AlwaysForwardOnly + type: string + type: object + type: object + envoyHTTPFilterRefs: + description: EnvoyHTTPFilterRefs selects the relevant EnvoyHTTPFilters. + properties: + prepend: + description: Prepend selects the relevant EnvoyHTTPFilters which are added before those configured by the Airlock Microgateway. + items: + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + type: array + type: object + routes: + description: Routes defines the security configurations for different paths. The first matching route (from top to bottom) applies. + items: + description: |- + SidecarGatewayApplicationRoute defines the security configurations for different paths. + At most one of secured and unsecured can be set. + Default: secured: {...} + properties: + pathPrefix: + default: / + description: PathPrefix defines the path prefix used during route selection. + minLength: 1 + type: string + secured: + description: Secured enables WAF processing for this route. + properties: + accessControlRef: + description: |- + AccessControlRef selects the relevant AccessControl configuration resource. + If undefined, Airlock Microgateway does not perform any access control. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + contentSecurityRef: + description: |- + ContentSecurityRef selects the relevant ContentSecurity configuration resource. + If undefined, default settings are applied, designed to work with most upstream web application services. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + type: object + unsecured: + description: |- + Unsecured disables all WAF functionality and therefore protection for this route. + WARNING: Using this setting when the application is exposed to untrusted downstream traffic is highly discouraged. + type: object + type: object + type: array + x-kubernetes-list-map-keys: + - pathPrefix + x-kubernetes-list-type: map + telemetryRef: + description: |- + TelemetryRef selects the relevant Telemetry configuration resource. + If undefined, default settings are applied, designed to work with most upstream web application services. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + upstream: + description: Upstream defines the upstream configuration for this application + properties: + protocol: + description: |- + Protocol defines HTTP protocol version used to communicate with the upstream. At most one of http1, http2 and auto can be set. + Default: auto: {} + properties: + auto: + description: Auto specifies to negotiate the protocol with TLS ALPN (if TLS is enabled) or, as a fallback, use the same protocol that is used by the downstream connection. + properties: + http2: + description: HTTP2 specifies the settings for when HTTP/2 is inferred. + properties: + allowConnect: + default: false + description: Allows proxying Websocket and other upgrades over H2 connect. + type: boolean + type: object + type: object + http1: + description: HTTP1 specifies to use HTTP/1.1. + type: object + http2: + description: HTTP2 specifies to use HTTP/2. + properties: + allowConnect: + default: false + description: Allows proxying Websocket and other upgrades over H2 connect. + type: boolean + type: object + type: object + timeouts: + description: Timeouts defines the timeout settings. + properties: + http: + description: HTTP defines the settings for HTTP timeouts. + properties: + idle: + description: |- + Timeout defines the settings for http timeouts. If this setting is not specified, the value of applications[].downstream.timeouts.http.idle is inherited. + A value of 0 will completely disable the timeout. + type: string + maxDuration: + default: 15s + description: |- + MaxDuration defines the total duration for a HTTP request/response stream. + Default: 15s + type: string + type: object + type: object + tls: + description: TLS defines the TLS settings. + properties: + ciphers: + description: Ciphers defines a list of the supported TLS cipher suites. For details on cipher list refer to the envoy documentation on cipher_suites in common tls configuration. + items: + type: string + minItems: 1 + type: array + enable: + default: false + description: Enable defines if the upstream connection is encrypted. + type: boolean + protocol: + description: Protocol defines the supported TLS protocol versions. + properties: + maximum: + description: Maximum supported TLS version. + enum: + - TLSv1_0 + - TLSv1_1 + - TLSv1_2 + - TLSv1_3 + type: string + minimum: + description: Minimum supported TLS version. + enum: + - TLSv1_0 + - TLSv1_1 + - TLSv1_2 + - TLSv1_3 + type: string + type: object + type: object + type: object + type: object + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - containerPort + x-kubernetes-list-type: map + envoyClusterRefs: + description: EnvoyClusterRefs selects the relevant EnvoyClusters. + items: + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + podSelector: + description: PodSelector defines to which Pods the configuration will be applied to. + properties: + matchLabels: + additionalProperties: + type: string + description: MatchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels. + type: object + type: object + sessionHandlingRef: + description: SessionHandlingRef selects the SessionHandling configuration to apply. + properties: + name: + description: Name of the resource + minLength: 1 + type: string + required: + - name + type: object + required: + - applications + type: object + status: + description: Most recently observed status of the SidecarGateway which is populated by the system. This data is read-only and may not be up to date. + properties: + conditions: + items: + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status to another. + format: date-time + type: string + message: + description: A human-readable message indicating details about the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type of SidecarGateway condition. + type: string + required: + - status + - type + type: object + type: array + pods: + items: + properties: + envoyConfig: + description: EnvoyConfig indicates the name of the EnvoyConfig CR for the Pod. + type: string + name: + description: Name indicates the name of a Pod selected by the SidecarGateway. + type: string + sessionAgentSecret: + type: string + required: + - name + type: object + type: array + status: + type: string + unmanagedPods: + items: + properties: + managedBy: + description: ManagedBy indicates the Airlock Microgateway Operator instance which manages this Pod. + type: string + name: + description: Name indicates the name of a Pod selected by the SidecarGateway. + type: string + sessionAgentSecret: + type: string + required: + - name + type: object + type: array + required: + - status + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/airlock/microgateway/4.3.2/crds/telemetries.microgateway.airlock.com.yaml b/charts/airlock/microgateway/4.3.2/crds/telemetries.microgateway.airlock.com.yaml new file mode 100644 index 000000000..47d03cd4c --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/crds/telemetries.microgateway.airlock.com.yaml @@ -0,0 +1,96 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.15.0 + labels: + app.kubernetes.io/name: airlock-microgateway-operator + app.kubernetes.io/version: 4.3.2 + name: telemetries.microgateway.airlock.com +spec: + group: microgateway.airlock.com + names: + categories: + - airlock-microgateway + kind: Telemetry + listKind: TelemetryList + plural: telemetries + singular: telemetry + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: Telemetry contains the configuration for telemetry (logging, metrics & tracing). + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Specification of the desired telemetry behavior. + properties: + correlation: + description: Correlation defines the correlation aspects of Telemetry. + properties: + idSource: + description: IDSource specifies how an external correlation ID should be obtained for a request. If not specified, no correlation ID will be logged. + properties: + header: + description: Header specifies to extract the correlation ID from a request header. If the header is absent from a request, no correlation ID will be logged. + properties: + name: + default: X-Correlation-Id + description: Name of the header (case-insensitive) from which to extract the correlation ID. + minLength: 1 + type: string + type: object + required: + - header + type: object + request: + description: Request defines the request related correlation settings of Telemetry. + properties: + allowDownstreamRequestID: + default: true + description: AllowDownstreamRequestID defines whether trace sampling will consider a provided x-request-id. + type: boolean + alterRequestID: + default: true + description: AlterRequestID defines whether to alter the UUID to reflect the trace sampling decision. If disabled no modification to the UUID will be performed, this may break tracing in the upstream. + type: boolean + type: object + type: object + logging: + description: Logging defines the logging aspects of Telemetry. + properties: + accessLog: + description: AccessLog defines the access log settings of Telemetry. + properties: + format: + description: Format defines the Access Log format of the sidecar. + properties: + json: + description: JSON defines the Access Log format as JSON. + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + type: object + type: object + type: object + type: object + served: true + storage: true diff --git a/charts/airlock/microgateway/4.3.2/dashboards/blockLogs.json b/charts/airlock/microgateway/4.3.2/dashboards/blockLogs.json new file mode 100644 index 000000000..ef0ce6d62 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/dashboards/blockLogs.json @@ -0,0 +1,510 @@ +{ + "__inputs": [ + { + "name": "DS_LOKI", + "label": "Loki", + "description": "", + "type": "datasource", + "pluginId": "loki", + "pluginName": "Loki" + }, + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__elements": {}, + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "10.2.0" + }, + { + "type": "datasource", + "id": "loki", + "name": "Loki", + "version": "1.0.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "description": "Blocked requests by Airlock Microgateway retrieved from corresponding access logs.\n\nThe dashboard can be filtered by namespace and block type. Column filters on the table allow for even a more granular filtering of the logs.", + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": null, + "links": [ + { + "asDropdown": true, + "icon": "external link", + "includeVars": true, + "keepTime": true, + "tags": [ + "airlock-microgateway" + ], + "targetBlank": true, + "title": "Airlock Microgateway", + "tooltip": "", + "type": "dashboards", + "url": "" + } + ], + "panels": [ + { + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "text", + "mode": "fixed" + }, + "custom": { + "align": "auto", + "cellOptions": { + "type": "auto" + }, + "filterable": true, + "inspect": true + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "Namespace" + }, + "properties": [ + { + "id": "custom.width", + "value": 221 + }, + { + "id": "custom.filterable" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Timestamp" + }, + "properties": [ + { + "id": "custom.width", + "value": 214 + }, + { + "id": "unit", + "value": "dateTimeAsIso" + }, + { + "id": "custom.filterable" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Method" + }, + "properties": [ + { + "id": "custom.width", + "value": 89 + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Client IP" + }, + "properties": [ + { + "id": "custom.width", + "value": 138 + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Request ID" + }, + "properties": [ + { + "id": "custom.width", + "value": 328 + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Block Type" + }, + "properties": [ + { + "id": "custom.width", + "value": 116 + }, + { + "id": "custom.filterable", + "value": false + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Request Size" + }, + "properties": [ + { + "id": "custom.width", + "value": 126 + }, + { + "id": "unit", + "value": "bytes" + }, + { + "id": "custom.align", + "value": "right" + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Attack Type" + }, + "properties": [ + { + "id": "custom.width", + "value": 217 + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Application" + }, + "properties": [ + { + "id": "custom.width", + "value": 207 + } + ] + } + ] + }, + "gridPos": { + "h": 27, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 2, + "options": { + "cellHeight": "sm", + "footer": { + "countRows": false, + "enablePagination": true, + "fields": "", + "reducer": [ + "sum" + ], + "show": false + }, + "showHeader": true, + "sortBy": [] + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "editorMode": "code", + "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_deny_rule\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", details=\"airlock.deny_rules.matches\"\n| label_format block_type=\"deny_rules\", attack_type=`{{ range $q := fromJson .details }} {{ if eq $q.threat_handling_mode \"block\" }} {{ $q.rule_key }} {{ end }} {{ end }}` | block_type=~\"${blockType:regex}\"", + "hide": false, + "queryType": "range", + "refId": "Deny Rule Blocks" + }, + { + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "editorMode": "code", + "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_limit\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", details=\"airlock.limits.matches\"\n| label_format block_type=\"limits\", attack_type=`{{ range $q := fromJson .details }} {{ if eq $q.threat_handling_mode \"block\" }} {{ $q.rule }} {{ end }} {{ end }}` | block_type=~\"${blockType:regex}\"", + "hide": false, + "queryType": "range", + "refId": "Limit Blocks" + }, + { + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "editorMode": "code", + "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_openapi\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", reference=\"airlock.openapi.reference\", constraint=\"airlock.openapi.request.failed_validation.constraint\", position=\"airlock.openapi.request.failed_validation.position\", message=\"airlock.openapi.request.failed_validation.message\"\n| label_format block_type=\"openapi\", attack_type=\"openapi\", details=`{{.reference }}: {{.constraint }} at {{ .position }} ({{ .message }})` | block_type=~\"${blockType:regex}\"", + "hide": false, + "queryType": "range", + "refId": "OpenAPI Blocks" + }, + { + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "editorMode": "code", + "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_parser\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", attack_type=\"airlock.parser\", failed_check=\"airlock.parser.matches[0].failed_check\", message=\"airlock.parser.matches[0].message\"\n| label_format block_type=\"parsing\", attack_type=\"parsing\", details=`{{.failed_check}}: {{.message}}` | block_type=~\"${blockType:regex}\"", + "hide": false, + "queryType": "range", + "refId": "Parser Blocks" + }, + { + "datasource": { + "type": "loki", + "uid": "${DS_LOKI}" + }, + "editorMode": "code", + "expr": "{container=\"airlock-microgateway-engine\", namespace=~\"${namespace:regex}\"} |= \"airlock_request_blocked_graphql\" |= \"envoy.access\"\n| json http_method=\"http.request.method\", url=\"url.path\", request_size=\"http.request.bytes\", client_ip=\"network.forwarded_ip\", request_id=\"http.request.id\", reference=\"airlock.graphql.reference\", message=\"airlock.graphql.request.failed_validation.message\"\n| label_format block_type=\"graphql\", attack_type=\"graphql\", details=`{{ .reference }}: {{ .message }}` | block_type=~\"${blockType:regex}\"", + "hide": false, + "queryType": "range", + "refId": "GraphQL Blocks" + } + ], + "title": "Blocked Request logs", + "transformations": [ + { + "id": "merge", + "options": {} + }, + { + "id": "extractFields", + "options": { + "format": "json", + "source": "labels" + } + }, + { + "id": "filterFieldsByName", + "options": { + "byVariable": false, + "include": { + "names": [ + "Time", + "attack_type", + "block_type", + "client_ip", + "details", + "http_method", + "namespace", + "request_id", + "request_size", + "url", + "pod" + ] + } + } + }, + { + "id": "organize", + "options": { + "excludeByName": { + "Line": true, + "id": true, + "labelTypes": true, + "labels": true, + "tsNs": false + }, + "includeByName": {}, + "indexByName": { + "Time": 0, + "attack_type": 7, + "block_type": 6, + "client_ip": 9, + "details": 8, + "http_method": 3, + "namespace": 1, + "pod": 2, + "request_id": 10, + "request_size": 5, + "url": 4 + }, + "renameByName": { + "Time": "Timestamp", + "attack_type": "Attack Type", + "block_type": "Block Type", + "client_ip": "Client IP", + "details": "Details", + "http_method": "Method", + "namespace": "Namespace", + "pod": "Pod", + "request_id": "Request ID", + "request_size": "Request Size", + "tsNs": "", + "url": "Path" + } + } + } + ], + "type": "table" + } + ], + "schemaVersion": 39, + "tags": [ + "airlock-microgateway" + ], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Loki", + "value": "P8E80F9AEF21F6940" + }, + "hide": 2, + "includeAll": false, + "label": "DS_LOKI", + "multi": false, + "name": "DS_LOKI", + "options": [], + "query": "loki", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "allValue": ".*", + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "label_values(microgateway_license_http_rq_total,namespace)", + "hide": 0, + "includeAll": true, + "label": "Application Namespace", + "multi": true, + "name": "namespace", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(microgateway_license_http_rq_total,namespace)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 5, + "type": "query" + }, + { + "allValue": ".*", + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)", + "hide": 0, + "includeAll": true, + "label": "Block Type", + "multi": true, + "name": "blockType", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 5, + "type": "query" + }, + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "PBFA97CFB590B2093" + }, + "hide": 2, + "includeAll": false, + "label": "DS_PROMETHEUS", + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + } + ] + }, + "time": { + "from": "now-15m", + "to": "now" + }, + "timeRangeUpdatedDuringEditOrView": false, + "timepicker": {}, + "timezone": "browser", + "title": "Airlock Microgateway Blocked Request Logs", + "uid": "adnyzcvwnyadcc", + "version": 3, + "weekStart": "" +} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.2/dashboards/blockMetrics.json b/charts/airlock/microgateway/4.3.2/dashboards/blockMetrics.json new file mode 100644 index 000000000..ba383d22e --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/dashboards/blockMetrics.json @@ -0,0 +1,758 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__elements": {}, + "__requires": [ + { + "type": "panel", + "id": "barchart", + "name": "Bar chart", + "version": "" + }, + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "10.2.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "stat", + "name": "Stat", + "version": "" + }, + { + "type": "panel", + "id": "timeseries", + "name": "Time series", + "version": "" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "description": "Metrics on requests blocked by Airlock Microgateway.\n\nDashboard can be filtered by namespaces as well as block types.", + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": null, + "links": [ + { + "asDropdown": true, + "icon": "external link", + "includeVars": true, + "keepTime": true, + "tags": [ + "airlock-microgateway" + ], + "targetBlank": true, + "title": "Airlock Microgateway", + "tooltip": "", + "type": "dashboards", + "url": "" + } + ], + "panels": [ + { + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 6, + "title": "Airlock Microgateway Block Metrics", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "Total number of requests processed by Airlock Microgateway.", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "text", + "mode": "fixed" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 0, + "y": 1 + }, + "id": 1, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "disableTextWrap": false, + "editorMode": "code", + "exemplar": false, + "expr": "round(sum(increase(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))", + "format": "time_series", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": true, + "legendFormat": "Processed Requests", + "range": false, + "refId": "A", + "useBackend": false + } + ], + "title": "Requests", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "Ratio of blocked requests vs. processed requests by Airlock Microgateway.", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "text", + "mode": "fixed" + }, + "mappings": [ + { + "options": { + "match": "nan", + "result": { + "index": 0, + "text": "n/a" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "percentunit" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 4, + "y": 1 + }, + "id": 2, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "disableTextWrap": false, + "editorMode": "code", + "exemplar": false, + "expr": "sum(increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])) / sum(increase(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": true, + "legendFormat": "Blocked Requests (%)", + "range": false, + "refId": "A", + "useBackend": false + } + ], + "title": "% Blocked Requests", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "Requests per second processed by Airlock Microgateway along with the corresponding block rate.", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "blue", + "mode": "fixed" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "left", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "blue", + "value": null + } + ] + } + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "% Blocks" + }, + "properties": [ + { + "id": "custom.axisPlacement", + "value": "right" + }, + { + "id": "unit", + "value": "percentunit" + }, + { + "id": "color", + "value": { + "fixedColor": "orange", + "mode": "fixed" + } + }, + { + "id": "max", + "value": 1 + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Requests per second" + }, + "properties": [ + { + "id": "unit", + "value": "short" + }, + { + "id": "custom.fillOpacity", + "value": 25 + } + ] + } + ] + }, + "gridPos": { + "h": 10, + "w": 20, + "x": 0, + "y": 5 + }, + "id": 3, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "timezone": [ + "" + ], + "tooltip": { + "maxHeight": 600, + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "sum(rate(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m]))", + "instant": false, + "legendFormat": "Requests per second", + "range": true, + "refId": "Requests per Second" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "sum(rate(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) / sum(rate(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m]))", + "hide": false, + "instant": false, + "legendFormat": "% Blocks", + "range": true, + "refId": "Blocks" + } + ], + "title": "Requests vs. % Blocks", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "Blocked requests by block type.", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "super-light-orange", + "mode": "fixed" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisGridShow": true, + "axisLabel": "", + "axisPlacement": "auto", + "fillOpacity": 80, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineWidth": 0, + "scaleDistribution": { + "type": "linear" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "fieldMinMax": false, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "none" + }, + "overrides": [] + }, + "gridPos": { + "h": 11, + "w": 10, + "x": 0, + "y": 15 + }, + "id": 4, + "options": { + "barRadius": 0, + "barWidth": 0.8, + "fullHighlight": false, + "groupWidth": 0.7, + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": false + }, + "orientation": "horizontal", + "showValue": "never", + "stacking": "none", + "tooltip": { + "maxHeight": 600, + "mode": "single", + "sort": "asc" + }, + "xField": "block_type", + "xTickLabelRotation": 0, + "xTickLabelSpacing": 0 + }, + "pluginVersion": "10.4.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "round(sum by (block_type) (increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))", + "format": "time_series", + "instant": true, + "legendFormat": "__auto", + "range": false, + "refId": "A" + } + ], + "title": "Block Type", + "transformations": [ + { + "id": "reduce", + "options": { + "includeTimeField": false, + "labelsToFields": true, + "mode": "seriesToRows", + "reducers": [ + "sum" + ] + } + } + ], + "type": "barchart" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "Blocked requests by attack type, which are subsets of the various block types.", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "light-orange", + "mode": "fixed" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "fillOpacity": 80, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "lineWidth": 1, + "scaleDistribution": { + "type": "linear" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 11, + "w": 10, + "x": 10, + "y": 15 + }, + "id": 5, + "options": { + "barRadius": 0, + "barWidth": 0.8, + "fullHighlight": false, + "groupWidth": 0.7, + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": false + }, + "orientation": "horizontal", + "showValue": "never", + "stacking": "none", + "tooltip": { + "maxHeight": 600, + "mode": "single", + "sort": "none" + }, + "xField": "attack_type", + "xTickLabelRotation": 0, + "xTickLabelSpacing": 0 + }, + "pluginVersion": "10.4.3", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "round(sum by (attack_type) (increase(microgateway_http_downstream_rq_threats_blocked_total{block_type=~\"${blockType:regex}\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))", + "instant": true, + "legendFormat": "__auto", + "range": false, + "refId": "A" + } + ], + "title": "Attack Type", + "transformations": [ + { + "id": "reduce", + "options": { + "labelsToFields": true, + "reducers": [ + "sum" + ] + } + } + ], + "type": "barchart" + } + ], + "refresh": "", + "schemaVersion": 39, + "tags": [ + "airlock-microgateway" + ], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "PBFA97CFB590B2093" + }, + "hide": 2, + "includeAll": false, + "label": "Datasource Prometheus", + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "current": { + "selected": false, + "text": "Loki", + "value": "P8E80F9AEF21F6940" + }, + "hide": 2, + "includeAll": false, + "label": "DS_LOKI", + "multi": false, + "name": "DS_LOKI", + "options": [], + "query": "loki", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "allValue": ".*", + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "label_values(microgateway_license_valid,namespace)", + "hide": 0, + "includeAll": true, + "label": "Operator Namespace", + "multi": true, + "name": "operator_namespace", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(microgateway_license_valid,namespace)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 2, + "regex": ".*", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "allValue": ".*", + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "label_values(microgateway_license_http_rq_total,namespace)", + "hide": 0, + "includeAll": true, + "label": "Application Namespace", + "multi": true, + "name": "namespace", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(microgateway_license_http_rq_total,namespace)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 5, + "type": "query" + }, + { + "allValue": ".*", + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)", + "hide": 0, + "includeAll": true, + "label": "Block Type", + "multi": true, + "name": "blockType", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(microgateway_http_downstream_rq_threats_blocked_total,block_type)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 5, + "type": "query" + } + ] + }, + "time": { + "from": "now-24h", + "to": "now" + }, + "timeRangeUpdatedDuringEditOrView": false, + "timepicker": { + "hidden": false + }, + "timezone": "browser", + "title": "Airlock Microgateway Block Metrics", + "uid": "ddnqoczu7qvb4cdd3dd", + "version": 3, + "weekStart": "" +} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.2/dashboards/license.json b/charts/airlock/microgateway/4.3.2/dashboards/license.json new file mode 100644 index 000000000..b9d5777e2 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/dashboards/license.json @@ -0,0 +1,521 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__elements": {}, + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "10.2.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "stat", + "name": "Stat", + "version": "" + }, + { + "type": "panel", + "id": "timeseries", + "name": "Time series", + "version": "" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": null, + "links": [ + { + "asDropdown": true, + "icon": "external link", + "includeVars": true, + "keepTime": true, + "tags": [ + "airlock-microgateway" + ], + "targetBlank": true, + "title": "Airlock Microgateway", + "tooltip": "", + "type": "dashboards", + "url": "" + } + ], + "panels": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "License status of Airlock Microgateway.", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "color": "red", + "index": 1, + "text": "Invalid" + }, + "1": { + "color": "green", + "index": 0, + "text": "Valid" + } + }, + "type": "value" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 3, + "x": 0, + "y": 0 + }, + "id": 1, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "min(microgateway_license_valid{namespace=~\"${operator_namespace.regex}\"})", + "instant": true, + "legendFormat": "License Status", + "range": false, + "refId": "Licenses" + } + ], + "title": "License Status", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "Expiry date of the Airlock Microgateway license associated with the selected operator.", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "text", + "mode": "fixed" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "time: L" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 3, + "y": 0 + }, + "id": 4, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "min(microgateway_license_expiry_timestamp_seconds{namespace=~\"${operator_namespace.regex}\"})*1000", + "instant": true, + "legendFormat": "Expiry Date (MM/DD/YYYY)", + "range": false, + "refId": "A" + } + ], + "title": "License Expiry Date", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "Number of licensed requests for applications protected by Airlock Microgateway.", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "text", + "mode": "fixed" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 4, + "x": 7, + "y": 0 + }, + "id": 6, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "sum(microgateway_license_max_rq_count_per_month{namespace=~\"${operator_namespace.regex}\"})", + "instant": true, + "legendFormat": "Licensed Requests", + "range": false, + "refId": "A" + } + ], + "title": "Licensed Requests", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "Estimated number of requests protected by Airlock Microgateway over 30 days based on the last 7 days.", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "text", + "mode": "fixed" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 5, + "x": 11, + "y": 0 + }, + "id": 2, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "sum(increase(microgateway_license_http_rq_total{job=~\"${operator_namespace.regex}/.*-engine\"}[7d]))/7*30", + "instant": true, + "legendFormat": "Estimated Requests", + "range": false, + "refId": "A" + } + ], + "title": "Requests over 30 days (estimated)", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "Number of requests per week processed by Airlock Microgateway.", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "blue", + "mode": "fixed" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 12, + "w": 16, + "x": 0, + "y": 4 + }, + "id": 5, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "maxHeight": 600, + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "sum(avg_over_time(increase(microgateway_license_http_rq_total{job=~\"${operator_namespace.regex}/.*-engine\"}[7d])[2m:30s]))", + "instant": false, + "legendFormat": "# Requests per week", + "range": true, + "refId": "A" + } + ], + "title": "Processed Requests per week", + "type": "timeseries" + } + ], + "schemaVersion": 39, + "tags": [ + "airlock-microgateway" + ], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "PBFA97CFB590B2093" + }, + "hide": 2, + "includeAll": false, + "label": "DS_PROMETHEUS", + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "allValue": ".*", + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "label_values(microgateway_license_valid,namespace)", + "description": "", + "hide": 0, + "includeAll": false, + "label": "Operator Namespace", + "multi": false, + "name": "operator_namespace", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(microgateway_license_valid,namespace)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + } + ] + }, + "time": { + "from": "now-7d", + "to": "now" + }, + "timeRangeUpdatedDuringEditOrView": false, + "timepicker": {}, + "timezone": "browser", + "title": "Airlock Microgateway License", + "uid": "cdpq79bzrr01se", + "version": 2, + "weekStart": "" +} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.2/dashboards/overview.json b/charts/airlock/microgateway/4.3.2/dashboards/overview.json new file mode 100644 index 000000000..094276621 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/dashboards/overview.json @@ -0,0 +1,1138 @@ +{ + "__inputs": [ + { + "name": "DS_PROMETHEUS", + "label": "Prometheus", + "description": "", + "type": "datasource", + "pluginId": "prometheus", + "pluginName": "Prometheus" + } + ], + "__elements": {}, + "__requires": [ + { + "type": "grafana", + "id": "grafana", + "name": "Grafana", + "version": "10.2.0" + }, + { + "type": "datasource", + "id": "prometheus", + "name": "Prometheus", + "version": "1.0.0" + }, + { + "type": "panel", + "id": "stat", + "name": "Stat", + "version": "" + }, + { + "type": "panel", + "id": "table", + "name": "Table", + "version": "" + }, + { + "type": "panel", + "id": "timeseries", + "name": "Time series", + "version": "" + } + ], + "annotations": { + "list": [ + { + "builtIn": 1, + "datasource": { + "type": "grafana", + "uid": "-- Grafana --" + }, + "enable": true, + "hide": true, + "iconColor": "rgba(0, 211, 255, 1)", + "name": "Annotations & Alerts", + "type": "dashboard" + } + ] + }, + "editable": true, + "fiscalYearStartMonth": 0, + "graphTooltip": 0, + "id": null, + "links": [ + { + "asDropdown": true, + "icon": "external link", + "includeVars": true, + "keepTime": true, + "tags": [ + "airlock-microgateway" + ], + "targetBlank": true, + "title": "Airlock Microgateway", + "tooltip": "", + "type": "dashboards", + "url": "" + } + ], + "panels": [ + { + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 0 + }, + "id": 3, + "title": "Overview", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "Number of pods that are protected by Airlock Microgateway.", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "text", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 3, + "x": 0, + "y": 1 + }, + "id": 11, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "sum(microgateway_sidecars{namespace=~\"${operator_namespace.regex}\"})", + "instant": true, + "legendFormat": "Protected Pods", + "range": false, + "refId": "A" + } + ], + "title": "Protected Pods", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "Total number of requests processed by Airlock Microgateway.", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "text", + "mode": "fixed" + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "short" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 3, + "x": 3, + "y": 1 + }, + "id": 4, + "options": { + "colorMode": "value", + "graphMode": "none", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "disableTextWrap": false, + "editorMode": "code", + "exemplar": false, + "expr": "round(sum(increase(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])))", + "format": "time_series", + "fullMetaSearch": false, + "hide": false, + "includeNullMetadata": true, + "instant": true, + "legendFormat": "Processed Requests", + "range": false, + "refId": "A", + "useBackend": false + } + ], + "title": "Requests", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "Ratio of blocked requests vs. processed requests by Airlock Microgateway.", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "text", + "mode": "fixed" + }, + "mappings": [ + { + "options": { + "match": "nan", + "result": { + "index": 0, + "text": "n/a" + } + }, + "type": "special" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "percentunit" + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 3, + "x": 6, + "y": 1 + }, + "id": 5, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "last" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "disableTextWrap": false, + "editorMode": "code", + "exemplar": false, + "expr": "sum(increase(microgateway_http_downstream_rq_threats_blocked_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range])) / sum(increase(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[$__range]))", + "fullMetaSearch": false, + "includeNullMetadata": true, + "instant": true, + "legendFormat": "Blocked Requests (%)", + "range": false, + "refId": "A", + "useBackend": false + } + ], + "title": "% Blocked Requests", + "type": "stat" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "License status of Airlock Microgateway.", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "mappings": [ + { + "options": { + "0": { + "color": "red", + "index": 1, + "text": "Invalid" + }, + "1": { + "color": "green", + "index": 0, + "text": "Valid" + } + }, + "type": "value" + } + ], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [] + }, + "gridPos": { + "h": 4, + "w": 3, + "x": 9, + "y": 1 + }, + "id": 10, + "options": { + "colorMode": "value", + "graphMode": "area", + "justifyMode": "auto", + "orientation": "auto", + "reduceOptions": { + "calcs": [ + "lastNotNull" + ], + "fields": "", + "values": false + }, + "showPercentChange": false, + "textMode": "auto", + "wideLayout": true + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "min(microgateway_license_valid{namespace=~\"${operator_namespace.regex}\"})", + "instant": true, + "legendFormat": "License Status", + "range": false, + "refId": "Licenses" + } + ], + "title": "License", + "type": "stat" + }, + { + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 5 + }, + "id": 2, + "title": "Blocks", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "Requests per second processed by Airlock Microgateway along with the corresponding block rate.", + "fieldConfig": { + "defaults": { + "color": { + "fixedColor": "blue", + "mode": "fixed" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "left", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "blue", + "value": null + } + ] + } + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "% Blocks" + }, + "properties": [ + { + "id": "custom.axisPlacement", + "value": "right" + }, + { + "id": "unit", + "value": "percentunit" + }, + { + "id": "color", + "value": { + "fixedColor": "orange", + "mode": "fixed" + } + }, + { + "id": "max", + "value": 1 + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Requests per second" + }, + "properties": [ + { + "id": "unit", + "value": "short" + }, + { + "id": "custom.fillOpacity", + "value": 25 + } + ] + } + ] + }, + "gridPos": { + "h": 10, + "w": 12, + "x": 0, + "y": 6 + }, + "id": 6, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "timezone": [ + "" + ], + "tooltip": { + "maxHeight": 600, + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "exemplar": false, + "expr": "sum(rate(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m]))", + "instant": false, + "legendFormat": "Requests per second", + "range": true, + "refId": "Requests per Second" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "sum(rate(microgateway_http_downstream_rq_threats_blocked_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) / sum(rate(microgateway_license_http_rq_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m]))", + "hide": false, + "instant": false, + "legendFormat": "% Blocks", + "range": true, + "refId": "Blocks" + } + ], + "title": "Requests vs. % Blocks", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "Requests blocked by Airlock Microgateway categorized by their corresponding type.", + "fieldConfig": { + "defaults": { + "color": { + "mode": "thresholds" + }, + "custom": { + "align": "auto", + "cellOptions": { + "barAlignment": 0, + "drawStyle": "line", + "gradientMode": "none", + "hideValue": false, + "lineInterpolation": "linear", + "lineStyle": { + "dash": [ + 10, + 10 + ], + "fill": "solid" + }, + "showPoints": "never", + "spanNulls": false, + "type": "sparkline" + }, + "inspect": false + }, + "displayName": "Block Type", + "fieldMinMax": false, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + } + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "block_type" + }, + "properties": [ + { + "id": "custom.width", + "value": 153 + }, + { + "id": "custom.cellOptions", + "value": { + "type": "auto" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "Trend #Block Types" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "orange", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 10, + "w": 12, + "x": 12, + "y": 6 + }, + "id": 7, + "options": { + "cellHeight": "lg", + "footer": { + "countRows": false, + "enablePagination": false, + "fields": [ + "Value" + ], + "reducer": [ + "sum" + ], + "show": false + }, + "showHeader": false, + "sortBy": [ + { + "desc": true, + "displayName": "block_type" + } + ] + }, + "pluginVersion": "11.0.0", + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "sum by (block_type) (increase(microgateway_http_downstream_rq_threats_blocked_total{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m] offset -1m))/(60000/$__interval_ms)", + "format": "time_series", + "instant": false, + "legendFormat": "__auto", + "range": true, + "refId": "Block Types" + } + ], + "title": "Blocked Requests by Type", + "transformations": [ + { + "id": "timeSeriesTable", + "options": { + "A": { + "timeField": "Time" + }, + "Block Types": { + "stat": "sum", + "timeField": "Time" + } + } + } + ], + "type": "table" + }, + { + "gridPos": { + "h": 1, + "w": 24, + "x": 0, + "y": 16 + }, + "id": 1, + "title": "Latency", + "type": "row" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "Percentiles of the application downstream latency over one minute.", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "ms" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "25th Percentile" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "super-light-purple", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "50th Percentile" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "purple", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "95th Percentile" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "dark-purple", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 0, + "y": 17 + }, + "id": 8, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "maxHeight": 600, + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "histogram_quantile(0.25, sum(rate(envoy_http_downstream_rq_time_bucket{envoy_http_conn_manager_prefix=\"http\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", + "instant": false, + "legendFormat": "25th Percentile", + "range": true, + "refId": "25th Percentile" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "histogram_quantile(0.5, sum(rate(envoy_http_downstream_rq_time_bucket{envoy_http_conn_manager_prefix=\"http\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", + "hide": false, + "instant": false, + "legendFormat": "50th Percentile", + "range": true, + "refId": "50th Percentile" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "histogram_quantile(0.95, sum(rate(envoy_http_downstream_rq_time_bucket{envoy_http_conn_manager_prefix=\"http\", namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", + "hide": false, + "instant": false, + "legendFormat": "95th Percentile", + "range": true, + "refId": "95th Percentile" + } + ], + "title": "Application Downstream Latency", + "type": "timeseries" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "description": "Percentiles of the Airlock Microgateway processing time over one minute.", + "fieldConfig": { + "defaults": { + "color": { + "mode": "palette-classic" + }, + "custom": { + "axisBorderShow": false, + "axisCenteredZero": false, + "axisColorMode": "text", + "axisLabel": "", + "axisPlacement": "auto", + "barAlignment": 0, + "drawStyle": "line", + "fillOpacity": 0, + "gradientMode": "none", + "hideFrom": { + "legend": false, + "tooltip": false, + "viz": false + }, + "insertNulls": false, + "lineInterpolation": "linear", + "lineWidth": 1, + "pointSize": 5, + "scaleDistribution": { + "type": "linear" + }, + "showPoints": "auto", + "spanNulls": false, + "stacking": { + "group": "A", + "mode": "none" + }, + "thresholdsStyle": { + "mode": "off" + } + }, + "mappings": [], + "thresholds": { + "mode": "absolute", + "steps": [ + { + "color": "green", + "value": null + } + ] + }, + "unit": "ms" + }, + "overrides": [ + { + "matcher": { + "id": "byName", + "options": "25th Percentile" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "super-light-purple", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "50th Percentile" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "purple", + "mode": "fixed" + } + } + ] + }, + { + "matcher": { + "id": "byName", + "options": "95th Percentile" + }, + "properties": [ + { + "id": "color", + "value": { + "fixedColor": "dark-purple", + "mode": "fixed" + } + } + ] + } + ] + }, + "gridPos": { + "h": 9, + "w": 12, + "x": 12, + "y": 17 + }, + "id": 9, + "options": { + "legend": { + "calcs": [], + "displayMode": "list", + "placement": "bottom", + "showLegend": true + }, + "tooltip": { + "maxHeight": 600, + "mode": "single", + "sort": "none" + } + }, + "targets": [ + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "histogram_quantile(0.25, sum(rate(microgateway_rq_processing_time_ms_bucket{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", + "instant": false, + "legendFormat": "25th Percentile", + "range": true, + "refId": "0.25 Percentile" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "histogram_quantile(0.5, sum(rate(microgateway_rq_processing_time_ms_bucket{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", + "hide": false, + "instant": false, + "legendFormat": "50th Percentile", + "range": true, + "refId": "0.5 Percentile" + }, + { + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "editorMode": "code", + "expr": "histogram_quantile(0.95, sum(rate(microgateway_rq_processing_time_ms_bucket{namespace=~\"${namespace:regex}\", job=~\"${operator_namespace.regex}/.*-engine\"}[1m])) by (le))", + "hide": false, + "instant": false, + "legendFormat": "95th Percentile", + "range": true, + "refId": "0.95 Percentile" + } + ], + "title": "Airlock Microgateway Processing Time", + "type": "timeseries" + } + ], + "refresh": "", + "schemaVersion": 39, + "tags": [ + "airlock-microgateway" + ], + "templating": { + "list": [ + { + "current": { + "selected": false, + "text": "Prometheus", + "value": "PBFA97CFB590B2093" + }, + "hide": 2, + "includeAll": false, + "label": "DS_PROMETHEUS", + "multi": false, + "name": "DS_PROMETHEUS", + "options": [], + "query": "prometheus", + "refresh": 1, + "regex": "", + "skipUrlSync": false, + "type": "datasource" + }, + { + "allValue": ".*", + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "label_values(microgateway_license_valid,namespace)", + "hide": 0, + "includeAll": true, + "label": "Operator Namespace", + "multi": true, + "name": "operator_namespace", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(microgateway_license_valid,namespace)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 2, + "regex": ".*", + "skipUrlSync": false, + "sort": 0, + "type": "query" + }, + { + "allValue": ".*", + "current": {}, + "datasource": { + "type": "prometheus", + "uid": "${DS_PROMETHEUS}" + }, + "definition": "label_values(microgateway_license_http_rq_total,namespace)", + "hide": 0, + "includeAll": true, + "label": "Application Namespace", + "multi": true, + "name": "namespace", + "options": [], + "query": { + "qryType": 1, + "query": "label_values(microgateway_license_http_rq_total,namespace)", + "refId": "PrometheusVariableQueryEditor-VariableQuery" + }, + "refresh": 2, + "regex": "", + "skipUrlSync": false, + "sort": 0, + "type": "query" + } + ] + }, + "time": { + "from": "now-24h", + "to": "now" + }, + "timeRangeUpdatedDuringEditOrView": false, + "timepicker": {}, + "timezone": "browser", + "title": "Airlock Microgateway Overview", + "uid": "fdp5jb8fnrmyoa", + "version": 1, + "weekStart": "" +} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.2/templates/NOTES.txt b/charts/airlock/microgateway/4.3.2/templates/NOTES.txt new file mode 100644 index 000000000..6e5ce218a --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/NOTES.txt @@ -0,0 +1,47 @@ +Thank you for installing Airlock Microgateway. + +Please ensure the following prerequisites are fulfilled: +* Cert-Manager is installed. + https://cert-manager.io/docs/installation/helm/ +* Airlock Microgateway CNI is also installed on the cluster. + https://artifacthub.io/packages/helm/airlock-microgateway-cni/microgateway-cni +* A valid Airlock Microgateway license is deployed in the Kubernetes secret 'airlock-microgateway-license'. + * Get a free Community license: https://airlock.com/en/microgateway-community + * Order a Premium license: https://airlock.com/en/microgateway-premium + +Further information: +* Documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" . }} +* CRD API reference documentation: https://docs.airlock.com/microgateway/{{ include "airlock-microgateway.docsVersion" . }}/api/crds +* Airlock Microgateway Labs: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=helm +{{- if .Values.crds.skipVersionCheck }} + +Warning: CRD version check skipped +{{- else -}} +{{- $outdatedCRDs := (include "airlock-microgateway.outdatedCRDs" .) -}} +{{- if $outdatedCRDs -}} + {{- fail (printf ` + +Helm does not automatically upgrade CRDs from the chart's 'crds/' directory during 'helm install/upgrade'. +Therefore, the CRDs must be manually upgraded with the following command before deploying this chart: + +kubectl apply -k https://github.com/airlock/microgateway/deploy/charts/airlock-microgateway/crds/?ref=%s --server-side --force-conflicts + +If you are not using the helm install/upgrade command and instead rely on some other mechanism which is able to upgrade CRDs for deploying this chart, you can suppress this error by setting the helm value 'crds.skipVersionCheck=true'.` + .Chart.AppVersion) + -}} +{{- end -}} +{{- end -}} +{{- if .Values.tests.enabled -}} + {{- if .Values.operator.watchNamespaces -}} + {{- if not (has .Release.Namespace .Values.operator.watchNamespaces) -}} + {{- fail (printf ` + +To execute 'helm test', it is necessary that the release namespace '%s' is part of the operator's watch scope. Either disable the tests or ensure that the release namespace is added to watch namspace list ('operator.watchNamespaces') in the helm values. +` + .Release.Namespace) + -}} + {{- end -}} + {{- end -}} +{{- end }} + +Your release version is {{ .Chart.Version }}. \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.2/templates/_helpers.tpl b/charts/airlock/microgateway/4.3.2/templates/_helpers.tpl new file mode 100644 index 000000000..733ba9648 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/_helpers.tpl @@ -0,0 +1,153 @@ +{{/* +Expand the name of the chart. +We truncate at 49 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) +and the longest explicit suffix is 14 characters. +*/}} +{{- define "airlock-microgateway.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 49 | trimSuffix "-" }} +{{- end }} + +{{/* +Convert an image configuration object into an image ref string. +*/}} +{{- define "airlock-microgateway.image" -}} + {{- if .digest -}} + {{- printf "%s@%s" .repository .digest -}} + {{- else if .tag -}} + {{- printf "%s:%s" .repository .tag -}} + {{- else -}} + {{- printf "%s" .repository -}} + {{- end -}} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 36 chars because some Kubernetes name fields are limited to 63 chars (by the DNS naming spec) +and the longest implicit suffix is 27 characters. +If release name contains chart name it will be used as a full name. +*/}} +{{- define "airlock-microgateway.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 36 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 36 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 36 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "airlock-microgateway.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "airlock-microgateway.sharedLabels" -}} +helm.sh/chart: {{ include "airlock-microgateway.chart" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +app.kubernetes.io/part-of: {{ .Chart.Name }} +{{- with .Values.commonLabels }} +{{ toYaml .}} +{{- end }} +{{- end }} + +{{/* +Common Selector labels +*/}} +{{- define "airlock-microgateway.sharedSelectorLabels" -}} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Restricted Container Security Context +*/}} +{{- define "airlock-microgateway.restrictedSecurityContext" -}} +allowPrivilegeEscalation: false +privileged: false +runAsNonRoot: true +capabilities: + drop: ["ALL"] +readOnlyRootFilesystem: true +seccompProfile: + type: RuntimeDefault +{{- end }} + +{{/* Precondition: May only be used if AppVersion is isSemver */}} +{{- define "airlock-microgateway.supportedCRDVersionPattern" -}} +{{- $version := (semver .Chart.AppVersion) -}} +{{- if $version.Prerelease -}} +>= {{ $version.Major }}.{{ $version.Minor }}.{{ $version.Patch }}-{{ $version.Prerelease }} +{{- else -}} +>= {{ $version.Major }}.{{ $version.Minor }}.0 || >= {{ $version.Major }}.{{ $version.Minor }}.{{ add1 $version.Patch }}-0 +{{- end -}} +{{- end -}} + +{{- define "airlock-microgateway.outdatedCRDs" -}} +{{- if (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) -}} + {{- $supportedVersion := (include "airlock-microgateway.supportedCRDVersionPattern" .) -}} + {{- range $path, $_ := .Files.Glob "crds/*.yaml" -}} + {{- $api := ($.Files.Get $path | fromYaml).metadata.name -}} + {{- $crd := (lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" $api) -}} + {{- $isOutdated := false -}} + {{- if $crd -}} + {{/* If CRD is already present in the cluster, it must have the minimum supported version */}} + {{- $isOutdated = true -}} + {{- if hasKey $crd.metadata "labels" -}} + {{- $crdVersion := get $crd.metadata.labels "app.kubernetes.io/version" -}} + {{- if (eq "true" (include "airlock-microgateway.isSemver" $crdVersion)) -}} + {{- if (semverCompare $supportedVersion $crdVersion) }} + {{- $isOutdated = false -}} + {{- end }} + {{- end -}} + {{- end -}} + {{- end -}} + {{- if $isOutdated }} +{{ base $path }} + {{- end }} + {{- end -}} +{{- end -}} +{{- end -}} + +{{- define "airlock-microgateway.isSemver" -}} +{{- regexMatch `^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$` . -}} +{{- end -}} + +{{- define "airlock-microgateway.docsVersion" -}} +{{- if and (eq "true" (include "airlock-microgateway.isSemver" .Chart.AppVersion)) (not (contains "-" .Chart.AppVersion)) -}} + {{- $version := (semver .Chart.AppVersion) -}} + {{- $version.Major }}.{{ $version.Minor -}} +{{- else -}} + {{- print "latest" -}} +{{- end -}} +{{- end -}} + +{{- define "airlock-microgateway.watchNamespaceSelector.labelQuery" -}} +{{- $list := list -}} +{{- with .matchLabels -}} + {{- range $key, $value := . -}} + {{- $list = append $list (printf "%s=%s" $key $value) -}} + {{- end -}} +{{- end -}} +{{- with .matchExpressions -}} + {{- range . -}} + {{- if has .operator (list "In" "NotIn") -}} + {{- $list = append $list (printf "%s %s (%s)" .key (lower .operator) (join "," .values)) -}} + {{- else if eq .operator "Exists" -}} + {{- $list = append $list .key -}} + {{- else if eq .operator "DoesNotExist" -}} + {{- $list = append $list (printf "!%s" .key) -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- join "," $list -}} +{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/_operator_helpers.tpl b/charts/airlock/microgateway/4.3.2/templates/operator/_operator_helpers.tpl new file mode 100644 index 000000000..a540ff9f4 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/operator/_operator_helpers.tpl @@ -0,0 +1,42 @@ +{{/* +Create a default fully qualified name for operator components. +*/}} +{{- define "airlock-microgateway.operator.fullname" -}} +{{ include "airlock-microgateway.fullname" . }}-operator +{{- end }} + + +{{/* +Common operator labels +*/}} +{{- define "airlock-microgateway.operator.labels" -}} +{{ include "airlock-microgateway.sharedLabels" . }} +{{ include "airlock-microgateway.operator.selectorLabels" . }} +{{- end }} + +{{/* +Operator Selector labels +*/}} +{{- define "airlock-microgateway.operator.selectorLabels" -}} +{{ include "airlock-microgateway.sharedSelectorLabels" . }} +app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-operator +app.kubernetes.io/component: controller +{{- end }} + +{{/* +Create the name of the service account to use for the operator +*/}} +{{- define "airlock-microgateway.operator.serviceAccountName" -}} +{{- if .Values.operator.serviceAccount.create }} +{{- default (include "airlock-microgateway.operator.fullname" .) .Values.operator.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.operator.serviceAccount.name }} +{{- end }} +{{- end }} + +{{/* +ServiceMonitor metrics regex pattern for leader only metrics +*/}} +{{- define "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" -}} +^(microgateway_license|microgateway_sidecars).*$ +{{- end }} diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/_rbac.gen.tpl b/charts/airlock/microgateway/4.3.2/templates/operator/_rbac.gen.tpl new file mode 100644 index 000000000..83b314cbc --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/operator/_rbac.gen.tpl @@ -0,0 +1,237 @@ +{{/* AUTOGENERATED FILE DO NOT EDIT */}} + +{{/* +Operator rbac permission rules +*/}} +{{- define "airlock-microgateway-operator.rbacRules" -}} +- apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - pods/finalizers + verbs: + - update +- apiGroups: + - "" + resources: + - pods/status + verbs: + - patch + - update +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - update + - watch +- apiGroups: + - microgateway.airlock.com + resources: + - accesscontrols + verbs: + - get + - list + - watch +- apiGroups: + - microgateway.airlock.com + resources: + - contentsecurities + verbs: + - get + - list + - watch +- apiGroups: + - microgateway.airlock.com + resources: + - denyrules + verbs: + - get + - list + - watch +- apiGroups: + - microgateway.airlock.com + resources: + - envoyclusters + verbs: + - get + - list + - watch +- apiGroups: + - microgateway.airlock.com + resources: + - envoyconfigurations + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - microgateway.airlock.com + resources: + - envoyconfigurations/status + verbs: + - get + - patch + - update +- apiGroups: + - microgateway.airlock.com + resources: + - envoyhttpfilters + verbs: + - get + - list + - watch +- apiGroups: + - microgateway.airlock.com + resources: + - graphqls + verbs: + - get + - list + - watch +- apiGroups: + - microgateway.airlock.com + resources: + - headerrewrites + verbs: + - get + - list + - watch +- apiGroups: + - microgateway.airlock.com + resources: + - identitypropagations + verbs: + - get + - list + - watch +- apiGroups: + - microgateway.airlock.com + resources: + - limits + verbs: + - get + - list + - watch +- apiGroups: + - microgateway.airlock.com + resources: + - oidcproviders + verbs: + - get + - list + - watch +- apiGroups: + - microgateway.airlock.com + resources: + - oidcrelyingparties + verbs: + - get + - list + - watch +- apiGroups: + - microgateway.airlock.com + resources: + - openapis + verbs: + - get + - list + - watch +- apiGroups: + - microgateway.airlock.com + resources: + - parsers + verbs: + - get + - list + - watch +- apiGroups: + - microgateway.airlock.com + resources: + - redisproviders + verbs: + - get + - list + - watch +- apiGroups: + - microgateway.airlock.com + resources: + - sessionhandlings + verbs: + - get + - list + - watch +- apiGroups: + - microgateway.airlock.com + resources: + - sidecargateways + verbs: + - get + - list + - patch + - update + - watch +- apiGroups: + - microgateway.airlock.com + resources: + - sidecargateways/finalizers + verbs: + - update +- apiGroups: + - microgateway.airlock.com + resources: + - sidecargateways/status + verbs: + - get + - patch + - update +- apiGroups: + - microgateway.airlock.com + resources: + - telemetries + verbs: + - get + - list + - watch +{{- end }} diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/_webhooks.gen.tpl b/charts/airlock/microgateway/4.3.2/templates/operator/_webhooks.gen.tpl new file mode 100644 index 000000000..02e304890 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/operator/_webhooks.gen.tpl @@ -0,0 +1,339 @@ +{{/* AUTOGENERATED FILE DO NOT EDIT */}} + +{{/* +Operator mutating webhooks +*/}} +{{- define "airlock-microgateway-operator.mutatingWebhooks" -}} +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: '{{ .Release.Namespace }}' + path: /mutate-v1-pod + failurePolicy: Fail + name: mutate-pod.microgateway.airlock.com + reinvocationPolicy: IfNeeded + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None + objectSelector: + matchLabels: + sidecar.microgateway.airlock.com/inject: "true" +{{- end }} + +{{/* +Operator validating webhooks +*/}} +{{- define "airlock-microgateway-operator.validatingWebhooks" -}} +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: '{{ .Release.Namespace }}' + path: /validate-v1-pod + failurePolicy: Fail + name: validate-pod.microgateway.airlock.com + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - pods + sideEffects: None + objectSelector: + matchLabels: + sidecar.microgateway.airlock.com/inject: "true" +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: '{{ .Release.Namespace }}' + path: /validate-microgateway-airlock-com-v1alpha1-accesscontrol + failurePolicy: Fail + name: validate-accesscontrol.microgateway.airlock.com + rules: + - apiGroups: + - microgateway.airlock.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - accesscontrols + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: '{{ .Release.Namespace }}' + path: /validate-microgateway-airlock-com-v1alpha1-denyrules + failurePolicy: Fail + name: validate-denyrules.microgateway.airlock.com + rules: + - apiGroups: + - microgateway.airlock.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - denyrules + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: '{{ .Release.Namespace }}' + path: /validate-microgateway-airlock-com-v1alpha1-envoycluster + failurePolicy: Fail + name: validate-envoycluster.microgateway.airlock.com + rules: + - apiGroups: + - microgateway.airlock.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - envoyclusters + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: '{{ .Release.Namespace }}' + path: /validate-microgateway-airlock-com-v1alpha1-envoyhttpfilter + failurePolicy: Fail + name: validate-envoyhttpfilter.microgateway.airlock.com + rules: + - apiGroups: + - microgateway.airlock.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - envoyhttpfilters + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: '{{ .Release.Namespace }}' + path: /validate-microgateway-airlock-com-v1alpha1-graphql + failurePolicy: Fail + name: validate-graphql.microgateway.airlock.com + rules: + - apiGroups: + - microgateway.airlock.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - graphqls + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: '{{ .Release.Namespace }}' + path: /validate-microgateway-airlock-com-v1alpha1-headerrewrites + failurePolicy: Fail + name: validate-headerrewrites.microgateway.airlock.com + rules: + - apiGroups: + - microgateway.airlock.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - headerrewrites + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: '{{ .Release.Namespace }}' + path: /validate-microgateway-airlock-com-v1alpha1-identitypropagation + failurePolicy: Fail + name: validate-identitypropagation.microgateway.airlock.com + rules: + - apiGroups: + - microgateway.airlock.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - identitypropagations + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: '{{ .Release.Namespace }}' + path: /validate-microgateway-airlock-com-v1alpha1-limits + failurePolicy: Fail + name: validate-limits.microgateway.airlock.com + rules: + - apiGroups: + - microgateway.airlock.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - limits + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: '{{ .Release.Namespace }}' + path: /validate-microgateway-airlock-com-v1alpha1-oidcprovider + failurePolicy: Fail + name: validate-oidcprovider.microgateway.airlock.com + rules: + - apiGroups: + - microgateway.airlock.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - oidcproviders + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: '{{ .Release.Namespace }}' + path: /validate-microgateway-airlock-com-v1alpha1-oidcrelyingparty + failurePolicy: Fail + name: validate-oidcrelyingparty.microgateway.airlock.com + rules: + - apiGroups: + - microgateway.airlock.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - oidcrelyingparties + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: '{{ .Release.Namespace }}' + path: /validate-microgateway-airlock-com-v1alpha1-openapi + failurePolicy: Fail + name: validate-openapi.microgateway.airlock.com + rules: + - apiGroups: + - microgateway.airlock.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - openapis + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: '{{ .Release.Namespace }}' + path: /validate-microgateway-airlock-com-v1alpha1-parser + failurePolicy: Fail + name: validate-parser.microgateway.airlock.com + rules: + - apiGroups: + - microgateway.airlock.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - parsers + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: '{{ .Release.Namespace }}' + path: /validate-microgateway-airlock-com-v1alpha1-redisprovider + failurePolicy: Fail + name: validate-redisprovider.microgateway.airlock.com + rules: + - apiGroups: + - microgateway.airlock.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - redisproviders + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: airlock-microgateway-operator-webhook + namespace: '{{ .Release.Namespace }}' + path: /validate-microgateway-airlock-com-v1alpha1-sidecargateway + failurePolicy: Fail + name: validate-sidecargateway.microgateway.airlock.com + rules: + - apiGroups: + - microgateway.airlock.com + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - sidecargateways + sideEffects: None +{{- end }} diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/configmap.yaml b/charts/airlock/microgateway/4.3.2/templates/operator/configmap.yaml new file mode 100644 index 000000000..95e52d7df --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/operator/configmap.yaml @@ -0,0 +1,394 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "airlock-microgateway.operator.fullname" . }}-config + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +data: + engine_bootstrap_config_template.yaml: | + # Base configuration, admin interface on port 19000 + admin: + address: + socket_address: + address: 127.0.0.1 + port_value: 19000 + dynamic_resources: + cds_config: + initial_fetch_timeout: 10s + resource_api_version: V3 + api_config_source: + api_type: GRPC + transport_api_version: V3 + grpc_services: + - envoy_grpc: + cluster_name: xds_cluster + set_node_on_first_message_only: true + # Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC + rate_limit_settings: + max_tokens: 5 + fill_rate: 0.2 + lds_config: + resource_api_version: V3 + initial_fetch_timeout: 10s + api_config_source: + api_type: GRPC + transport_api_version: V3 + grpc_services: + - envoy_grpc: + cluster_name: xds_cluster + set_node_on_first_message_only: true + # Prevent Envoy Node from overloading the xDS server due to rejected configuration when using xDS SotW gRPC + rate_limit_settings: + max_tokens: 5 + fill_rate: 0.2 + static_resources: + listeners: + - name: probe + address: + socket_address: + address: 0.0.0.0 + port_value: 19001 + filter_chains: + - filters: + - name: http_connection_manager + typed_config: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: probe + codec_type: AUTO + http2_protocol_options: + initial_connection_window_size: 1048576 + initial_stream_window_size: 65536 + max_concurrent_streams: 100 + route_config: + name: probe + virtual_hosts: + - name: probe + domains: + - '*' + routes: + - name: ready + match: + path: /ready + headers: + - name: ':method' + string_match: + exact: 'GET' + route: + cluster: airlock_microgateway_engine_admin + http_filters: + - name: envoy.filters.http.router + typed_config: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + - name: metrics + address: + socket_address: + address: 0.0.0.0 + port_value: 19002 + filter_chains: + - filters: + - name: http_connection_manager + typed_config: + '@type': type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager + stat_prefix: metrics + codec_type: AUTO + http2_protocol_options: + initial_connection_window_size: 1048576 + initial_stream_window_size: 65536 + max_concurrent_streams: 100 + route_config: + name: metrics + virtual_hosts: + - name: metrics + domains: + - '*' + routes: + - name: metrics + match: + path: /metrics + headers: + - name: ':method' + string_match: + exact: 'GET' + route: + prefix_rewrite: '/stats/prometheus' + cluster: airlock_microgateway_engine_admin + http_filters: + - name: envoy.filters.http.router + typed_config: + '@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router + clusters: + - name: xds_cluster + connect_timeout: 1s + type: STRICT_DNS + load_assignment: + cluster_name: xds_cluster + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: airlock-microgateway-operator-xds.$(OPERATOR_NAMESPACE).svc.cluster.local + port_value: 13377 + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicit_http_config: + http2_protocol_options: + connection_keepalive: + interval: 360s + timeout: 5s + transport_socket: + name: envoy.transport_sockets.tls + typed_config: + '@type': type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext + common_tls_context: + tls_params: + tls_minimum_protocol_version: TLSv1_3 + tls_maximum_protocol_version: TLSv1_3 + validation_context_sds_secret_config: + name: validation_context_sds + sds_config: + resource_api_version: V3 + path_config_source: + path: /etc/envoy/validation_context_sds_secret.yaml + watched_directory: + path: /etc/envoy/ + tls_certificate_sds_secret_configs: + - name: tls_certificate_sds + sds_config: + resource_api_version: V3 + path_config_source: + path: /etc/envoy/tls_certificate_sds_secret.yaml + watched_directory: + path: /etc/envoy/ + - name: airlock_microgateway_engine_admin + connect_timeout: 1s + type: STATIC + load_assignment: + cluster_name: airlock_microgateway_engine_admin + endpoints: + - lb_endpoints: + - endpoint: + address: + socket_address: + address: 127.0.0.1 + port_value: 19000 + typed_extension_protocol_options: + envoy.extensions.upstreams.http.v3.HttpProtocolOptions: + '@type': type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions + explicit_http_config: + http2_protocol_options: + connection_keepalive: + interval: 360s + timeout: 5s + stats_config: + stats_tags: + - tag_name: "block_type" + regex: "\\.(block_type\\.([^.]+))" + - tag_name: "attack_type" + regex: "\\.(attack_type\\.([^.]+))" + - tag_name: "envoy_cluster_name" + regex: "\\.(cluster\\.([^.]+))" + - tag_name: "version" + regex: "\\.(version\\.([^.]+))" + use_all_default_tags: true + overload_manager: + resource_monitors: + - name: "envoy.resource_monitors.global_downstream_max_connections" + typed_config: + "@type": type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig + max_active_downstream_connections: 50000 + bootstrap_extensions: + - name: airlock.bootstrap.engine_build_info + typed_config: + '@type': type.googleapis.com/airlock.extensions.bootstrap.stats.v1alpha.Stats + application_log_config: + log_format: + text_format: '{"@timestamp":"%Y-%m-%dT%T.%e%z","log":{"logger":"%n","level":"%l","origin":{"file":{"name":"%g","line":%#},"function":"%!"}},"event":{"module":"envoy","dataset":"envoy.application"},"process":{"pid":%P,"thread":{"id":%t}},"ecs":{"version":"8.5"},"message":"%j"}' + engine_container_template.yaml: | + name: "$(ENGINE_NAME)" + image: "$(ENGINE_IMAGE)" + imagePullPolicy: {{ .Values.engine.image.pullPolicy }} + args: + - "--config-path" + - "/etc/envoy/bootstrap_config.yaml" + - "--base-id" + - "$(BASE_ID)" + - "--file-flush-interval-msec" + - '1000' + - "--drain-time-s" + - '60' + - "--service-node" + - "$(POD_NAME).$(POD_NAMESPACE)" + - "--service-cluster" + - "$(APP_NAME).$(POD_NAMESPACE)" + - "--log-path" + - "/dev/stdout" + - "--log-level" + - "$(LOG_LEVEL)" + volumeMounts: + - name: airlock-microgateway-bootstrap-secret-volume + mountPath: /etc/envoy + readOnly: true + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: POD_IP + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: status.podIP + ports: + - containerPort: 13378 + protocol: TCP + - containerPort: 19001 + protocol: TCP + - containerPort: 19002 + protocol: TCP + livenessProbe: + httpGet: + path: /ready + port: 19001 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 5 + failureThreshold: 5 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + httpGet: + path: /ready + port: 19001 + scheme: HTTP + initialDelaySeconds: 5 + periodSeconds: 5 + failureThreshold: 3 + successThreshold: 1 + timeoutSeconds: 1 + securityContext: + {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }} + runAsUser: $(SECURITYCONTEXT_UID) + {{- with .Values.engine.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} + session_agent_container_template.yaml: | + name: "$(SESSION_AGENT_NAME)" + image: "$(SESSION_AGENT_IMAGE)" + imagePullPolicy: {{ .Values.sessionAgent.image.pullPolicy }} + args: + - "--port" + - "19004" + - "--config-path" + - "/etc/microgateway-session-agent/config.json" + volumeMounts: + - name: airlock-microgateway-session-agent-volume + mountPath: /etc/microgateway-session-agent + readOnly: true + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + ports: + - containerPort: 19004 + livenessProbe: + {{- if (semverCompare ">=1.27 || >=1.27.1-0" .Capabilities.KubeVersion.Version)}} + grpc: + port: 19004 + {{- else }} + tcpSocket: + port: 19004 + {{- end }} + initialDelaySeconds: 5 + periodSeconds: 5 + failureThreshold: 5 + successThreshold: 1 + timeoutSeconds: 5 + readinessProbe: + {{- if (semverCompare ">=1.27 || >=1.27.1-0" .Capabilities.KubeVersion.Version)}} + grpc: + port: 19004 + {{- else }} + tcpSocket: + port: 19004 + {{- end }} + initialDelaySeconds: 5 + periodSeconds: 5 + failureThreshold: 3 + successThreshold: 1 + timeoutSeconds: 5 + securityContext: + {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }} + runAsUser: $(SECURITYCONTEXT_UID) + {{- with .Values.sessionAgent.resources }} + resources: + {{- toYaml . | nindent 6 }} + {{- end }} + network_validator_container_template.yaml: | + name: "$(NETWORK_VALIDATOR_NAME)" + image: "$(NETWORK_VALIDATOR_IMAGE)" + imagePullPolicy: {{ .Values.networkValidator.image.pullPolicy }} + command: ["/bin/sh", "-c"] + args: + - |- + echo 'pong' | nc -v -l 127.0.0.1 13378 & + for i in 1 2 3; do + sleep 1s + if r=$(echo 'ping' | nc -v -q 0 127.0.0.1 19003) && [ $r == pong ]; then + echo -n 'Traffic redirection to Airlock Microgateway Engine is working.' > /dev/termination-log + exit 0 + fi + done + echo -en 'Traffic redirection to Airlock Microgateway Engine is not working.\nRestart the pod after ensuring that hostNetwork is disabled and a compatible Airlock Microgateway CNI version is installed on the node.\nCertain environments may also require additional configuration (see docs.airlock.com for more information).' > /dev/termination-log + exit 1 + securityContext: + {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }} + runAsUser: $(SECURITYCONTEXT_UID) + operator_config.yaml: | + apiVersion: config.airlock.com/v1alpha1 + kind: OperatorConfig + health: + healthProbeBindAddress: :8081 + metrics: + bindAddress: 0.0.0.0:8080 + webhook: + port: 9443 + deployment: + sidecar: + engineContainerTemplate: "/sidecar/engine_container_template.yaml" + networkValidatorContainerTemplate: "/sidecar/network_validator_container_template.yaml" + sessionAgentContainerTemplate: "/sidecar/session_agent_container_template.yaml" + engine: + bootstrapConfigTemplate: "/engine_bootstrap_config_template.yaml" + log: + level: {{ .Values.operator.config.logLevel }} + {{- with $.Values.operator.watchNamespaceSelector }} + namespaces: + selector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with $.Values.operator.watchNamespaces }} + namespaces: + list: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/dashboard-configmap.yaml b/charts/airlock/microgateway/4.3.2/templates/operator/dashboard-configmap.yaml new file mode 100644 index 000000000..b71ac89b6 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/operator/dashboard-configmap.yaml @@ -0,0 +1,28 @@ +{{- if .Values.dashboards.create -}} +{{- range $instance := (keys .Values.dashboards.instances | sortAlpha) -}} +{{- $dashboard := get $.Values.dashboards.instances $instance -}} +{{- if $dashboard.create }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "airlock-microgateway.fullname" $ }}-dashboard-{{ $instance | lower }} + namespace: {{ $.Release.Namespace }} + labels: + {{- include "airlock-microgateway.operator.labels" $ | nindent 4 }} + {{- with $.Values.dashboards.config.grafana.dashboardLabel -}} + {{- .name | nindent 4 -}}: {{ .value | quote }} + {{- end }} + annotations: + {{- with $.Values.dashboards.config.grafana.folderAnnotation -}} + {{- .name | nindent 4 -}}: {{ .value | quote }} + {{- end }} + {{- with $.Values.commonAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +data: + {{- printf "%s.json" $instance | nindent 2 }}: |- + {{- ($.Files.Get (printf "dashboards/%s.json" $instance)) | nindent 4 -}} +{{- end -}} +{{- end -}} +{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/deployment.yaml b/charts/airlock/microgateway/4.3.2/templates/operator/deployment.yaml new file mode 100644 index 000000000..db340cdec --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/operator/deployment.yaml @@ -0,0 +1,143 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "airlock-microgateway.operator.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.operator.replicaCount }} + {{- with .Values.operator.updateStrategy }} + strategy: + {{- toYaml . | trim | nindent 4 }} + {{- end }} + selector: + matchLabels: + {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/operator/configmap.yaml") . | sha256sum }} + kubectl.kubernetes.io/default-container: manager + {{- with mustMerge .Values.operator.podAnnotations .Values.commonAnnotations}} + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "airlock-microgateway.operator.labels" . | nindent 8 }} + {{- with .Values.operator.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + containers: + - args: + - --config=operator_config.yaml + env: + - name: ENGINE_IMAGE + value: {{ include "airlock-microgateway.image" .Values.engine.image }} + - name: NETWORK_VALIDATOR_IMAGE + value: {{ include "airlock-microgateway.image" .Values.networkValidator.image }} + - name: SESSION_AGENT_IMAGE + value: {{ include "airlock-microgateway.image" .Values.sessionAgent.image }} + - name: OPERATOR_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OPERATOR_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + image: {{ include "airlock-microgateway.image" .Values.operator.image }} + imagePullPolicy: {{ .Values.operator.image.pullPolicy }} + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + timeoutSeconds: 5 + name: manager + ports: + - containerPort: 9443 + name: webhook-server + protocol: TCP + - containerPort: 13377 + name: xds-server + protocol: TCP + - containerPort: 8080 + protocol: TCP + - containerPort: 8081 + protocol: TCP + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + {{- with .Values.operator.resources }} + resources: + {{- toYaml . | nindent 10 }} + {{- end }} + securityContext: + {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 10 }} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /tmp/k8s-webhook-server/serving-certs + name: cert + readOnly: true + - mountPath: /opt/airlock/license/ + name: airlock-microgateway-license + readOnly: true + - mountPath: /operator_config.yaml + name: operator-config + subPath: operator_config.yaml + - mountPath: /sidecar/engine_container_template.yaml + name: operator-config + subPath: engine_container_template.yaml + - mountPath: /sidecar/network_validator_container_template.yaml + name: operator-config + subPath: network_validator_container_template.yaml + - mountPath: /sidecar/session_agent_container_template.yaml + name: operator-config + subPath: session_agent_container_template.yaml + - mountPath: /engine_bootstrap_config_template.yaml + name: operator-config + subPath: engine_bootstrap_config_template.yaml + securityContext: + runAsNonRoot: true + serviceAccountName: {{ include "airlock-microgateway.operator.serviceAccountName" . }} + terminationGracePeriodSeconds: 10 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.operator.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.operator.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.operator.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - name: cert + secret: + defaultMode: 420 + secretName: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-server-cert + - name: airlock-microgateway-license + secret: + defaultMode: 292 + optional: true + secretName: {{ .Values.license.secretName }} + - configMap: + name: {{ include "airlock-microgateway.operator.fullname" . }}-config + name: operator-config diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/manager-role.yaml b/charts/airlock/microgateway/4.3.2/templates/operator/manager-role.yaml new file mode 100644 index 000000000..90335bcfe --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/operator/manager-role.yaml @@ -0,0 +1,33 @@ +{{- if .Values.operator.rbac.create }} +{{- if empty .Values.operator.watchNamespaces }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +rules: +{{ include "airlock-microgateway-operator.rbacRules" . -}} +{{- else }} +{{- range $namespace := (append .Values.operator.watchNamespaces .Release.Namespace | uniq) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "airlock-microgateway.operator.fullname" $ }}-manager + namespace: {{ $namespace }} + labels: + {{- include "airlock-microgateway.operator.labels" $ | nindent 4 }} + {{- with $.Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +rules: +{{ include "airlock-microgateway-operator.rbacRules" $ }} +--- +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/manager-rolebinding.yaml b/charts/airlock/microgateway/4.3.2/templates/operator/manager-rolebinding.yaml new file mode 100644 index 000000000..ae99cfb7b --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/operator/manager-rolebinding.yaml @@ -0,0 +1,45 @@ +{{- if .Values.operator.rbac.create }} +{{- if empty .Values.operator.watchNamespaces }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ include "airlock-microgateway.operator.fullname" . }}-manager-{{ .Release.Namespace }} +subjects: + - kind: ServiceAccount + name: {{ include "airlock-microgateway.operator.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} +{{- else }} +{{- range $namespace := (append .Values.operator.watchNamespaces .Release.Namespace | uniq) }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "airlock-microgateway.operator.fullname" $ }}-manager + namespace: {{ $namespace }} + labels: + {{- include "airlock-microgateway.operator.labels" $ | nindent 4 }} + {{- with $.Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "airlock-microgateway.operator.fullname" $ }}-manager +subjects: + - kind: ServiceAccount + name: {{ include "airlock-microgateway.operator.serviceAccountName" $ }} + namespace: {{ $.Release.Namespace }} +--- +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/metrics-service.yaml b/charts/airlock/microgateway/4.3.2/templates/operator/metrics-service.yaml new file mode 100644 index 000000000..34d23f6d6 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/operator/metrics-service.yaml @@ -0,0 +1,47 @@ +apiVersion: v1 +kind: Service +metadata: + name: airlock-microgateway-operator-metrics + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} + {{- with .Values.operator.serviceLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ports: + - appProtocol: http + name: metrics + port: 8080 + protocol: TCP + selector: + {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }} +--- +apiVersion: v1 +kind: Service +metadata: + name: airlock-microgateway-operator-leader-metrics + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} + {{- with .Values.operator.serviceLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + operator.microgateway.airlock.com/isLeader: "true" + {{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ports: + - appProtocol: http + name: metrics + port: 8080 + protocol: TCP + selector: + {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }} + operator.microgateway.airlock.com/isLeader: "true" \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/mutating-webhook.yaml b/charts/airlock/microgateway/4.3.2/templates/operator/mutating-webhook.yaml new file mode 100644 index 000000000..311f9726a --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/operator/mutating-webhook.yaml @@ -0,0 +1,28 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-{{ .Release.Namespace }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} + annotations: + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "airlock-microgateway.operator.fullname" . }}-serving-cert + {{- with .Values.commonAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +webhooks: +{{- range $webhook := (include "airlock-microgateway-operator.mutatingWebhooks" .) | fromYamlArray }} +- {{ toYaml $webhook | indent 2 | trim }} + {{- with $.Values.operator.watchNamespaceSelector }} + namespaceSelector: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with $.Values.operator.watchNamespaces }} + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + {{- toYaml . | nindent 10 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/podmonitor.yaml b/charts/airlock/microgateway/4.3.2/templates/operator/podmonitor.yaml new file mode 100644 index 000000000..1fe34fcb3 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/operator/podmonitor.yaml @@ -0,0 +1,27 @@ +{{- if .Values.engine.sidecar.podMonitor.create }} +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: {{ include "airlock-microgateway.fullname" . }}-engine + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} + {{- with .Values.engine.sidecar.podMonitor.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + namespaceSelector: + any: true + selector: + matchLabels: + sidecar.microgateway.airlock.com/inject: "true" + microgateway.airlock.com/managedBy: {{ .Release.Namespace }} + podMetricsEndpoints: + - targetPort: 19002 + path: /metrics + scheme: http +{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/role.yaml b/charts/airlock/microgateway/4.3.2/templates/operator/role.yaml new file mode 100644 index 000000000..5378be8ef --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/operator/role.yaml @@ -0,0 +1,45 @@ +{{- if .Values.operator.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +rules: + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/rolebinding.yaml b/charts/airlock/microgateway/4.3.2/templates/operator/rolebinding.yaml new file mode 100644 index 000000000..bafec1015 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/operator/rolebinding.yaml @@ -0,0 +1,20 @@ +{{- if .Values.operator.rbac.create -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ include "airlock-microgateway.operator.fullname" . }}-leader-election +subjects: + - kind: ServiceAccount + name: {{ include "airlock-microgateway.operator.serviceAccountName" . }} +{{- end -}} diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/selfsigned-issuer.yaml b/charts/airlock/microgateway/4.3.2/templates/operator/selfsigned-issuer.yaml new file mode 100644 index 000000000..466c56338 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/operator/selfsigned-issuer.yaml @@ -0,0 +1,13 @@ +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ include "airlock-microgateway.operator.fullname" . }}-selfsigned-issuer + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selfSigned: {} diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/serviceaccount.yaml b/charts/airlock/microgateway/4.3.2/templates/operator/serviceaccount.yaml new file mode 100644 index 000000000..434d7e9d3 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/operator/serviceaccount.yaml @@ -0,0 +1,13 @@ +{{- if .Values.operator.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "airlock-microgateway.operator.serviceAccountName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} + {{- with mustMerge .Values.operator.serviceAccount.annotations .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end -}} diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/servicemonitor.yaml b/charts/airlock/microgateway/4.3.2/templates/operator/servicemonitor.yaml new file mode 100644 index 000000000..ff85a9a31 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/operator/servicemonitor.yaml @@ -0,0 +1,60 @@ +{{- if .Values.operator.serviceMonitor.create }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "airlock-microgateway.operator.fullname" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} + {{- with .Values.operator.serviceMonitor.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }} + matchExpressions: + - { key: "operator.microgateway.airlock.com/isLeader", operator: DoesNotExist } + endpoints: + - path: /metrics + port: metrics + scheme: http + metricRelabelings: + - sourceLabels: + - __name__ + regex: {{ include "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" . }} + action: drop +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "airlock-microgateway.operator.fullname" . }}-leader + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} + {{- with .Values.operator.serviceMonitor.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + selector: + matchLabels: + {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 6 }} + operator.microgateway.airlock.com/isLeader: "true" + endpoints: + - path: /metrics + port: metrics + scheme: http + metricRelabelings: + - sourceLabels: + - __name__ + regex: {{ include "airlock-microgateway.operator.metricsLeaderOnlyRegexPattern" . }} + action: keep +{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/serving-certificate.yaml b/charts/airlock/microgateway/4.3.2/templates/operator/serving-certificate.yaml new file mode 100644 index 000000000..60b92e1e2 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/operator/serving-certificate.yaml @@ -0,0 +1,19 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ include "airlock-microgateway.operator.fullname" . }}-serving-cert + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} + {{- with .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + dnsNames: + - airlock-microgateway-operator-webhook.{{ .Release.Namespace }}.svc + - airlock-microgateway-operator-webhook.{{ .Release.Namespace }}.svc.cluster.local + issuerRef: + kind: Issuer + name: {{ include "airlock-microgateway.operator.fullname" . }}-selfsigned-issuer + secretName: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-server-cert diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/validating-webhook.yaml b/charts/airlock/microgateway/4.3.2/templates/operator/validating-webhook.yaml new file mode 100644 index 000000000..5d6b4396b --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/operator/validating-webhook.yaml @@ -0,0 +1,28 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: {{ include "airlock-microgateway.operator.fullname" . }}-webhook-{{ .Release.Namespace }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} + annotations: + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "airlock-microgateway.operator.fullname" . }}-serving-cert + {{- with .Values.commonAnnotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +webhooks: +{{- range $webhook := (include "airlock-microgateway-operator.validatingWebhooks" .) | fromYamlArray }} +- {{ toYaml $webhook | indent 2 | trim }} + {{- with $.Values.operator.watchNamespaceSelector }} + namespaceSelector: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with $.Values.operator.watchNamespaces }} + namespaceSelector: + matchExpressions: + - key: kubernetes.io/metadata.name + operator: In + values: + {{- toYaml . | nindent 10 }} + {{- end }} +{{- end }} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/webhook-service.yaml b/charts/airlock/microgateway/4.3.2/templates/operator/webhook-service.yaml new file mode 100644 index 000000000..477ea839f --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/operator/webhook-service.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Service +metadata: + name: airlock-microgateway-operator-webhook + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} + {{- with .Values.operator.serviceLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ports: + - appProtocol: https + name: webhook + port: 443 + protocol: TCP + targetPort: 9443 + selector: + {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.2/templates/operator/xds-service.yaml b/charts/airlock/microgateway/4.3.2/templates/operator/xds-service.yaml new file mode 100644 index 000000000..81b41acf5 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/operator/xds-service.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Service +metadata: + name: airlock-microgateway-operator-xds + namespace: {{ .Release.Namespace }} + labels: + {{- include "airlock-microgateway.operator.labels" . | nindent 4 }} + {{- with .Values.operator.serviceLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with mustMerge .Values.operator.serviceAnnotations .Values.commonAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + ports: + - appProtocol: grpc + name: xds + port: 13377 + protocol: TCP + targetPort: 13377 + selector: + {{- include "airlock-microgateway.operator.selectorLabels" . | nindent 4 }} + operator.microgateway.airlock.com/isLeader: "true" diff --git a/charts/airlock/microgateway/4.3.2/templates/tests/rbac.yaml b/charts/airlock/microgateway/4.3.2/templates/tests/rbac.yaml new file mode 100644 index 000000000..93bd4cd1b --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/tests/rbac.yaml @@ -0,0 +1,143 @@ +{{- if .Values.tests.enabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: tests + app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests + {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} + name: "{{ include "airlock-microgateway.fullname" . }}-tests" + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: tests + app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests + {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} + name: "{{ include "airlock-microgateway.fullname" . }}-tests" + namespace: {{ .Release.Namespace }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: "{{ include "airlock-microgateway.fullname" . }}-tests" +subjects: +- kind: ServiceAccount + name: "{{ include "airlock-microgateway.fullname" . }}-tests" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: tests + app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests + {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} + name: "{{ include "airlock-microgateway.fullname" . }}-tests" + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: + - microgateway.airlock.com + resources: + - sidecargateways + resourceNames: + - "{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway" + verbs: + - get + - list + - watch + - delete +- apiGroups: + - microgateway.airlock.com + resources: + - sidecargateways + verbs: + - create +- apiGroups: + - "" + resources: + - events + verbs: + - list +- apiGroups: + - "apps" + resources: + - deployments + resourceNames: + - "{{ include "airlock-microgateway.operator.fullname" . }}" + verbs: + - get + - list + - watch +- apiGroups: + - "apps" + resources: + - statefulsets + - statefulsets/scale + resourceNames: + - "{{ include "airlock-microgateway.fullname" . }}-test-backend" + verbs: + - get + - list + - watch + - patch +- apiGroups: + - "" + resources: + - pods + - pods/log + - pods/status + - pods/attach + resourceNames: + - "{{ include "airlock-microgateway.fullname" . }}-test-backend-0" + - "{{ include "airlock-microgateway.fullname" . }}-test-valid-request" + - "{{ include "airlock-microgateway.fullname" . }}-test-injection-request" + verbs: + - get + - list + - create + - watch + - delete +- apiGroups: + - "" + resources: + - pods + verbs: + - create +{{- if .Values.operator.watchNamespaceSelector }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: tests + app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests + {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} + name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}" +subjects: + - kind: ServiceAccount + name: "{{ include "airlock-microgateway.fullname" . }}-tests" + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: tests + app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests + {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} + name: "{{ include "airlock-microgateway.fullname" . }}-tests-{{ .Release.Namespace }}" +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list +{{- end }} +{{- end -}} diff --git a/charts/airlock/microgateway/4.3.2/templates/tests/service.yaml b/charts/airlock/microgateway/4.3.2/templates/tests/service.yaml new file mode 100644 index 000000000..30ddc278d --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/tests/service.yaml @@ -0,0 +1,23 @@ +{{- if .Values.tests.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: "{{ include "airlock-microgateway.fullname" . }}-test-service" + namespace: {{ .Release.Namespace }} + labels: + app: test-service + app.kubernetes.io/component: test-install + app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests + {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} + {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }} +spec: + selector: + app.kubernetes.io/component: test-install + app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests + app: "{{ include "airlock-microgateway.fullname" . }}-test-backend" + {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }} + ports: + - name: http + port: 8080 + targetPort: 8080 +{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.2/templates/tests/statefulset.yaml b/charts/airlock/microgateway/4.3.2/templates/tests/statefulset.yaml new file mode 100644 index 000000000..710a7b9f6 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/tests/statefulset.yaml @@ -0,0 +1,56 @@ +{{- if .Values.tests.enabled -}} +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: "{{ include "airlock-microgateway.fullname" . }}-test-backend" + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/component: test-install + app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests + app: "{{ include "airlock-microgateway.fullname" . }}-test-backend" + {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} + {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }} +spec: + serviceName: nginx + replicas: 0 + selector: + matchLabels: + app.kubernetes.io/component: test-install + app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests + app: "{{ include "airlock-microgateway.fullname" . }}-test-backend" + {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 6 }} + template: + metadata: + annotations: + k8s.v1.cni.cncf.io/networks: default/airlock-microgateway-cni + labels: + sidecar.microgateway.airlock.com/inject: "true" + sidecar.istio.io/inject: "false" + app.kubernetes.io/component: test-install + app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests + app: "{{ include "airlock-microgateway.fullname" . }}-test-backend" + {{- include "airlock-microgateway.sharedLabels" . | nindent 8 }} + {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 8 }} + spec: + containers: + - image: cgr.dev/chainguard/nginx + name: nginx + ports: + - containerPort: 8080 + volumeMounts: + - mountPath: /var/lib/nginx/tmp/ + name: nginx-tmp + - mountPath: /var/run + name: nginx-run + securityContext: + {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 12 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + volumes: + - emptyDir: {} + name: nginx-tmp + - emptyDir: {} + name: nginx-run +{{- end -}} \ No newline at end of file diff --git a/charts/airlock/microgateway/4.3.2/templates/tests/test-install.yaml b/charts/airlock/microgateway/4.3.2/templates/tests/test-install.yaml new file mode 100644 index 000000000..ab82abea7 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/templates/tests/test-install.yaml @@ -0,0 +1,227 @@ +{{- if .Values.tests.enabled -}} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "airlock-microgateway.fullname" . }}-test-install" + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/component: test-install + app.kubernetes.io/name: {{ include "airlock-microgateway.name" . }}-tests + sidecar.istio.io/inject: "false" + {{- include "airlock-microgateway.sharedLabels" . | nindent 4 }} + {{- include "airlock-microgateway.sharedSelectorLabels" . | nindent 4 }} + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +spec: + restartPolicy: Never + containers: + - name: test + image: "bitnami/kubectl:{{ .Capabilities.KubeVersion.Major }}.{{ .Capabilities.KubeVersion.Minor }}" + securityContext: + {{- include "airlock-microgateway.restrictedSecurityContext" . | nindent 6 }} + command: + - sh + - -c + - | + set -eu + + clean_up() { + echo "" + echo "### Clean up test resources" + kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true + echo "" + echo "### Scale down '{{ include "airlock-microgateway.fullname" . }}-test-backend'" + kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=60s + sleep 3s + echo "" + } + + fail() { + echo "" + echo "### Error: ${1}" + echo "" + + if kubectl get -n {{ .Release.Namespace }} sidecargateway.microgateway.airlock.com/{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway >/dev/null 2>&1; then + echo "" + echo 'Microgateway Sidecargateway status:' + kubectl get -n {{ .Release.Namespace }} sidecargateway.microgateway.airlock.com/{{ include "airlock-microgateway.fullname" . }}-test-sidecargateway -o jsonpath-as-json='{.status}' || true + echo "" + echo "" + fi + + if kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 >/dev/null 2>&1; then + echo "Pod '{{ include "airlock-microgateway.fullname" . }}-test-backend-0':" + kubectl describe -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 || true + echo "" + echo "" + echo 'Logs of Nginx container:' + kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c nginx --tail 5 || true + echo "" + echo "" + # Wait for engine logs + sleep 10s + echo 'Logs of Microgateway Engine container:' + kubectl logs -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -c airlock-microgateway-engine --tail 5 || true + fi + + exit 1 + } + + create_sidecargateway() { + # create SidecarGateway resource for testing purposes + kubectl delete --ignore-not-found=true -n {{ .Release.Namespace }} sidecargateways.microgateway.airlock.com {{ include "airlock-microgateway.fullname" . }}-test-sidecargateway || true + kubectl apply -f - </dev/null 2>&1; do sleep 1s; i=$((i+1)); done + kubectl logs -f -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request + kubectl delete pod --ignore-not-found=true -n {{ .Release.Namespace }} {{ include "airlock-microgateway.fullname" . }}-test-valid-request + } + + {{- if .Values.operator.watchNamespaceSelector }} + echo "### Verify that Namespace Selector matches Namespace '{{ .Release.Namespace }}'" + if ! kubectl get namespace -l '{{ include "airlock-microgateway.watchNamespaceSelector.labelQuery" .Values.operator.watchNamespaceSelector }}' | grep -q {{ .Release.Namespace }}; then + labels=$(kubectl get namespace {{ .Release.Namespace }} -o jsonpath={.metadata.labels} | jq | awk '{print " " $0}') + fail {{printf `"Operator namespace '%s' is not part of the operator's watch scope. To execute 'helm test', the selector configured in the helm value 'operator.watchNamespaceSelector' must match the namespace's labels:\n* Current selector:\n%s\n\n* Current labels:\n$labels\n###"` + .Release.Namespace + (replace "\"" "\\\"" (replace "\n" "\\n" (.Values.operator.watchNamespaceSelector | toPrettyJson | indent 2))) + }} + fi + echo "" + {{- end }} + + trap clean_up EXIT + echo "" + + echo "### Waiting for Microgateway Operator Deployments to be ready" + if ! kubectl rollout status -n {{ .Release.Namespace }} --timeout=90s \ + deployments/{{ include "airlock-microgateway.operator.fullname" . }}; then + fail 'Timout occurred' + fi + echo "" + + echo "### Scale '{{ include "airlock-microgateway.fullname" . }}-test-backend' to '1' replica" + # scale to zero replicas to ensure no pods are present from previous runs + kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=0 --timeout=10s + kubectl scale -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --replicas=1 --timeout=10s + echo "" + + echo "### Waiting for backend pod" + i=0 + while true; do + if kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0; then + break + elif [ $i -gt 3 ]; then + fail 'Pod not ready' + fi + sleep 2s + i=$((i+1)) + done + + echo "### Checking Microgateway Engine sidecar container was injected" + if ! kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -o jsonpath='{.spec.containers[?(@.name=="airlock-microgateway-engine")]}' | grep -q "airlock-microgateway-engine"; then + fail 'Microgateway Engine sidecar container not injected' + fi + echo "True" + echo "" + + echo "### Checking for valid license" + i=0 + while true; do + if [ "$(kubectl get -n {{ .Release.Namespace }} pods/{{ include "airlock-microgateway.fullname" . }}-test-backend-0 -o jsonpath='{.metadata.labels.sidecar\.microgateway\.airlock\.com/licensed}')" = 'true' ]; then + break + elif [ $i -gt 30 ]; then + fail 'Microgateway license is missing or invalid' + fi + sleep 2s + i=$((i+1)) + done + echo "True" + echo "" + + echo "### Create SidecarGateway resource for testing" + if ! create_sidecargateway ; then + fail 'Creation of SidecarGateway resource failed' + fi + echo "" + + echo "### Waiting for '{{ include "airlock-microgateway.fullname" . }}-test-backend' to be ready" + if ! kubectl rollout status -n {{ .Release.Namespace }} statefulset/{{ include "airlock-microgateway.fullname" . }}-test-backend --timeout=90s; then + fail 'Timout occurred' + fi + echo "" + + echo "### Waiting for 'engine-config-valid' condition" + if ! kubectl wait -n {{ .Release.Namespace }} pods --field-selector=metadata.name={{ include "airlock-microgateway.fullname" . }}-test-backend-0 --timeout=90s --for=condition=microgateway.airlock.com/engine-config-valid=True; then + fail 'Configuration was never accepted by the Microgateway Engine' + fi + sleep 5s + echo "" + echo "" + + echo "### Checking whether a valid request is successful and returns HTTP status code '200'" + out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/" || true) + echo "Response:" + echo "${out}" + if ! echo "${out}" | grep -q "200 OK"; then + fail 'A valid request was not successful' + fi + echo "" + echo "" + + echo "### Checking whether a request with an injection attack is blocked and returns HTTP status code '400'" + out=$(curl -vsS --retry 3 --retry-connrefused --connect-timeout 10 "http://{{ include "airlock-microgateway.fullname" . }}-test-service:8080/?token='%20UnION%20all%20select%20A" || true) + echo "Response:" + echo "${out}" + if ! echo "${out}" | grep -q "400 Bad Request"; then + fail 'A malicious request was not blocked' + fi + echo "" + echo "" + + echo "### Installation of '{{ include "airlock-microgateway.fullname" . }}' succeeded" + exit 0 + serviceAccountName: "{{ include "airlock-microgateway.fullname" . }}-tests" +{{- end -}} diff --git a/charts/airlock/microgateway/4.3.2/values.schema.json b/charts/airlock/microgateway/4.3.2/values.schema.json new file mode 100644 index 000000000..173d6b084 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/values.schema.json @@ -0,0 +1,540 @@ +{ + "$schema": "https://json-schema.org/draft/2020-12/schema", + "type": "object", + "properties": { + "nameOverride": { + "type": "string" + }, + "fullnameOverride": { + "type": "string" + }, + "commonLabels": { + "$ref": "#/definitions/StringMap" + }, + "commonAnnotations": { + "$ref": "#/definitions/StringMap" + }, + "crds": { + "type": "object", + "properties": { + "skipVersionCheck": { + "type": "boolean" + } + }, + "additionalProperties": false + }, + "imagePullSecrets": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "minLength": 1 + } + }, + "required": [ + "name" + ], + "additionalProperties": true + } + }, + "operator": { + "type": "object", + "properties": { + "replicaCount": { + "type": "integer", + "minimum": 0 + }, + "updateStrategy": { + "$ref": "#/definitions/UpdateStrategy" + }, + "image": { + "$ref": "#/definitions/Image" + }, + "podAnnotations": { + "$ref": "#/definitions/StringMap" + }, + "podLabels": { + "$ref": "#/definitions/StringMap" + }, + "serviceAnnotations": { + "$ref": "#/definitions/StringMap" + }, + "serviceLabels": { + "$ref": "#/definitions/StringMap" + }, + "resources": { + "type": "object" + }, + "nodeSelector": { + "$ref": "#/definitions/StringMap" + }, + "tolerations": { + "type": "array", + "items": { + "type": "object" + } + }, + "affinity": { + "type": "object" + }, + "config": { + "type": "object", + "properties": { + "logLevel": { + "type": "string", + "enum": [ + "debug", + "info", + "warn", + "error" + ] + } + }, + "required": [ + "logLevel" + ], + "additionalProperties": false + }, + "serviceAccount": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "annotations": { + "$ref": "#/definitions/StringMap" + }, + "name": { + "type": "string" + } + }, + "required": [ + "annotations", + "create", + "name" + ], + "additionalProperties": false + }, + "watchNamespaces": { + "type": "array", + "items": { + "type": "string" + } + }, + "watchNamespaceSelector": { + "$ref": "#/definitions/LabelSelector" + }, + "rbac": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + }, + "required": [ + "create" + ], + "additionalProperties": false + }, + "serviceMonitor": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "labels": { + "$ref": "#/definitions/StringMap" + } + }, + "required": [ + "create" + ], + "additionalProperties": false + } + }, + "oneOf": [ + { + "properties": { + "watchNamespaces": { + "minItems": 1 + }, + "watchNamespaceSelector": { + "additionalProperties": false + } + } + }, + { + "properties": { + "watchNamespaces": { + "maxItems": 0 + }, + "watchNamespaceSelector": { + "$ref": "#/definitions/LabelSelector" + } + } + } + ], + "required": [ + "affinity", + "config", + "image", + "updateStrategy", + "nodeSelector", + "podAnnotations", + "podLabels", + "rbac", + "replicaCount", + "resources", + "serviceAccount", + "serviceAnnotations", + "serviceLabels", + "serviceMonitor", + "tolerations" + ], + "additionalProperties": false + }, + "engine": { + "type": "object", + "properties": { + "image": { + "$ref": "#/definitions/Image" + }, + "resources": { + "type": "object" + }, + "sidecar": { + "type": "object", + "properties":{ + "podMonitor": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "labels": { + "$ref": "#/definitions/StringMap" + } + }, + "required": [ + "create" + ], + "additionalProperties": false + } + }, + "required": [ + "podMonitor" + ], + "additionalProperties": false + } + }, + "required": [ + "image", + "resources", + "sidecar" + ], + "additionalProperties": false + }, + "networkValidator": { + "type": "object", + "properties": { + "image": { + "$ref": "#/definitions/Image" + } + }, + "required": [ + "image" + ], + "additionalProperties": false + }, + "sessionAgent": { + "type": "object", + "properties": { + "image": { + "$ref": "#/definitions/Image" + }, + "resources": { + "type": "object" + } + }, + "required": [ + "image", + "resources" + ], + "additionalProperties": false + }, + "license": { + "type": "object", + "properties": { + "secretName": { + "type": "string", + "minLength": 1 + } + }, + "required": [ + "secretName" + ], + "additionalProperties": false + }, + "dashboards": { + "type": "object", + "properties" : { + "create": { + "type": "boolean" + }, + "config": { + "type": "object", + "properties": { + "grafana": { + "type": "object", + "properties": { + "folderAnnotation": { + "$ref": "#/definitions/NameValuePair" + }, + "dashboardLabel": { + "$ref": "#/definitions/NameValuePair" + } + }, + "required": [ + "folderAnnotation", + "dashboardLabel" + ], + "additionalProperties": false + } + }, + "required": [ + "grafana" + ], + "additionalProperties": false + }, + "instances": { + "type": "object", + "properties": { + "overview": { + "$ref": "#/definitions/DashboardInstance" + }, + "license" : { + "$ref": "#/definitions/DashboardInstance" + }, + "blockMetrics" : { + "$ref": "#/definitions/DashboardInstance" + }, + "blockLogs" : { + "$ref": "#/definitions/DashboardInstance" + } + }, + "required": [ + "overview", + "license", + "blockMetrics", + "blockLogs" + ], + "additionalProperties": false + } + }, + "required": [ + "create", + "config", + "instances" + ], + "additionalProperties": false + }, + "tests": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled" + ], + "additionalProperties": false + }, + "global": { + "type": "object" + } + }, + "required": [ + "commonAnnotations", + "commonLabels", + "crds", + "engine", + "fullnameOverride", + "imagePullSecrets", + "license", + "nameOverride", + "operator", + "networkValidator", + "sessionAgent", + "dashboards", + "tests" + ], + "additionalProperties": false, + "definitions": { + "StringMap": { + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "Image": { + "type": "object", + "properties": { + "repository": { + "type": "string", + "minLength": 1 + }, + "tag": { + "type": "string" + }, + "digest": { + "type": "string", + "pattern": "^$|^sha256:[a-f0-9]{64}$" + }, + "pullPolicy": { + "type": "string", + "enum": [ + "Always", + "IfNotPresent", + "Never" + ] + } + }, + "required": [ + "digest", + "pullPolicy", + "repository", + "tag" + ], + "additionalProperties": false + }, + "LabelSelector": { + "type": "object", + "properties": { + "matchExpressions": { + "type": "array", + "items": { + "type": "object", + "required": [ + "key", + "operator" + ], + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "type": "array", + "items": { + "type": "string" + } + } + }, + "additionalProperties": false + } + }, + "matchLabels": { + "$ref": "#/definitions/StringMap" + } + }, + "additionalProperties": false + }, + "UpdateStrategy": { + "type": "object", + "oneOf" : [ + { + "properties": { + "type": { + "$ref": "#/definitions/RecreateType" + } + }, + "required": [ + "type" + ], + "additionalProperties": false + }, + { + "properties": { + "type": { + "$ref": "#/definitions/RollingUpdateType" + }, + "rollingUpdate": { + "$ref": "#/definitions/RollingUpdate" + } + }, + "required": [ + "type" + ], + "additionalProperties": false + } + ] + }, + "RecreateType": { + "type": "string", + "enum": [ + "Recreate" + ] + }, + "RollingUpdateType": { + "type": "string", + "enum": [ + "RollingUpdate" + ] + }, + "RollingUpdate": { + "type": "object", + "properties": { + "maxSurge": { + "type": ["integer", "string"], + "minimum": 0, + "pattern": "^\\d+%?$" + }, + "maxUnavailable": { + "type": ["integer", "string"], + "minimum": 0, + "pattern": "^\\d+%?$" + } + }, + "anyOf": [ + {"required": ["maxSurge"]}, + {"required": ["maxUnavailable"]} + ], + "additionalProperties": false + }, + "DashboardInstance" : { + "type" : "object", + "properties" : { + "create" : { + "type" : "boolean" + } + }, + "required" : [ + "create" + ], + "additionalProperties": false + }, + "NameValuePair" : { + "type" : "object", + "properties" : { + "name" : { + "type": "string", + "minLength": 1 + }, + "value" : { + "type" : "string", + "minLength": 1 + } + }, + "required" : [ + "name", + "value" + ], + "additionalProperties": false + } + } +} diff --git a/charts/airlock/microgateway/4.3.2/values.yaml b/charts/airlock/microgateway/4.3.2/values.yaml new file mode 100644 index 000000000..36f513b48 --- /dev/null +++ b/charts/airlock/microgateway/4.3.2/values.yaml @@ -0,0 +1,213 @@ +# -- Allows overriding the name to use instead of "microgateway". +nameOverride: "" +# -- Allows overriding the name to use as full name of resources. +fullnameOverride: "" +# -- Labels to add to all resources. +commonLabels: {} +# -- Annotations to add to all resources. +commonAnnotations: {} +# -- ImagePullSecrets to use when pulling images. +imagePullSecrets: [] +# - name: myRegistryKeySecretName + +crds: + # -- Whether to skip the sanity check which prevents installing/upgrading the helm chart in a cluster with outdated Airlock Microgateway CRDs. + # The check aims to prevent unexpected behavior and issues due to Helm v3 not automatically upgrading CRDs which are already present in the cluster + # when performing a "helm install/upgrade". + skipVersionCheck: false +operator: + # -- Number of replicas for the operator Deployment. + replicaCount: 2 + # -- Specifies the operator update strategy. + updateStrategy: + type: RollingUpdate + # Specifies the Airlock Microgateway Operator image. + image: + # -- Image repository from which to pull the Airlock Microgateway Operator image. + repository: "quay.io/airlock/microgateway-operator" + # -- Image tag to pull. + tag: "4.3.2" + # -- SHA256 image digest to pull (in the format "sha256:c79ee3f85862fb386e9dd62b901b607161d27807f512d7fbdece05e9ee3d7c63"). + # Overrides tag when specified. + digest: "sha256:d22f2ca35603b805caa67dd07aba524c3e4d68c3b59f7ddfc0e22e7fc09a200c" + # -- Pull policy for this image. + pullPolicy: IfNotPresent + # -- Annotations to add to all Pods. + podAnnotations: {} + # -- Labels to add to all Pods. + podLabels: {} + # -- Annotations to add to the Service. + serviceAnnotations: {} + # prometheus.io/scrape: "true" + # prometheus.io/port: "8080" + + # -- Labels to add to the Service. + serviceLabels: {} + # -- Resource restrictions to apply to the operator container. + resources: {} + # We recommend at least the following resource specification. + # limits: + # cpu: 1000m + # memory: 512Mi + # requests: + # cpu: 100m + # memory: 512Mi + + # -- Custom nodeSelector to apply to the operator Deployment in order to constrain its Pods to certain nodes. + nodeSelector: {} + # -- Custom tolerations to apply to the operator Deployment in order to allow its Pods to run on tainted nodes. + tolerations: [] + # -- Custom affinity to apply to the operator Deployment. Used to influence the scheduling. + affinity: {} + # Parameters for the operator configuration. + config: + # -- Operator application log level. + logLevel: "info" + # Configures the generation of the ServiceAccount. + serviceAccount: + # -- Whether a ServiceAccount should be created. + create: true + # -- Annotations to add to the ServiceAccount. + annotations: {} + # -- Name of the ServiceAccount to use. + # If not set and create is true, a name is generated using the fullname template. + name: "" + # -- Allows to restrict the operator to specific namespaces, depending on your needs. + # For a `OwnNamespace` or `SingleNamespace` installation the list may only contain one namespace (e.g., `watchNamespaces: ["airlock-microgateway-system"]`). + # In case of the `OwnNamespace` installation mode the specified namespace should be equal to the installation namespace. + # For a static `MultiNamespace` installation, the complete list of namespaces must be provided in the `watchNamespaces`. + # An `AllNamespaces` installation or the usage of the `watchNamespaceSelector` requires the `watchNamespaces` to be empty. + # Regardless of the installation modes supported by `watchNamespaces`, RBAC is created only namespace-scoped (using Roles and RoleBindings) in the respective namespaces. + # Please note that this feature requires a Premium license. + watchNamespaces: [] + # -- Allows to dynamically select watch namespaces of the operator and the scope of the webhooks based on a Namespace label selector. + # It is able to detect and reconcile resources in all namespaces that match the label selector automatically, even for new namespaces, without restarting the operator. + # This facilitates a dynamic `MultiNamespace` installation mode, but still requires cluster-scoped permissions (i.e., ClusterRoles and ClusterRoleBindings). + # An `AllNamespaces` installation or the usage of the `watchNamespaces` requires the `watchNamespaceSelector` to be empty. + # Please note that this feature requires a Premium license. + watchNamespaceSelector: {} + # For further examples, see: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#resources-that-support-set-based-requirements. + # matchLabels: + # microgateway.airlock.com/enable: "true" + # matchExpressions: + # - { key: environment, operator: NotIn, values: [dev] } + + # Configures the generation of Role and RoleBinding as well as ClusterRoles and ClusterRoleBinding pairs for the ServiceAccount specified above. + rbac: + # -- Whether to create RBAC resources which are required for the Airlock Microgateway Operator to function. + create: true + # Configures the generation of a Prometheus Operator ServiceMonitor. + serviceMonitor: + # -- Whether to create a ServiceMonitor resource for monitoring. + create: false + # -- Labels to add to the ServiceMonitor. + labels: {} + # release: "" +engine: + # Specifies the Airlock Microgateway Engine image. + image: + # -- Image repository from which to pull the Airlock Microgateway Engine image. + repository: "quay.io/airlock/microgateway-engine" + # -- Image tag to pull. + tag: "4.3.2" + # -- SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). + # Overrides tag when specified. + digest: "sha256:8d42759d999e6b69efa9ef1ecfdc84dc1f8f6f1ca822c8d2d3ef8ff1e335b9c9" + # -- Pull policy for this image. + pullPolicy: IfNotPresent + # -- Resource restrictions to apply to the Airlock Microgateway Engine container. + resources: {} + # We recommend at least the following resource specification. + # limits: + # cpu: 500m + # memory: 128Mi + # requests: + # cpu: 10m + # memory: 40Mi + + # Additional configuration when deployed as a sidecar. + sidecar: + # Configures the generation of a Prometheus Operator PodMonitor. + podMonitor: + # -- Whether to create a PodMonitor resource for monitoring. + create: false + # -- Labels to add to the PodMonitor. + labels: {} + # release: "" +networkValidator: + # Specifies the Airlock Microgateway Network Validator image to be injected as an init-container. + image: + # -- Image repository from which to pull the netcat image for the Airlock Microgateway Network Validator init-container. + repository: "cgr.dev/chainguard/netcat" + # -- Image tag to pull. + tag: "" + # -- SHA256 image digest to pull (in the format "sha256:d1c484f4b9ea6218e2b1925f6b08d54dd352c7aaf653977bbbbeeb21eb3e19dd"). + # Overrides tag when specified. + digest: "sha256:d1c484f4b9ea6218e2b1925f6b08d54dd352c7aaf653977bbbbeeb21eb3e19dd" + # -- Pull policy for this image. + pullPolicy: IfNotPresent +sessionAgent: + # Specifies the Airlock Microgateway Session Agent image. + image: + # -- Image repository from which to pull the Airlock Microgateway Session Agent image. + repository: "quay.io/airlock/microgateway-session-agent" + # -- Image tag to pull. + tag: "4.3.2" + # -- SHA256 image digest to pull (in the format "sha256:a3051f42d3013813b05f7513bb86ed6a3209cb3003f1bb2f7b72df249aa544d3"). + # Overrides tag when specified. + digest: "sha256:d487f4099c267310debffe5d5cac168deeddf6082dafbee352550f2792b9609c" + # -- Pull policy for this image. + pullPolicy: IfNotPresent + # -- Resource restrictions to apply to the Airlock Microgateway Session Agent container. + resources: {} + # We recommend at least the following resource specification. + # limits: + # cpu: 150m + # memory: 32Mi + # requests: + # cpu: 10m + # memory: 8Mi +license: + # -- Name of the secret containing the "microgateway-license.txt" key. + secretName: "airlock-microgateway-license" +# Creates dashboards in the form of ConfigMaps that can be imported +# by Grafana using its sidecar setup. +dashboards: + # -- Whether to create any ConfigMaps containing Grafana dashboards to import. + create: false + config: + # Configures the necessary label and annotations along with their values + # to enable Grafana to correctly identify the ConfigMaps containing + # dashboards and file them within a dedicated folder in the dashboard overview. + # These settings need to match the Grafana sidecar configuration. + grafana: + folderAnnotation: + # -- Name of the annotation containing the folder name to file dashboards into. + name: "grafana_folder" + # -- Name of the folder dashboards are filed into within the Grafana UI. + value: "Airlock Microgateway" + dashboardLabel: + # -- Name of the label that lets Grafana identify ConfigMaps that represent dashboards. + name: "grafana_dashboard" + # -- Value of the label that lets Grafana identify ConfigMaps that represent dashboards. + value: "1" + instances: + # Available dashboard instances that can be individually created/deployed. + overview: + # -- Whether to create the overview dashboard. + create: true + license: + # -- Whether to create the license dashboard. + create: true + blockMetrics: + # -- Whether to create the block metrics dashboard. + create: true + blockLogs: + # -- Whether to create the block logs dashboard. + create: true +# Check whether the installation of the Airlock Microgateway Helm Chart was successful. +# Requires a secret with a valid Airlock Microgateway license key already to be present. +tests: + # -- Whether additional resources required for running `helm test` should be created (e.g. Roles and ServiceAccounts). + # If set to false, `helm test` will not run any tests. + enabled: false diff --git a/charts/kong/kong/2.41.0/CHANGELOG.md b/charts/kong/kong/2.41.0/CHANGELOG.md new file mode 100644 index 000000000..f7656c460 --- /dev/null +++ b/charts/kong/kong/2.41.0/CHANGELOG.md @@ -0,0 +1,1932 @@ +# Changelog + +## 2.41.0 + +### Changes + +* Bumped default `kong/kubernetes-ingress-controller` image tag to 3.3. + [#1121](https://github.com/Kong/charts/pull/1121) + +## 2.40.0 + +* Add `deployment.revisionHistoryLimit` to set how many old `ReplicaSet`s you want to retain. + +### Changes +* Added support for ServiceMonitor relabelings allowing labels manipulation before scraping. + [#1095](https://github.com/Kong/charts/pull/1095) + +### Fixed +* Populate `KONG_ADMIN_GUI_SESSION_CONF` even if `enterprise.rbac.admin_gui_auth` is set to `openid-connect` + for Kong versions < 3.6.0. + [#1101](https://github.com/Kong/charts/pull/1101) + +### Breaking changes + +* Added `ingressController.konnect.controlPlaneID` and deprecated `ingressController.konnect.runtimeGroupID` + [#1099](https://github.com/Kong/charts/pull/1099) + +## 2.39.3 + +### Fixed + +* `KONG_ADMIN_GUI_SESSION_CONF` is not populated only when `enterprise.rbac.admin_gui_auth` + is set to `openid-connect`. The default value of `enterprise.rbac.session_conf_secret` is + restored to `kong-session-config` to avoid breaking changes. + [#1093](https://github.com/Kong/charts/pull/1093) + +## 2.39.2 + +### Fixed + +* Fixes `KongLicense` policy rules for Ingress controller when using `watchNamespaces` + [#1084](https://github.com/Kong/charts/pull/1084) + +## 2.39.1 + +### Fixed + +* Added missing `KongCustomEntity` CRD for KIC 3.2. + +## 2.39.0 + +### Changes + +* Updated handling of `session_conf_secret` to accommodate Kong 3.6. + It can now be omitted [when using OIDC](https://docs.konghq.com/gateway/3.6.x/kong-manager/auth/oidc/migrate/). + [#1033](https://github.com/Kong/charts/pull/1033) +* Setting a Service's `servicePort` to 0 now disables that port on the Service, + for use when the external Service and container listens should differ, such + as when terminating TLS at a LoadBalancer. + [#1021](https://github.com/Kong/charts/pull/1021) +* Added an `ingressController.admissionWebhook.filterSecrets` option. When + enabled, the webhook will only validate Secrets that have one of the + recognized KIC labels: + + * `konghq.com/credential: <"key-auth", "jwt", etc. credential types>` + * `konghq.com/validate: <"plugin", "custom">` + + Earlier versions checked all Secrets and did not require labels, interfering + with non-KIC labels. Requires KIC 3.0+. + [#1061](https://github.com/Kong/charts/pull/1061) +* Add RBAC policy rules for Custom Entities + [#1081](https://github.com/Kong/charts/pull/1081) +* Bumped default `kong/kubernetes-ingress-controller` image tag to 3.2. + [#1085](https://github.com/Kong/charts/pull/1085) + +## 2.38.0 + +### Changes + +* Added support for setting `SVC.tls.appProtocol` and `SVC.http.appProtocol` values to configure the appProtocol fields + for Kubernetes Service HTTP and TLS ports. It might be useful for integration with external load balancers like GCP. + [#1018](https://github.com/Kong/charts/pull/1018) + +## 2.37.1 + +* Rename the controller status port. This fixes a collision with the proxy status port in the Prometheus ServiceMonitor. + [#1008](https://github.com/Kong/charts/pull/1008) + +## 2.37.0 + +### Changes + +* Bumped default `kong/kubernetes-ingress-controller` image tag and updated CRDs to 3.1. + [#1011](https://github.com/Kong/charts/pull/1011) +* Bumped default `kong` image tag to 3.6. + [#1011](https://github.com/Kong/charts/pull/1011) + +## 2.36.0 + +### Fixed + +* Add `KongLicense` RBAC rules. + [#1006](https://github.com/Kong/charts/pull/1006) + +## 2.35.1 + +### Fixed + +* The plugin helper no longer sets the plugin list when not in use. + [#1002](https://github.com/Kong/charts/pull/1002) + +## 2.35.0 + +### Added + +* Added controller's RBAC rules for `KongVault` CRD (installed only when KIC + version >= 3.1.0). + [#992](https://github.com/Kong/charts/pull/992) + +### Fixed + +* Added a missing `envFrom` render in the main Kong proxy container. + [#994](https://github.com/Kong/charts/pull/994) + +## 2.34.0 + +### Added + +* The `envFrom` and `ingressController.envFrom` values.yaml keys now populate + the container field of the same name. This loads environment variables from + ConfigMap or Secret resource keys in bulk: + https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables + [#987](https://github.com/Kong/charts/pull/987) +* Kong listens now use both IPv4 and IPv6 addresses. + [#986](https://github.com/Kong/charts/pull/986) + +## 2.33.3 + +### Fixed + +* Add RBAC rules for get, list and watch operations on namespaces so that Gateway API + controllers in KIC can access using a cached controller-runtime client. + [#974](https://github.com/Kong/charts/pull/974) + +## 2.33.2 + +### Fixed + +* Fix a template bug related to the `affinity` field for migrations Pods. + [#972](https://github.com/Kong/charts/pull/972) + +## 2.33.1 + +### Fixed + +* Use changed `incubator.ingress-controller.konghq.com` API group name in `KongServiceFacade` + RBAC rules. Refer to [KIC#5302](https://github.com/Kong/kubernetes-ingress-controller/pull/5302) + for rename reasoning. + [#968](https://github.com/Kong/charts/pull/968) + +## 2.33.0 + +### Improvements + +* Only allow `None` ClusterIPs on ClusterIP-type Services. + [#961](https://github.com/Kong/charts/pull/961) + [#962](https://github.com/Kong/charts/pull/962) +* Bumped Kong version to 3.5. + [#957](https://github.com/Kong/charts/pull/957) +* Support for `affinity` configuration has been added to migration job templates. +* Display a warning message when Kong Manager is enabled and the Admin API is disabled. +* Validate Gateway API's `Gateway` and `HTTPRoute` resources in the controller's + admission webhook only when KIC version is 3.0 or higher. + [#954](https://github.com/Kong/charts/pull/954) +* Added controller's RBAC rules for `KongServiceFacade` CRD (installed only when + KongServiceFacade feature gate turned on and KIC version >= 3.1.0). + [#963](https://github.com/Kong/charts/pull/963) + +## 2.32.0 + +### Improvements + +* Add new `deployment.hostname` value to make identifying instances in + controlplane/dataplane configurations easier. + [#943](https://github.com/Kong/charts/pull/943) + +## 2.31.0 + +### Improvements + +* Added controller's RBAC rules for `KongUpstreamPolicy` CRD. + [#917](https://github.com/Kong/charts/pull/917) +* Added services resource to admission webhook config for KIC >= 3.0.0. + [#919](https://github.com/Kong/charts/pull/919) +* Update default ingress controller version to v3.0 + [#929](https://github.com/Kong/charts/pull/929) + [#930](https://github.com/Kong/charts/pull/930) + +### Fixed + +* The target port for cmetrics should only be applied if the ingress controller is enabled. + [#926](https://github.com/Kong/charts/pull/926) +* Fix RBAC for Gateway API v1. + [#928](https://github.com/Kong/charts/pull/928) +* Enable Admission webhook for Gateway API v1 resources. + [#928](https://github.com/Kong/charts/pull/928) + +## 2.30.0 + +### Improvements + +* Prevent installing PodDisruptionBudget for `replicaCount: 1` or `autoscaling.minReplicas: 1`. + [#896](https://github.com/Kong/charts/pull/896) +* The admission webhook now will be triggered on Secrets creation for KIC 2.12.1+. + [#907](https://github.com/Kong/charts/pull/907) +* Container security context defaults now comply with the restricted pod + security standard. This includes an enforced run as user ID set to 1000. UID + 1000 is used for official Kong images other than Alpine images (which use UID + 100) and for KIC images 3.0.0+ (older images use UID 65532). Images that do + not use UID 1000 can still run with this user, as static image files are + world-accessible and runtime-created files are created in temporary + directories created for the run as user. + [#911](https://github.com/Kong/charts/pull/911) +* Allow using templates (via `tpl`) when specifying `proxy.nameOverride`. + [#914](https://github.com/Kong/charts/pull/914) + +## 2.29.0 + +### Improvements +* Make it possible to set the admission webhook's `timeoutSeconds`. + [#894](https://github.com/Kong/charts/pull/894) + +## 2.28.1 + +### Fixed + +* The admission webhook now includes Gateway API resources and Ingress + resources for controller versions 2.12+. This version introduces new + validations for Kong's regex path implementation. + [#892](https://github.com/Kong/charts/pull/892) + +## 2.28.0 + +### Improvements + +* Bump default `kong` image tag to 3.4. + [#883](https://github.com/Kong/charts/pull/883) +* Bump default ingress controller image tag to 2.12. +* Added validation rule for `latency` upstream load balancing algorithm to + CRDs. [Upgrade your CRDs](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#updates-to-crds) + when installing this release. + +## 2.27.0 + +### Improvements + +* Listens now all support `.address` configuration. This was an existing + setting that was not applied properly for some listens. + [#881](https://github.com/Kong/charts/pull/881) + +## 2.26.5 + +### Fixed + +* Kuma ServiceAccount Token hints and volumes are also available in migrations + Pods. + [#877](https://github.com/Kong/charts/pull/877) + +## 2.26.4 + +### Fixed + +* updated `admin_api_uri` to `admin_gui_api_url` as per [kong documentation](https://docs.konghq.com/gateway/3.4.x/reference/configuration/#admin_api_uri). + +## 2.26.3 + +### Fixed + +* Enabled Service and Ingress in Kong Manager for non enterprise users. + +## 2.26.2 + +### Fixed + +* Add missing CRD KongConsumerGroup and extend status subresource for CRDs + +## 2.26.1 + +### Fixed + +* Fix parsing enterprise tags (like e.g. `3.4.0.0`) + [#857](https://github.com/Kong/charts/pull/857) + +## 2.26.0 + +### Breaking changes + +2.26 changes the default proxy readiness endpoint for newer Kong versions. This +causes an issue in a narrow edge case. If all of the following are true: + +* You use Kong 3.3 or newer. +* You use controller 2.10 or older. +* You run the controller and proxy in separate Deployments. + +you are affected and should review [the 2.26 upgrade instructions](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#2260). + +### Improvements + +* Use the Kong 3.3 `/status/ready` endpoint for readiness probes by default if + available. If not available, use the old `/status` default. + [#844](https://github.com/Kong/charts/pull/844) +* Add ArgoCD `Sync` and `BeforeHookCreation` [hook policies](https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks/) + to the the init and pre-upgrade migrations Jobs. +* Add controller's RBAC rules for `KongConsumerGroups` CRD. + [#850](https://github.com/Kong/charts/pull/850) +* Updated controller version to 2.11. + +## 2.25.0 + +- Generate the `adminApiService.name` value from `.Release.Name` rather than + hardcoding to `kong` + [#839](https://github.com/Kong/charts/pull/839) + +## 2.24.0 + +### Improvements + +* Running `tpl` against user-supplied labels and annotations used in Deployment + [#814](https://github.com/Kong/charts/pull/814) + + Example: + ```yaml + podLabels: + version: "{{ .Values.image.tag }}" # Will render dynamically when overridden downstream + ``` + +* Fail to render templates when PodSecurityPolicy was requested but cluster doesn't + serve its API. + [#823](https://github.com/Kong/charts/pull/823) +* Add support for multiple hosts and tls configurations for Kong proxy `Ingress`. + [#813](https://github.com/Kong/charts/pull/813) +* Bump postgres default tag to `13.11.0-debian-11-r20` which includes arm64 images. + [#834](https://github.com/Kong/charts/pull/834) + +### Fixed + +* Fix Ingress and HPA API versions during capabilities checking + [#827](https://github.com/Kong/charts/pull/827) + +## 2.23.0 + +### Improvements + +* Add custom label configuration option for Kong proxy `Ingress`. + [#812](https://github.com/Kong/charts/pull/812) +* Bump default `kong/kubernetes-ingress-controller` image tag to 2.10. + Bump default `kong` image tag to 3.3. + [#815](https://github.com/Kong/charts/pull/815) + +## 2.22.0 + +### Improvements + +* Removed redundant RBAC permissions for non-existing subresources `secrets/status` + and `endpoints/status`. + [#798](https://github.com/Kong/charts/pull/798) +* For Kong Ingress Controller in version >= 2.10, RBAC permissions for `Endpoints` + are not configured anymore (because it uses `EndpointSlices`). + [#798](https://github.com/Kong/charts/pull/798) +* Added support for setting `certificates.cluster.commonName`. This allows a custom + certificate `CommonName` to be provided when deploying Kong Gateway in hybrid + mode using Cert Manager [#804](https://github.com/Kong/charts/pull/804) + +## 2.21.0 + +### Improvements + +* Added support for `startupProbe` on Kong pods. This can be configured via + `.Values.startupProbe`. To maintain backward compatibility, it is disabled by default. + [#792](https://github.com/Kong/charts/pull/792) +* Customize Admission Webhook namespaceSelectors and compose them from values. + [#794](https://github.com/Kong/charts/pull/794) +* Added `CustomResourceDefinition` `list` and `watch` permissions to controller's ClusterRole. + [#796](https://github.com/Kong/charts/pull/796) + +## 2.20.2 + +### Fixed + +* Automatic license provisioning for Gateways managed by Ingress Controllers in Konnect mode + is disabled by default. + To enable it, set `.Values.ingressController.konnect.license.enabled=true`. + [#793](https://github.com/Kong/charts/pull/793) + +## 2.20.1 + +### Fixed + +* Fix correct timestamp format and remove `isCA` in certificates + [#791](https://github.com/Kong/charts/pull/791) + +## 2.20.0 + +### Improvements + +* Added support for automatic license provisioning for Gateways managed by + Ingress Controllers in Konnect mode (`.Values.ingressController.konnect.enabled=true`). + [#787](https://github.com/Kong/charts/pull/787) + +## 2.19.1 + +### Fixed + +* Fix `webhook-cert` being mounted regardless if `.Values.ingressController.enabled` + is set. + [#779](https://github.com/Kong/charts/pull/779) + +## 2.19.0 + +### Improvements + +* Security context enforces read-only root filesystem by default. This is not + expected to affect most configurations, but [will affect custom plugins that + write to the container filesystem](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#2170). + [#770](https://github.com/Kong/charts/pull/770) + +## 2.18.0 + +### Improvements + +* Added support for the Admin API service TLS client verification. + [#780](https://github.com/Kong/charts/pull/780 + +## 2.17.1 + +### Fixed + +* The `-redhat` suffix on official KIC images is no longer considered part of + the semver string for version checks. + [#779](https://github.com/Kong/charts/pull/779) + +## 2.17.0 + +### Improvements + +* Added support for controller's gateway discovery. + With `ingressController.gatewayDiscovery.enabled` set to `true` Kong Ingress Controller + will enable gateway discovery using an Admin API service. + For more information on this please see [the corresponding README.md section][kic_gateway_discovery_readme]. + This feature is only available when deploying chart with Kong Ingress Controller in version 2.9 or higher. + [#747](https://github.com/Kong/charts/pull/747) +* Added experimental support for the ingress controller's Konnect sync feature via `ingressController.konnect.*` values. + This feature is only available when deploying chart with Kong Ingress Controller in version 2.9 or higher and + requires `ingressController.gatewayDiscovery.enabled` set to `true`. + [#746](https://github.com/Kong/charts/pull/746) +* Added support for annotations on the admission webhook ValidatingWebhookConfiguration. + [#760](https://github.com/Kong/charts/pull/760) +* Added support for `subject` and `privateKey` properties on certificates. + [#762](https://github.com/Kong/charts/pull/762) +* Added support for loadBalancerClass in LoadBalancer type services. + [#767](https://github.com/Kong/charts/pull/767) +* Added support for `GRPCRoute`s. + [#772](https://github.com/Kong/charts/pull/772) +* Default Kong version is bumped to 3.2. + [#773](https://github.com/Kong/charts/pull/773) +* Added support for admissionhook to include labels. + [#768](https://github.com/Kong/charts/pull/768) + +### Under the hood + +* Add kube-linter to the CI pipeline to ensure produced manifests comply + with community best practices. + [#751](https://github.com/Kong/charts/pull/751) + +[kic_gateway_discovery_readme]: ./README.md#the-gatewaydiscovery-section + +## 2.16.5 + +### Fixed + +* Fix autoscaling version detection. + [#752](https://github.com/Kong/charts/pull/752) +* Don't include a clear-stale-pid initContainer when kong gateway is not + enabled in the deployment. + [#749](https://github.com/Kong/charts/pull/749) + +## 2.16.4 + +### Fixed + +* HorizontalPodAutoscaler's API version is detected properly. + [#744](https://github.com/Kong/charts/pull/744) + +## 2.16.3 + +### Fixed + +* Fix template issue preventing custom dblessconfig volume from being mounted. + [#741](https://github.com/Kong/charts/pull/741) + +## 2.16.2 + +### Fixed + +* The admission webhook is disabled when the ingress controller is disabled, as + the admission webhook requires a service provided by the ingress controller. + +## 2.16.1 + +### Fixed + +* serviceAccount projected volume is properly provisioned for GKE clusters >= 1.20. + [#735](https://github.com/Kong/charts/pull/735) + +## 2.16.0 + +### Improvements + +* Let users specify their own labels and annotations for generated PodSecurityPolicy. + [#721](https://github.com/Kong/charts/pull/721) +* Enable the admission webhook by default. This can reject configuration, but + is not expected to be a meaningfully breaking change. Existing configuration + is not affected, and any new changes that the webhook would reject would also + be rejected by Kong. + [#727](https://github.com/Kong/charts/pull/727) +* Replaced static secret with projected volume in deployment. + [#722](https://github.com/Kong/charts/pull/722) +* Reject invalid log config values. + [#733](https://github.com/Kong/charts/pull/733) +* Update custom resource definitions to latest v2.8.1 from + kong/kubernetes-ingress-controller + [#730](https://github.com/Kong/charts/pull/730) +* Respect setting `.Values.deployment.serviceAccount.automountServiceAccountToken` in + migrations Jobs. This was already the case for the Deployment. + [#729](https://github.com/Kong/charts/pull/729) + +## 2.15.3 + +### Fixed + +* Changed `ingressController.readinessProbe` to use `/readyz` to prevent pods from becoming ready and serving 404s prior to the `ingress-controller` first syncing config to the `proxy` [#716](https://github.com/Kong/charts/pull/716). +* Fixed incorrect `if` block order in volume mount templates. + +## 2.15.2 + +### Fixed + +* Do not attempt to mount DB-less config if none provided by chart. + +## 2.15.1 + +### Fixed + +* Remove unnecessary failure condition from [#695](https://github.com/Kong/charts/pull/695). + +## 2.15.0 + +### Improvements + +* Add the `dblessConfig.secret` key to the values file, allowing the user to + supply a Secret for their dbless config file. + [#695](https://github.com/Kong/charts/pull/695) +* Add support for version `v1beta1` of the Gateway API when generating RBAC rules. +* Add support for version `v1beta1` of the Gateway API when generating RBAC rules. + ([#706](https://github.com/Kong/charts/pull/706)) +* Prevent supplying duplicate plugin inclusion to `KONG_PLUGINS` env variable. + ([#711](https://github.com/Kong/charts/pull/711)) + +### Fixed + +* Removed appProtocol to fix AKS load balancer + ([#705](https://github.com/Kong/charts/pull/705)) +* Fix lookup for CA certificate secret for admission webhook. + ([#704](https://github.com/Kong/charts/pull/704)) + +## 2.14.0 + +Note: KIC 2.8 does include several updates to CRDs, but only for documentation and validation. +You can [upgrade CRDs](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#updates-to-crds), +but doing so is not required. + +### Improvements + +* Default Kong and KIC versions bumped to 3.1 and 2.8. +* UDP proxy (udpProxy) assumes the UDP protocol by default for stream entries (udpProxy.stream). + This can be still overridden to TCP by specifying the protocol explicitly, but it is not recommended to do so. + [#682](https://github.com/Kong/charts/pull/682) +* Supported `autoscaling/v2` API + ([#679](https://github.com/Kong/charts/pull/679)) +* Add support for specifying the minium number of seconds for which newly created pods should be ready without + any of its container crashing, for it to be considered available. (`deployment.minReadySeconds`) + ([#688](https://github.com/Kong/charts/pull/688)) +* Increased the default memory requests and limits for the Kong pod to 2G + ([#690](https://github.com/Kong/charts/pull/690)) +* Add a rule for `KongIngress` to the ValidatingWebhookConfiguration. + ([#702](https://github.com/Kong/charts/pull/702)) + +### Fixed + +* Removed `PodSecurityPolicy` if the API is not supported in k8s cluster + to be compatible to k8s 1.25+. + [#680](https://github.com/Kong/charts/pull/680) + + +## 2.13.1 + +### Improvements + +* Updated default controller version to [KIC 2.7](https://github.com/Kong/kubernetes-ingress-controller/blob/main/CHANGELOG.md#270). + +## 2.13.0 + +### Improvements + +* Added cert-manager issuer support for proxy default and cluster mtls certificates + ([#592](https://github.com/Kong/charts/pull/592)) +* Updated CRDs with the new ordering field for KongPlugins, the new + IngressClassParameters resource, and assorted field description updates. + These [require a manual update](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#updates-to-crds). +* Updated default tags to Kong 3.0 and KIC 2.6. + +## 2.12.0 + +### Improvements + +* Added ClusterRole for cluster-scoped resources when using watchNamespaces. + [#611](https://github.com/Kong/charts/issues/611) +* Added `extraObjects` to create additional k8s resources as part of the helm release. + [#652](https://github.com/Kong/charts/issues/652) + +## 2.11.0 + +### Fixed + +* Fixed Deployment missing if in case of empty tolerations + [#630](https://github.com/Kong/charts/issues/630) +* Use stdout and stderr by default for all logs. Several were writing to prefix + directory files. + [#634](https://github.com/Kong/charts/issues/634) +* Remove `terminationGracePeriodSeconds` from KIC's container spec since this + field is only applicable for pods, not containers. + [#640](https://github.com/Kong/charts/issues/640) + +### Improvements + +* Bump controller version to 2.5. + [#642](https://github.com/Kong/charts/issues/642) +* Added `fullnameOverride` to override the normal resource name string. + [#635](https://github.com/Kong/charts/issues/635) +* Added size limits for emptyDir mounts. + [#632](https://github.com/Kong/charts/issues/632) + +## 2.10.2 + +### Fixed + +* Kuma now also mounts ServiceAccount tokens on releases without a controller + container. + +## 2.10.1 + +### Fixed + +* Updated manual ServiceAccount Secret mount format for compatibility with + Kuma. + +## 2.10.0 + +### Added + +* Added option to disable test job pods. + [#598](https://github.com/Kong/charts/issues/598) +* Changed default admission failure policy from `Fail` to `Ignore`. + [#612](https://github.com/Kong/charts/issues/612) +* ServiceAccount tokens are now only mounted in the controller container to + limit attack surface. + [#619](https://github.com/Kong/charts/issues/619) + +## 2.9.1 + +### Fixed + +* Fixed another unwanted newline chomp that broke GatewayClass + permissions. + +## 2.9.0 + +* Added terminationDelaySeconds for Ingress Controller. + ([597](https://github.com/Kong/charts/pull/597)) +* Made KNative permissions conditional on CRD availability. + +### Fixed + +* Removed KNative permission from the Gateway permissions set. + +## 2.8.2 + +### Fixed + +* Fixed an unwanted newline chomp in fix PR #595. + ([594](https://github.com/Kong/charts/pull/594)) + +## 2.8.1 + +### Fixed + +* Fixed the stream default type, which should have been an empty array, not an + empty map. This had no effect on chart behavior, but resulted in warning + messages when user values.yamls contained non-empty stream configuration. + ([594](https://github.com/Kong/charts/pull/594)) +* Gateway API permissions are no longer created if Gateway API CRDs are not + installed on the cluster. This would block installs by non-super admin users. + ([595](https://github.com/Kong/charts/pull/595)) + +## 2.8.0 + +### Breaking changes + +2.8 requires manual removal of existing IngressClass resources and updates the +Postgres sub-chart version. Further details are available [in the upgrade guide](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#280). + +The chart honors `ingressController.installCRDs: false` again. Remove it from +your values.yaml if it is currently present. Unless your install user [lacks +permissions to read +CRDs](https://github.com/Kong/charts/blob/main/charts/kong/README.md#removing-c +luster-scoped-permissions), which would have prevented you from installing +earlier chart versions, you should omit this setting and let the templates +detect whether you use the legacy CRD installation method automatically. + +### Improvements + +* Added Ingress for cluster sync. + ([583](https://github.com/Kong/charts/pull/583)) +* Added controller support for custom environment variables. + ([568](https://github.com/Kong/charts/pull/568)) +* Ingress `pathType` field is now configurable. + ([564](https://github.com/Kong/charts/pull/564)) +* Added IngressClass resources to RBAC roles. + ([563](https://github.com/Kong/charts/pull/563)) +* Ingresses now support wildcard hostnames. + ([559](https://github.com/Kong/charts/pull/559)) +* Enables the option to add sidecar containers to the migration containers. + ([540](https://github.com/Kong/charts/pull/540)) +* Update the IngressClass controller string to match the value used upstream. + ([557](https://github.com/Kong/charts/pull/557)) +* Added support for user-defined controller volume mounts. + ([560](https://github.com/Kong/charts/pull/560)) +* Added support for autoscaling `behavior`. + ([561](https://github.com/Kong/charts/pull/561)) +* Improved support and documentation for installations that [lack + cluster-scoped permissions](https://github.com/Kong/charts/blob/main/charts/kong/README.md#removing-cluster-scoped-permissions). + ([565](https://github.com/Kong/charts/pull/565)) +* Updated podDisruptionBudget from `policy/v1beta1` to `policy/v1`. + ([574](https://github.com/Kong/charts/pull/574)) +* Updated controller version to 2.3. + +### Fixed + +* Removed CREATE from ValidatingWebhookConfiguration objectSelector for Secrets to align with changes in Kong/kubernetes-ingress-controller. + ([#542](https://github.com/Kong/charts/pull/542)) +* Fixed traffic routing from Istio's envoy proxy to Kong proxy when using Istio's AuthorizationPolicy. + ([#550](https://github.com/Kong/charts/pull/550)) +* Fixed creation of non-default IngressClasses + ([#552](https://github.com/Kong/charts/pull/552)) +* Fixed: wait_for_db no longer tries to instantiate the keyring in Kong Enterprise + ([#556](https://github.com/Kong/charts/pull/556)) + +## 2.7.0 + +2.7.0 includes CRD updates, which [must be applied manually](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#270). + +### Breaking Changes + +* There are upstream changes to the Postgres sub-chart that change many + values.yaml keys. The default `postgresqlUsername` and `postgresqlDatabase` + keys used in this chart's values.yaml are now `auth.username` and + `auth.database`. If you set other Postgres sub-chart values, consult the + [upstream README](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) + and [upgrade guide](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/administration/upgrade/#to-1100) + to see what you need to change. + +### Improvements + +* Added Gateway API resources to RBAC rules. + ([#536](https://github.com/Kong/charts/pull/536)) +* Replaced `sleep 15` in `preStop` command with `--wait=15` argument to `kong quit`. + ([#531](https://github.com/Kong/charts/pull/531)) +* Added support for non `KONG_` prefixed custom environment variables + ([#530](https://github.com/Kong/charts/pull/530)) +* Updated to latest CRDs from upstream. + +## 2.6.5 + +### Fixed + +* Generated IngressClass resources persist across updates properly. + ([#518](https://github.com/Kong/charts/pull/518)) + +## 2.6.4 + +### Improvements + +* Updated default tags to Kong 2.7, Kong Enterprise 2.7.0.0, and Kong Ingress + Controller 2.1. + +### Fixed + +* Corrected a misnamed field in podDisruptionBudget. + ([#519](https://github.com/Kong/charts/pull/519)) + +## 2.6.3 + +### Improvements + +* Increased example resources for the Kong container. + ([#511](https://github.com/Kong/charts/pull/511)) + +### Fixed + +* Corrected an invalid label match condition for the admission webhook. + ([#513](https://github.com/Kong/charts/pull/513)) + +## 2.6.2 + +### Improvements + +* Added `app` and `version` labels to pods. + ([#504](https://github.com/Kong/charts/pull/504)) +* Reworked leftover socket file cleanup to avoid similar problems of the same + class. + ([#508](https://github.com/Kong/charts/pull/508)) + +### Fixed + +* SecurityContext and resources applied to PID cleanup initContainer also. + ([#503](https://github.com/Kong/charts/pull/503)) +* Disabled the admission webhook on Helm Secrets, fixing an issue where it + prevented Helm from updating release metadata. + ([#500](https://github.com/Kong/charts/pull/500)) +* initContainers that use the Kong image use the same imagePullPolicy as the + main Kong container. + ([#501](https://github.com/Kong/charts/pull/501)) +* Applied mesh sidecar annotations to the Pod, not the Deployment. + ([#507](https://github.com/Kong/charts/pull/507)) + +## 2.6.1 + +### Fixed + +* Disabled IngressClass creation on Kubernetes versions that do not support it. +* Added missing resources (Secrets, KongClusterPlugins) to the admission + controller configuration. + ([#492](https://github.com/Kong/charts/pull/492)) + +## 2.6.0 + +**Note:** chart versions 2.3.0 through 2.5.0 contained an incorrect +KongIngress CRD. The `proxy.path` field was missing. Helm will not fix this +automatically on upgrade. You can fix it by running: + +``` +kubectl apply -f https://raw.githubusercontent.com/Kong/charts/main/charts/kong/crds/custom-resource-definitions.yaml +``` + +### Improvements + +* Added an initContainer to clear leftover PID file in the event of a Kong + container crash, allowing the container to restart. + ([#480](https://github.com/Kong/charts/pull/480)) +* Added deployment.hostNetwork to enable host network access. + ([#486](https://github.com/Kong/charts/pull/486)) + +### Fixed + +* NOTES.txt documentation link now uses up-to-date location. +* Ingress availability check tightened to require the Ingress API specifically + in `networking.k8s.io/v1`. + ([#484](https://github.com/Kong/charts/pull/484)) +* Flipped backwards logic for creating an IngressClass when no IngressClass was + present. + ([#485](https://github.com/Kong/charts/pull/485)) +* Removed unnecessary hardcoded controller container argument. + ([#481](https://github.com/Kong/charts/pull/481)) +* Restored missing `proxy.path` field to KongIngress CRD. + +## 2.5.0 + +### Improvements + +* Default Kong proxy version updated to 2.6. + +### Fixed + +* Properly disable KongClusterPlugin when watchNamespaces is set. + ([#475](https://github.com/Kong/charts/pull/475)) + +## 2.4.0 + +### Breaking Changes + +* KIC now defaults to version 2.0. If you use a database, you must first + perform a temporary intermediate upgrade to disable KIC before upgrading it + to 2.0 and re-enabling it. See the [upgrade guide](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#disable-ingress-controller-prior-to-2x-upgrade-when-using-postgresql) + for detailed instructions. +* ServiceAccount are now always created by default unless explicitly disabled. + ServiceAccount customization has [moved under the `deployment` section of + configuration](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#changed-serviceaccount-configuration-location) + to reflect this. This accomodates configurations that need a ServiceAccount + but that do not use the ingress controller. + ([#455](https://github.com/Kong/charts/pull/455)) + +### Improvements + +* Migration jobs support a configurable backoffLimit. + ([#442](https://github.com/Kong/charts/pull/442)) +* Generated Ingresses now use `networking.k8s.io/v1` when available. + ([#446](https://github.com/Kong/charts/pull/446)) + +### Fixed + +* 5-digit UDP ports now work properly. + ([#443](https://github.com/Kong/charts/pull/443)) +* Fixed port name used for NLB annotation example. + ([#458](https://github.com/Kong/charts/pull/458)) +* Fixed a compatibility issue with Helm's `--set-file` feature and + user-provided DB-less configuration ConfigMaps. + ([#465](https://github.com/Kong/charts/pull/465)) + +## 2.3.0 + +### Breaking Changes + +* Upgraded CRDs to V1 from the previous deprecated v1beta1. + [#391](https://github.com/kong/charts/issues/391) + ACTION REQUIRED: This is a breaking change as it makes + this chart incompatible with Kubernetes clusters older + than v1.16.x. Upgrade your cluster to a version greater + than or equal to v1.16 before installing. + Note that technically it will remain possible to deploy + on older clusters by managing the CRDs manually ahead of + time (e.g. intentionally deploying the legacy CRDs) but + these configurations will be considered unsupported. + [upgrade](https://kubernetes.io/docs/tasks/administer-cluster/cluster-upgrade/) + ACTION REQUIRED: For existing deployments Helm avoids managing + CRDs so when upgrading from a previous release you will need + to apply the new V1 versions of the CRDs (in `crds/`) manually. + [hip-0011](https://github.com/helm/community/blob/main/hips/hip-0011.md) + ([#415](https://github.com/Kong/charts/pull/415)) +* Added support for controller metrics to the Prometheus resources. This + requires KIC 2.x. The chart automatically detects if your controller image is + compatible, but only if your tag is semver-compliant. If you are using an + image without a semver-compliant tag (such as `next`) you _must_ set the + `ingressController.image.effectiveSemver` value to a semver string + appropriate for your image (for example, if your image is 2.0.0-based, you + would set it to `2.0.0`. + ([#430](https://github.com/Kong/charts/pull/430)) + +### Improvements + +* Updated default Kong versions to 2.5 (OSS) and 2.5.0.0 (Enterprise). +* Added user-configured initContainer support to Jobs. + ([#408](https://github.com/Kong/charts/pull/408)) +* Upgraded RBAC resources to v1 from v1beta1 for compatibility with Kubernetes + 1.22 and newer. This breaks compatibility with Kubernetes 1.7 and older, but + these Kubernetes versions were never supported, so this change is not + breaking. Added additional permissions to support KIC 2.x. + ([#420](https://github.com/Kong/charts/pull/420)) + ([#419](https://github.com/Kong/charts/pull/419)) +* Added `ingressController.watchNamespaces[]` to values.yaml. When set, the + controller will only watch the listed namespaces (instead of all namespaces, + the default), and will create Roles for each namespace (instead of a + ClusterRole). This feature requires KIC 2.x. + ([#420](https://github.com/Kong/charts/pull/420)) +* Added support for [dnsPolicy and + dnsConfig](https://kubernetes.io/docs/tasks/administer-cluster/nodelocaldns/). + ([#425](https://github.com/Kong/charts/pull/425)) +* Use migration commands directly in upgrade/install Jobs instead of invoking + them via a shell. This adds support for some additional features in Kong + images that only apply when the container command starts with `kong`. + ([#429](https://github.com/Kong/charts/pull/429)) + +### Fixed +* Fixed an incorrect template for DaemonSet releases. + ([#426](https://github.com/Kong/charts/pull/426)) + +## 2.2.0 + +### Breaking changes + +* Removed default `maxUnavailable` setting for pod disruption budget + configuration. This is necessary to allow usage of the `minUnavailable` + setting, but means that there is no longer any default availability + constraint. If you set `podDisruptionBudget.enabled=true` in your values and + did not previously set any `podDisruptionBudget.maxUnavailable` value, you + must add `podDisruptionBudget.maxUnavailable="50%"` to your values. + +### Improvements + +* Added host alias injection to override DNS and/or add DNS entries not + available from the DNS resolver. + ([#366](https://github.com/Kong/charts/pull/366)) +* Added support for custom labels. + ([#370](https://github.com/Kong/charts/pull/370)) +* Only add paths to Ingresses if configured, for OpenShift 4.x compatibility. + ([#375](https://github.com/Kong/charts/pull/375)) +* Kong containers no longer the image ENTRYPOINT. This allows the stock image + bootstrap scripts to run normally. + ([#377](https://github.com/Kong/charts/pull/377)) +* Added security context settings for containers. + ([#387](https://github.com/Kong/charts/pull/387)) +* Bumped Kong and controller image defaults to the latest versions. + ([#378](https://github.com/Kong/charts/pull/378)) +* Added support for user-provided admission webhook certificates. + ([#385](https://github.com/Kong/charts/pull/385)) +* Disable service account tokens when it is unnecessary. + ([#389](https://github.com/Kong/charts/pull/389)) + +### Fixed + +* Admission webhook port is now listed under the controller container, where + the admission webhook runs. + ([#384](https://github.com/Kong/charts/pull/384)) + +### Documentation + +* Removed a duplicate key from example values. + ([#360](https://github.com/Kong/charts/pull/360)) +* Clarified Enterprise free mode usage. + ([#362](https://github.com/Kong/charts/pull/362)) +* Expand EKS Service annotation examples for proxy. + ([#376](https://github.com/Kong/charts/pull/375)) + +## 2.1.0 + +### Improvements + +* Added support for user-defined volumes, volume mounts, and init containers. + ([#317](https://github.com/Kong/charts/pull/317)) +* Tolerations are now applied to migration Job Pods also. + ([#341](https://github.com/Kong/charts/pull/341)) +* Added support for using a DaemonSet instead of Deployment. + ([#347](https://github.com/Kong/charts/pull/347)) +* Updated default image versions and completed migration off Bintray + repositories. + ([#349](https://github.com/Kong/charts/pull/349)) +* PDB ignores migration Job Pods. + ([#352](https://github.com/Kong/charts/pull/352)) + +### Documentation + +* Clarified service monitor usage information. + ([#345](https://github.com/Kong/charts/pull/345)) + +## 2.0.0 + +### Breaking changes + +* Helm 2 is no longer supported. You **must** [migrate your Kong chart releases + to Helm 3](https://helm.sh/docs/topics/v2_v3_migration/) before updating to + this release. +* Deprecated [Portal auth settings](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#removal-of-dedicated-portal-authentication-configuration-parameters) + are no longer supported. +* The deprecated [`runMigrations` setting](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#changes-to-migration-job-configuration) + is no longer supported. +* Deprecated [admin API Service configuration](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#changes-to-kong-service-configuration) + is no longer supported. +* Deprecated [multi-host proxy configuration](https://github.com/Kong/charts/blob/kong-1.15.0/charts/kong/UPGRADE.md#removal-of-multi-host-proxy-ingress) + is no longer supported. + +`helm upgrade` with the previous version (1.15.0) will print a warning message +if you still use any of the removed values.yaml configuration. If you do not +see any warnings after the upgrade completes, you are already using the modern +equivalents of these settings and can proceed with upgrading to 2.0.0-rc1. + +### Improvements + +* Admission webhook certificates persist after their initial creation. This + prevents an unnecessary restart of Kong Pods on upgrades that do not actually + modify the deployment. + ([#256](https://github.com/Kong/charts/pull/256)) +* `ingressController.installCRDs` now defaults to `false`, simplifying + installation on Helm 3. Installs now default to using Helm 3's CRD management + system, and do not require changes to values or install flags to install + successfully. + ([#305](https://github.com/Kong/charts/pull/305)) +* Added support for Pod `topologySpreadConstraints`. + ([#308](https://github.com/Kong/charts/pull/308)) +* Kong Ingress Controller image now pulled from Docker Hub (due to Bintray being + discontinued). Changed the default Docker image repository for the ingress + controller. + +### Fixed + +* Generated admission webhook certificates now include SANs for compatibility + with Go 1.15 controller builds. + ([#312](https://github.com/Kong/charts/pull/312)). + +### Documentation + +* Clarified use of `terminationGracePeriodSeconds`. + ([#302](https://github.com/Kong/charts/pull/302)) + +## 1.15.0 + +1.15.0 is an interim release before the planned release of 2.0.0. There were +several feature changes we wanted to release prior to the removal of deprecated +functionality for 2.0. The original planned deprecations covered in the [1.14.0 +changelog](#1140) are still planned for 2.0.0. + +### Improvements + +* The default Kong version is now 2.3 and the default Kong Enterprise version + is now 2.3.2.0. +* Added configurable `terminationGracePeriodSeconds` for the pre-stop lifecycle + hook. + ([#271](https://github.com/Kong/charts/pull/271)). +* Initial migration database wait init containers no longer have a default + image configuration in values.yaml. When no image is specified, the chart + will use the Kong image. The standard Kong images include bash, and can run + the database wait script without downloading a separate image. Configuring a + wait image is now only necessary if you use a custom Kong image that lacks + bash. + ([#285](https://github.com/Kong/charts/pull/285)). +* Init containers for database availability and migration completeness can now + be disabled. They cause compatibility issues with many service meshes. + ([#285](https://github.com/Kong/charts/pull/285)). +* Removed the default migration Job annotation that disabled Kuma's mesh proxy. + The latest version of Kuma no longer prevents Jobs from completing. + ([#285](https://github.com/Kong/charts/pull/285)). +* Services now support user-configurable labels, and the Prometheus + ServiceMonitor label is included on the proxy Service by default. Users that + disable the proxy Service and add this label to another Service to collect + metrics. + ([#290](https://github.com/Kong/charts/pull/290)). +* Migration Jobs now allow resource quota configuration. Init containers + inherit their resource quotas from their associated Kong container. + ([#294](https://github.com/Kong/charts/pull/294)). + +### Fixed + +* The database readiness wait script ConfigMap and associated mounts are no + longer created if that feature is not in use. + ([#285](https://github.com/Kong/charts/pull/285)). +* Removed a duplicated field from CRDs. + ([#281](https://github.com/Kong/charts/pull/281)). + +## 1.14.5 + +### Fixed + +* Removed `http2` from default status listen TLS parameters. It only supports a + limited subset of the extra listen parameters, and does not allow `http2`. + +## 1.14.4 + +### Fixed + +* Status listens now include parameters in the default values.yaml. The absence + of these defaults caused a template rendering error when the TLS listen was + enabled. + +### Documentation + +* Updated status listen comments to reflect TLS listen availability on Kong + 2.1+. + +## 1.14.3 + +### Fixed + +* Fix issues with legacy proxy Ingress object template. + +## 1.14.2 + +### Fixed + +* Corrected invalid default value for `enterprise.smtp.smtp_auth`. + +## 1.14.1 + +### Fixed + +* Moved several Kong container settings into the appropriate template block. + Previously these were rendered whether or not the Kong container was enabled, + which unintentionally applied them to the controller container. + +## 1.14.0 + +### Breaking changes + +1.14 is the last planned 1.x version of the Kong chart. 2.x will remove support +for Helm 2.x and all deprecated configuration. The chart prints a warning when +upgrading or installing if it detects any configuration still using an old +format. + +* All Ingress and Service resources now use the same template. This ensures + that all chart Ingresses and Services support the same configuration. The + proxy previously used a unique Ingress configuration, which is now + deprecated. If you use the proxy Ingress, [see the instructions in + UPGRADE.md](https://github.com/Kong/charts/blob/kong-1.14.0/charts/kong/UPGRADE.md#removal-of-multi-host-proxy-ingress) + to update your configuration. No changes are required for other Service and + Ingress configurations. + ([#251](https://github.com/Kong/charts/pull/251)). +* The chart now uses the standard Kong status endpoint instead of custom + configuration, allowing users to specify their own custom configuration. The + status endpoint is no available in versions older than Kong 1.4.0 or Kong + Enterprise 1.5.0; if you use an older version, you will need to [add and load + the old custom configuration](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#default-custom-server-block-replaced-with-status-listen). + + If you use a newer version and include Kong container readinessProbe and/or + livenessProbe configuration in your values.yaml, you must change the port + from `metrics` to `status`. + ([#255](https://github.com/Kong/charts/pull/255)). + +### Fixed + +* Correct an issue with migrations Job toggles. + ([#231](https://github.com/Kong/charts/pull/231)) + +## 1.13.0 + +### Improvements + +* Updated default Kong Enterprise version to 2.2.1.0-alpine. +* Updated default Kong Ingress Controller version to 1.1. +* Add `namespace` to values.yaml to override release namespace if desired. + ([#231](https://github.com/Kong/charts/pull/231)) + +### Fixed + +* Migration Jobs now use the same nodeSelector configuration as the main Kong + Deployment. + ([#238](https://github.com/Kong/charts/pull/238)) +* Disabled custom Kong template mount if Kong is not enabled. + ([#240](https://github.com/Kong/charts/pull/240)) +* Changed YAML string to a YAML boolean. + ([#240](https://github.com/Kong/charts/pull/240)) + +### Documentation + +* Clarify requirements for using horizontal pod autoscalers. + ([#236](https://github.com/Kong/charts/pull/236)) + +## 1.12.0 + +### Improvements + +* Increased default worker count to 2 to avoid issues with latency during + blocking tasks, such as DB-less config updates. This change increases memory + usage, but the increase should not be a concern for any but the smallest + deployments (deployments with memory limits below 512MB). +* Updated default Kong version to 2.2. + ([#221](https://github.com/Kong/charts/pull/221)) +* Updated default Kong Enterprise version to 2.1.4.1. +* Added a means to mount extra ConfigMap and Secret resources. + ([#208](https://github.com/Kong/charts/pull/208)) +* Added configurable annotations for migration Jobs. + ([#219](https://github.com/Kong/charts/pull/219)) +* Added template for deprecation warnings to automate formatting and avoid + excess newlines. + +### Fixed + +* Upgrades no longer force auto-scaling Deployments back to the replica count. + ([#222](https://github.com/Kong/charts/pull/222)) + +## 1.11.0 + +### Breaking changes + +* Kong Ingress Controller 1.0 removes support for several deprecated flags and + the KongCredential custom resource. Please see the [controller changelog](https://github.com/Kong/kubernetes-ingress-controller/blob/main/CHANGELOG.md#breaking-changes) + for details. Note that Helm 3 will not remove the KongCredential CRD by + default: you should delete it manually after converting KongCredentials to + [credential Secrets](https://github.com/Kong/kubernetes-ingress-controller/blob/next/docs/guides/using-consumer-credential-resource.md#provision-a-consumer). + If you manage CRDs using Helm (check to see if your KongCredential CRD has a + `app.kubernetes.io/managed-by: Helm` label), perform the credential Secret + conversion **before** upgrading to chart 1.11.0 to avoid losing credential + configuration. +* The chart no longer uses the `extensions` API for PodSecurityPolicy, and now + uses the modern `policy` API. This breaks compatibility with Kubernetes + versions 1.11 and older. + ([#195](https://github.com/Kong/charts/pull/195)) + +### Improvements + +* Updated default controller version to 1.0. +* The chart now adds namespace information to manifests explicitly. This + simplifies workflows that use `helm template`. + ([#193](https://github.com/Kong/charts/pull/193)) + +### Fixed +* Changes to annotation block generation prevent incorrect YAML indentation + when specifying annotations via command line arguments to Helm commands. + ([#200](https://github.com/Kong/charts/pull/200)) + +## 1.10.0 + +### Breaking changes + +* Kong Ingress Controller 0.10.0 comes with breaking changes to global + `KongPlugin`s and to resources without an ingress class defined. Refer to the + [`UPGRADE.md notes for chart 1.10.0`](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#1100) + for details. + +### Improvements + +* Updated default controller version to 0.10.0. + +### Fixed + +* Removed the `status` field from the `TCPIngress` CRD. + ([#188](https://github.com/Kong/charts/pull/188)) + +## 1.9.1 + +### Documentation + +* Clarified documentation for [breaking changes in 1.9.0](#190) to indicate + that any values.yaml that sets `waitImage.repository` requires changes, + including those that set the old default. +* Updated Enterprise examples to use latest Enterprise image version. + +## 1.9.0 + +### Breaking changes + +1.9.0 now uses a bash-based pre-migration database availability check. If you +set `waitImage.repository` in values.yaml, either to the previous default +(`busybox`) or to a custom image, you must change it to an image that includes +a `bash` executable. + +Once you have `waitImage.repository` set to an image with bash, [perform an +initial chart version upgrade with migrations disabled](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#changes-to-wait-for-postgres-image) +before re-enabling migrations, updating your Kong image version, and performing +a second release upgrade. + +### Improvements + +* Added support for sidecar injection. + ([#174](https://github.com/Kong/charts/pull/174)) +* Changed to a bash-based pre-migration database availability check. + ([#179](https://github.com/Kong/charts/pull/179)) +* Changed to a bash-based pre-migration database availability check. + ([#179](https://github.com/Kong/charts/pull/179)) +* Updated default Kong Enterprise version to 2.1.3.0. + +### Fixed + +* Added missing cluster telemetry service and fixed missing cluster service + port. + ([#185](https://github.com/Kong/charts/pull/185)) + +### Documentation + +* Added an example Enterprise controller-managed DB-less values.yaml. + ([#175](https://github.com/Kong/charts/pull/175)) + +## 1.8.0 + +**Kong Enterprise users:** please review documentation for the [Kong Enterprise +2.1.x beta +release](https://docs.konghq.com/enterprise/2.1.x/release-notes/#coming-soon) +and [hybrid mode on Kong +Enterprise](https://docs.konghq.com/enterprise/2.1.x/deployment/hybrid-mode/#kubernetes-support) +as well. Version 1.8 of the Kong Helm chart adds support for hybrid mode, which +is currently only available in the 2.1.x beta. Production systems should +continue to use the Kong Enterprise 1.5.x stable releases, which do not support +hybrid mode. + +### Improvements + +* Update default Kong version to 2.1. +* Update Kong Enterprise images to 1.5.0.4 (kong-enterprise-edition) and + 2.0.4.2 (kong-enterprise-k8s). +* Updated default controller version to 0.9.1. + ([#150](https://github.com/Kong/charts/pull/150)) +* Added support for ServiceMonitor targetLabels (for use with the Prometheus + Operator). + ([#162](https://github.com/Kong/charts/pull/162)) +* Automatically handle the [new port_maps + setting](https://github.com/Kong/kong/pull/5861) for the proxy service. + ([#169](https://github.com/Kong/charts/pull/169)) +* Add support for [hybrid mode + deployments](https://docs.konghq.com/latest/hybrid-mode/). + ([#160](https://github.com/Kong/charts/pull/160)) + + +### Fixed + +* Fixed an issue with improperly-rendered listen strings. + ([#155](https://github.com/Kong/charts/pull/155)) + +### Documentation + +* Improved inline documentation of `env` in values.yaml. + ([#163](https://github.com/Kong/charts/pull/163)) + +## 1.7.0 + +### Improvements + +* Added support for + [CRD-only](https://github.com/Kong/charts/blob/1.7.0/charts/kong/README.md#crds-only) + and [controller-only releases](https://github.com/Kong/charts/blob/next/charts/kong/README.md#standalone-controller-nodes). + ([#136](https://github.com/Kong/charts/pull/136)) + +### Documentation + +* Added a set of [example + values.yamls](https://github.com/Kong/charts/tree/main/charts/kong/example-values) + for various configurations of Kong and Kong Enterprise. + ([#134](https://github.com/Kong/charts/pull/134)) + +## 1.6.1 + +This release contains no changes other than the version. This is to address an +issue with our release automation. + +## 1.6.0 + +### Improvements + +* Updated default controller version to 0.9.0. + ([#132](https://github.com/Kong/charts/pull/132)) +* Updated default Enterprise versions to 2.0.4.1 and 1.5.0.2. + ([#130](https://github.com/Kong/charts/pull/130)) +* Added ability to override chart lifecycle. + ([#116](https://github.com/Kong/charts/pull/116)) +* Added ability to apply user-defined labels to pods. + ([#121](https://github.com/Kong/charts/pull/121)) +* Filtered serviceMonitor to disable metrics collection from non-proxy + services. + ([#112](https://github.com/Kong/charts/pull/112)) +* Set admin API to listen on localhost only if possible. + ([#125](https://github.com/Kong/charts/pull/125)) +* Add `auth_type` and `ssl` settings to `smtp` block. + ([#127](https://github.com/Kong/charts/pull/127)) +* Remove UID from default securityContext. + ([#138](https://github.com/Kong/charts/pull/138)) + +### Documentation + +* Corrected invalid default serviceMonitor.interval value. + ([#110](https://github.com/Kong/charts/pull/110)) +* Removed duplicate `installCRDs` documentation. + ([#115](https://github.com/Kong/charts/pull/115)) +* Simplified example license Secret creation command. + ([#131](https://github.com/Kong/charts/pull/131)) + +## 1.5.0 + +### Improvements + +* Added support for annotating the ServiceAccount. + ([#97](https://github.com/Kong/charts/pull/97)) +* Updated controller templates to use environment variables for default + configuration. + ([#99](https://github.com/Kong/charts/pull/99)) +* Added support for stream listens. + ([#103](https://github.com/Kong/charts/pull/103)) +* Moved migration configuration under a `migrations` block with support for + enabling upgrade jobs independently and adding annotations. + ([#102](https://github.com/Kong/charts/pull/102)) +* Added support for the [status listen](https://github.com/Kong/kong/pull/4977). + ([#107](https://github.com/Kong/charts/pull/107)) +* :warning: Exposed PodSecurityPolicy spec in values.yaml and added default + configuration to enforce a read-only root filesystem. **Kong Enterprise + versions prior to 1.5.0 require the root filesystem be read-write. If you use + an older version and enforce PodSecurityPolicy, you must set + `.Values.podSecurityPolicy.spec.readOnlyRootFilesystem: false`.** + ([#104](https://github.com/Kong/charts/pull/104)) + +### Fixed + +* Fixed old init-migrations jobs blocking upgrades. + ([#102](https://github.com/Kong/charts/pull/102)) + +### Documentation + +* Fixed discrepancy between image version in values.yaml and README.md. + ([#96](https://github.com/Kong/charts/pull/96)) +* Added example Enterprise image tags to values.yaml. + ([#100](https://github.com/Kong/charts/pull/100)) +* Added deprecation warnings in CHANGELOG.md. + ([#91](https://github.com/Kong/charts/pull/91)) +* Improved RBAC documentation to clarify process and use new controller + functionality. + ([#95](https://github.com/Kong/charts/pull/95)) +* Added documentation for managing multi-release clusters with varied node + roles (e.g. admin-only, Portal-only, etc.). + ([#102](https://github.com/Kong/charts/pull/102)) + +## 1.4.1 + +### Documentation + +* Fixed an issue with the 1.4.1 upgrade steps. + +## 1.4.0 + +### Improvements + +* :warning: Service and listen configuration now use a unified configuration + format. **The previous configuration format for the admin API service is + deprecated and will be removed in a future release.** Listen configuration + now supports specifying parameters. Kubernetes service creation can now be + enabled or disabled for all Kong services. Users should review the + [1.4.0 upgrade guide](https://github.com/Kong/charts/blob/next/charts/kong/UPGRADE.md#changes-to-kong-service-configuration) + for details on how to update their values.yaml. + ([#72](https://github.com/Kong/charts/pull/72)) +* Updated the default controller version to 0.8. This adds new + KongClusterPlugin and TCPIngress CRDs and RBAC permissions for them. Users + should also note that `strip_path` now defaults to disabled, which will + likely break existing configuration. See [the controller + changelog](https://github.com/Kong/kubernetes-ingress-controller/blob/main/CHANGELOG.md#080---20200325) + and [upgrade-guide](https://github.com/Kong/charts/blob/next/charts/kong/UPGRADE.md#strip_path-now-defaults-to-false-for-controller-managed-routes) + for full details. + ([#77](https://github.com/Kong/charts/pull/77)) +* Added support for user-supplied ingress controller CLI arguments. + ([#79](https://github.com/Kong/charts/pull/79)) +* Added support for annotating the chart's deployment. + ([#81](https://github.com/Kong/charts/pull/81)) +* Switched to the Bitnami Postgres chart, as the chart in Helm's repository has + [moved + there](https://github.com/helm/charts/tree/master/stable/postgresql#this-helm-chart-is-deprecated). + ([#82](https://github.com/Kong/charts/pull/82)) + +### Fixed + +* Corrected the app version in Chart.yaml. + ([#86](https://github.com/Kong/charts/pull/86)) + +### Documentation + +* Fixed incorrect default value for `installCRDs`. + ([#78](https://github.com/Kong/charts/pull/78)) +* Added detailed upgrade guide covering breaking changes and deprecations. + ([#74](https://github.com/Kong/charts/pull/74)) +* Improved installation steps for Helm 2 and Helm 3. + ([#83](https://github.com/Kong/charts/pull/83)) + ([#84](https://github.com/Kong/charts/pull/84)) +* Remove outdated `ingressController.replicaCount` setting. + ([#87](https://github.com/Kong/charts/pull/87)) + +## 1.3.1 + +### Fixed + +* Added missing newline to NOTES.txt template. + ([#66](https://github.com/Kong/charts/pull/66)) + +### Documentation + +* Instruct users to create secrets for both the kong-enterprise-k8s and + kong-enterprise-edition Docker registries. + ([#65](https://github.com/Kong/charts/pull/65)) +* Updated maintainer information. + +## 1.3.0 + +### Improvements + +* Custom plugin mounts now support subdirectories. These are necessary for + plugins that include their own migrations. Note that Kong versions prior to + 2.0.1 [have a bug](https://github.com/Kong/kong/pull/5509) that prevents them + from running these migrations. ([#24](https://github.com/Kong/charts/pull/24)) +* LoadBalancer services will now respect their NodePort. + ([#48](https://github.com/Kong/charts/pull/41)) +* The proxy TLS listen now enables HTTP/2 (and, by extension, gRPC). + ([#47](https://github.com/Kong/charts/pull/47)) +* Added support for `priorityClassName` to the Kong deployment. + ([#56](https://github.com/Kong/charts/pull/56)) +* Bumped default Kong version to 2.0 and controller version to 0.7.1. + ([#60](https://github.com/Kong/charts/pull/60)) +* :warning: Removed dedicated Portal auth settings, which are unnecessary in + modern versions. **The `enterprise.portal.portal_auth` and + `enterprise.portal.session_conf_secret` settings in values.yaml are + deprecated and will be removed in a future release.** See the [upgrade + guide](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md#removal-of-dedicated-portal-authentication-configuration-parameters) + for instructions on migrating them to environment variables. + ([#55](https://github.com/Kong/charts/pull/55)) + +### Fixed + +* Fixed typo in HorizontalPodAutoscaler template. + ([#45](https://github.com/Kong/charts/pull/45)) + +### Documentation + +* Added contributing guidelines. ([#41](https://github.com/Kong/charts/pull/41)) +* Added README section for Helm 2 versus Helm 3 considerations. + ([#34](https://github.com/Kong/charts/pull/41)) +* Added documentation for `proxy.annotations` to README.md. + ([#57](https://github.com/Kong/charts/pull/57)) +* Added FAQ entry for init-migrations job conflicts on upgrades. + ([#59](https://github.com/Kong/charts/pull/59) +* Move changelog out of README.md into CHANGELOG.md. + ([#60](https://github.com/Kong/charts/pull/60) +* Improved formatting for 1.2.0 changelog. + +## 1.2.0 + +### Improvements +* Added support for HorizontalPodAutoscaler. + ([#12](https://github.com/Kong/charts/pull/12)) +* Environment variables are now consistently sorted alphabetically. + ([#29](https://github.com/Kong/charts/pull/29)) + +### Fixed +* Removed temporary ServiceAccount template, which caused upgrades to break the + existing ServiceAccount's credentials. Moved template and instructions for + use to FAQs, as the temporary user is only needed in rare scenarios. + ([#31](https://github.com/Kong/charts/pull/31)) +* Fix an issue where the wait-for-postgres job did not know which port to use + in some scenarios. ([#28](https://github.com/Kong/charts/pull/28)) + +### Documentation +* Added warning regarding volume mounts. + ([#25](https://github.com/Kong/charts/pull/25)) + +## 1.1.1 + +### Fixed + +* Add missing `smtp_admin_emails` and `smtp_mock = off` to SMTP enabled block in + `kong.env`. + +### CI changes + +* Remove version bump requirement in preparation for new release model. + +## 1.1.0 + +> https://github.com/Kong/charts/pull/4 + +### Improvements + +* Significantly refactor the `env`/EnvVar templating system to determine the + complete set of environment variables (both user-defined variables and + variables generated from other sections of values.yaml) and resolve conflicts + before rendering. User-provided values are now guaranteed to take precedence + over generated values. Previously, precedence relied on a Kubernetes + implementation quirk that was not consistent across all Kubernetes providers. +* Combine templates for license, session configuration, etc. that generate + `secretKeyRef` values into a single generic template. + +## 1.0.3 + +- Fix invalid namespace for pre-migrations and Role. +- Fix whitespaces formatting in README. + +## 1.0.2 + +- Helm 3 support: CRDs are declared in crds directory. Backward compatible support for helm 2. + +## 1.0.1 + +Fixed invalid namespace variable name causing ServiceAccount and Role to be generated in other namespace than desired. + +## 1.0.0 + +There are not code changes between `1.0.0` and `0.36.5`. +From this version onwards, charts are hosted at https://charts.konghq.com. + +The `0.x` versions of the chart are available in Helm's +[Charts](https://github.com/helm/charts) repository are are now considered +deprecated. + +## 0.36.5 + +> PR https://github.com/helm/charts/pull/20099 + +### Improvements + +- Allow `grpc` protocol for KongPlugins + +## 0.36.4 + +> PR https://github.com/helm/charts/pull/20051 + +### Fixed + +- Issue: [`Ingress Controller errors when chart is redeployed with Admission + Webhook enabled`](https://github.com/helm/charts/issues/20050) + +## 0.36.3 + +> PR https://github.com/helm/charts/pull/19992 + +### Fixed + +- Fix spacing in ServiceMonitor when label is specified in config + +## 0.36.2 + +> PR https://github.com/helm/charts/pull/19955 + +### Fixed + +- Set `sideEffects` and `admissionReviewVersions` for Admission Webhook +- timeouts for liveness and readiness probes has been changed from `1s` to `5s` + +## 0.36.1 + +> PR https://github.com/helm/charts/pull/19946 + +### Fixed + +- Added missing watch permission to custom resources + +## 0.36.0 + +> PR https://github.com/helm/charts/pull/19916 + +### Upgrade Instructions + +- When upgrading from <0.35.0, in-place chart upgrades will fail. + It is necessary to delete the helm release with `helm del --purge $RELEASE` and redeploy from scratch. + Note that this will cause downtime for the kong proxy. + +### Improvements + +- Fixed Deployment's label selector that prevented in-place chart upgrades. + +## 0.35.1 + +> PR https://github.com/helm/charts/pull/19914 + +### Improvements + +- Update CRDs to Ingress Controller 0.7 +- Optimize readiness and liveness probes for more responsive health checks +- Fixed incorrect space in NOTES.txt + +## 0.35.0 + +> PR [#19856](https://github.com/helm/charts/pull/19856) + +### Improvements + +- Labels on all resources have been updated to adhere to the Helm Chart + guideline here: + https://v2.helm.sh/docs/developing_charts/#syncing-your-chart-repository + +## 0.34.2 + +> PR [#19854](https://github.com/helm/charts/pull/19854) + +This release contains no user-visible changes + +### Under the hood + + - Various tests have been consolidated to speed up CI. + +## 0.34.1 + +> PR [#19887](https://github.com/helm/charts/pull/19887) + +### Fixed + +- Correct indentation for Job securityContexts. + +## 0.34.0 + +> PR [#19885](https://github.com/helm/charts/pull/19885) + +### New features + +- Update default version of Ingress Controller to 0.7.0 + +## 0.33.1 + +> PR [#19852](https://github.com/helm/charts/pull/19852) + +### Fixed + +- Correct an issue with white space handling within `final_env` helper. + +## 0.33.0 + +> PR [#19840](https://github.com/helm/charts/pull/19840) + +### Dependencies + +- Postgres sub-chart has been bumped up to 8.1.2 + +### Fixed + +- Removed podDisruption budge for Ingress Controller. Ingress Controller and + Kong run in the same pod so this was no longer applicable +- Migration job now receives the same environment variable and configuration + as that of the Kong pod. +- If Kong is configured to run with Postgres, the Kong pods now always wait + for Postgres to start. Previously this was done only when the sub-chart + Postgres was deployed. +- A hard-coded container name is used for kong: `proxy`. Previously this + was auto-generated by Helm. This deterministic naming allows for simpler + scripts and documentation. + +### Under the hood + +Following changes have no end user visible effects: + +- All Custom Resource Definitions have been consolidated into a single + template file +- All RBAC resources have been consolidated into a single template file +- `wait-for-postgres` container has been refactored and de-duplicated + +## 0.32.1 + +### Improvements + +- This is a doc only release. No code changes have been done. +- Post installation steps have been simplified and now point to a getting + started page +- Misc updates to README: + - Document missing variables + - Remove outdated variables + - Revamp and rewrite major portions of the README + - Added a table of content to make the content navigable + +## 0.32.0 + +### Improvements + +- Create and mount emptyDir volumes for `/tmp` and `/kong_prefix` to allow + for read-only root filesystem securityContexts and PodSecurityPolicys. +- Use read-only mounts for custom plugin volumes. +- Update stock PodSecurityPolicy to allow emptyDir access. +- Override the standard `/usr/local/kong` prefix to the mounted emptyDir + at `/kong_prefix` in `.Values.env`. +- Add securityContext injection points to template. By default, + it sets Kong pods to run with UID 1000. + +### Fixes + +- Correct behavior for the Vitals toggle. + Vitals defaults to on in all current Kong Enterprise releases, and + the existing template only created the Vitals environment variable + if `.Values.enterprise.enabled == true`. Inverted template to create + it (and set it to "off") if that setting is instead disabled. +- Correct an issue where custom plugin configurations would block Kong + from starting. + +## 0.31.0 + +### Breaking changes + +- Admin Service is disabled by default (`admin.enabled`) +- Default for `proxy.type` has been changed to `LoadBalancer` + +### New features + +- Update default version of Kong to 1.4 +- Update default version of Ingress Controller to 0.6.2 +- Add support to disable kong-admin service via `admin.enabled` flag. + +## 0.31.2 + +### Fixes + +- Do not remove white space between documents when rendering + `migrations-pre-upgrade.yaml` + +## 0.30.1 + +### New Features + +- Add support for specifying Proxy service ClusterIP + +## 0.30.0 + +### Breaking changes + +- `admin_gui_auth_conf_secret` is now required for Kong Manager + authentication methods other than `basic-auth`. + Users defining values for `admin_gui_auth_conf` should migrate them to + an externally-defined secret with a key of `admin_gui_auth_conf` and + reference the secret name in `admin_gui_auth_conf_secret`. + +## 0.29.0 + +### New Features + +- Add support for specifying Ingress Controller environment variables. + +## 0.28.0 + +### New Features + +- Added support for the Validating Admission Webhook with the Ingress Controller. + +## 0.27.2 + +### Fixes + +- Do not create a ServiceAccount if it is not necessary. +- If a configuration change requires creating a ServiceAccount, + create a temporary ServiceAccount to allow pre-upgrade tasks to + complete before the regular ServiceAccount is created. + +## 0.27.1 + +### Documentation updates +- Retroactive changelog update for 0.24 breaking changes. + +## 0.27.0 + +### Breaking changes + +- DB-less mode is enabled by default. +- Kong is installed as an Ingress Controller for the cluster by default. + +## 0.25.0 + +### New features + +- Add support for PodSecurityPolicy +- Require creation of a ServiceAccount + +## 0.24.0 + +### Breaking changes + +- The configuration format for ingresses in values.yaml has changed. +Previously, all ingresses accepted an array of hostnames, and would create +ingress rules for each. Ingress configuration for services other than the proxy +now accepts a single hostname, which allows simpler TLS configuration and +automatic population of `admin_api_uri` and similar settings. Configuration for +the proxy ingress is unchanged, but its documentation now accurately reflects +the TLS configuration needed. diff --git a/charts/kong/kong/2.41.0/Chart.lock b/charts/kong/kong/2.41.0/Chart.lock new file mode 100644 index 000000000..88cd736b9 --- /dev/null +++ b/charts/kong/kong/2.41.0/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: postgresql + repository: https://charts.bitnami.com/bitnami + version: 11.9.13 +digest: sha256:051285066cef2799e39e2953c4abd405c36510a09e9e1bd1833a29224daffddb +generated: "2022-12-19T11:56:46.951582785-08:00" diff --git a/charts/kong/kong/2.41.0/Chart.yaml b/charts/kong/kong/2.41.0/Chart.yaml new file mode 100644 index 000000000..00058ceee --- /dev/null +++ b/charts/kong/kong/2.41.0/Chart.yaml @@ -0,0 +1,21 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Kong Gateway + catalog.cattle.io/release-name: kong +apiVersion: v2 +appVersion: "3.6" +dependencies: +- condition: postgresql.enabled + name: postgresql + repository: file://./charts/postgresql + version: 11.9.13 +description: The Cloud-Native Ingress and API-management +home: https://konghq.com/ +icon: file://assets/icons/kong.png +maintainers: +- email: team-k8s@konghq.com + name: team-k8s-bot +name: kong +sources: +- https://github.com/Kong/charts/tree/main/charts/kong +version: 2.41.0 diff --git a/charts/kong/kong/2.41.0/FAQs.md b/charts/kong/kong/2.41.0/FAQs.md new file mode 100644 index 000000000..847cb63d1 --- /dev/null +++ b/charts/kong/kong/2.41.0/FAQs.md @@ -0,0 +1,139 @@ +# Frequently Asked Questions (FAQs) + +Despite the title, this is more a list of common problems. + +#### Kong cannot connect to a fresh Postgres install and fails to start + +If Kong is reporting that it cannot connect to Postgres because of an invalid +password on a fresh install, you likely have a leftover PersistentVolume from a +previous install using the same name. You should delete your install, delete +the associated PersistentVolumeClaim, and install again. + +Postgres PVCs [are not deleted when the chart install is +deleted](https://docs.bitnami.com/kubernetes/faq/troubleshooting/troubleshooting-helm-chart-issues/#persistence-volumes-pvs-retained-from-previous-releases), +and will be reused by subsequent installs if still present. Since the `kong` +user password is written to disk during database initialization only, that old +user's password is expected, not the new user's. + +PVC names use the pattern `data--postgresql-`. If +you named your install `foo` and did not increase the Postgres replica count, +you will have a single `data-foo-postgresql-0` PVC that needs to be deleted: + +``` +kubectl delete pvc data-foo-postgresql-0 +``` + +If you use a workflow that frequently deletes and re-creates installs, you +should make sure to delete PVCs when you delete the release: + +``` +helm delete foo; kubectl delete pvc data-foo-postgresql-0 +``` + +#### Upgrading a release fails due to missing ServiceAccount + +When upgrading a release, some configuration changes result in this error: + +``` +Error creating: pods "releasename-kong-pre-upgrade-migrations-" is forbidden: error looking up service account releasename-kong: serviceaccount "releasename-kong" not found +``` + +Enabling the ingress controller or PodSecurityPolicy requires that the Kong +chart also create a ServiceAccount. When upgrading from a configuration that +previously had neither of these features enabled, the pre-upgrade-migrations +Job attempts to use this ServiceAccount before it is created. It is [not +possible to easily handle this case automatically](https://github.com/Kong/charts/pull/31). + +Users encountering this issue should temporarily modify their +[pre-upgrade-migrations template](https://github.com/Kong/charts/blob/main/charts/kong/templates/migrations-pre-upgrade.yaml), +adding the following at the bottom: + +``` +{{ if or .Values.podSecurityPolicy.enabled (and .Values.ingressController.enabled .Values.ingressController.serviceAccount.create) -}} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "kong.serviceAccountName" . }} + namespace: {{ template "kong.namespace" . }} + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded + labels: + {{- include "kong.metaLabels" . | nindent 4 }} +{{- end -}} +``` + +Upgrading with this in place will create a temporary service account before +creating the actual service account. After this initial upgrade, users must +revert to the original pre-upgrade migrations template, as leaving the +temporary ServiceAccount template in place will [cause permissions issues on +subsequent upgrades](https://github.com/Kong/charts/issues/30). + +#### Running "helm upgrade" fails because of old init-migrations Job + +When running `helm upgrade`, the upgrade fails and Helm reports an error +similar to the following: + +``` +Error: UPGRADE FAILED: cannot patch "RELEASE-NAME-kong-init-migrations" with +kind Job: Job.batch "RELEASE-NAME-kong-init-migrations" is invalid ... field +is immutable +``` + +This occurs if a `RELEASE-NAME-kong-init-migrations` Job is left over from a +previous `helm install` or `helm upgrade`. Deleting it with +`kubectl delete job RELEASE-NAME-kong-init-migrations` will allow the upgrade +to proceed. Chart versions greater than 1.5.0 delete the job automatically. + +#### DB-backed instances do not start when deployed within a service mesh + +Service meshes, such as Istio and Kuma, if deployed in a mode that injects +a sidecar to Kong, don't make the mesh available to `InitContainer`s, +because the sidecar starts _after_ all `InitContainer`s finish. + +By default, this chart uses init containers to ensure that the database is +online and has migrations applied before starting Kong. This provides for a +smoother startup, but isn't compatible with service mesh sidecar requirements +if Kong is to access the database through the mesh. + +Setting `waitImage.enabled=false` in values.yaml disables these init containers +and resolves this issue. However, during the initial install, your Kong +Deployment will enter the CrashLoopBackOff state while waiting for migrations +to complete. It will eventually exit this state and enter Running as long as +there are no issues finishing migrations, usually within 2 minutes. + +If your Deployment is stuck in CrashLoopBackoff for longer, check the init +migrations Job logs to see if it is unable to connect to the database or unable +to complete migrations for some other reason. Resolve any issues you find, +delete the release, and attempt to install again. + +#### Kong fails to start after `helm upgrade` when Postgres is used + +As of Kong chart 2.8, this issue is no longer present. 2.8 updates the Postgres +sub-chart to a version that checks for existing password Secrets and leaves +them as-is rather than overwriting them. + +You may be running into this issue: https://github.com/helm/charts/issues/12575. +This issue is caused due to: https://github.com/helm/helm/issues/3053. + +The problem that happens is that Postgres database has the old password but +the new secret has a different password, which is used by Kong, and password +based authentication fails. + +The solution to the problem is to specify a password to the `postgresql` chart. +This is to ensure that the password is not generated randomly but is set to +the same one that is user-provided on each upgrade. + +The Postgres chart provides [two options](https://github.com/bitnami/charts/tree/master/bitnami/postgresql#postgresql-common-parameters) +for setting a password: + +- `auth.password` sets a password directly in values.yaml, in cleartext. This + is fine if you are using the instance for testing and have no security + concerns. +- `auth.existingSecret` specifies a Secret that contains [specific keys](https://github.com/bitnami/charts/blob/a6146a1ed392c8683c30b21e3fef905d86b0d2d6/bitnami/postgresql/values.yaml#L134-L143). + This should be used if you need to properly secure the Postgres instance. + +If you have already upgraded, the old password is lost. You will need to +delete the Helm release and the Postgres PersistentVolumeClaim before +re-installing with a non-random password. diff --git a/charts/kong/kong/2.41.0/README.md b/charts/kong/kong/2.41.0/README.md new file mode 100644 index 000000000..fa495a31b --- /dev/null +++ b/charts/kong/kong/2.41.0/README.md @@ -0,0 +1,1240 @@ +## Kong for Kubernetes + +[Kong for Kubernetes](https://github.com/Kong/kubernetes-ingress-controller) +is an open-source Ingress Controller for Kubernetes that offers +API management capabilities with a plugin architecture. + +This chart bootstraps all the components needed to run Kong on a +[Kubernetes](http://kubernetes.io) cluster using the +[Helm](https://helm.sh) package manager. + +## TL;DR; + +```bash +helm repo add kong https://charts.konghq.com +helm repo update + +helm install kong/kong --generate-name +``` + +## Table of contents + +- [Prerequisites](#prerequisites) +- [Install](#install) +- [Uninstall](#uninstall) +- [FAQs](#faqs) +- [Kong Enterprise](#kong-enterprise) +- [Deployment Options](#deployment-options) + - [Database](#database) + - [DB-less deployment](#db-less-deployment) + - [Using the Postgres sub-chart](#using-the-postgres-sub-chart) + - [Postgres sub-chart considerations for OpenShift](#postgres-sub-chart-considerations-for-openshift) + - [Runtime package](#runtime-package) + - [Configuration method](#configuration-method) + - [Separate admin and proxy nodes](#separate-admin-and-proxy-nodes) + - [Standalone controller nodes](#standalone-controller-nodes) + - [Hybrid mode](#hybrid-mode) + - [Certificates](#certificates) + - [Control plane node configuration](#control-plane-node-configuration) + - [Data plane node configuration](#data-plane-node-configuration) + - [Cert Manager Integration](#cert-manager-integration) + - [CRD management](#crd-management) + - [InitContainers](#initcontainers) + - [HostAliases](#hostaliases) + - [Sidecar Containers](#sidecar-containers) + - [Migration Sidecar Containers](#migration-sidecar-containers) + - [User Defined Volumes](#user-defined-volumes) + - [User Defined Volume Mounts](#user-defined-volume-mounts) + - [Removing cluster-scoped permissions](#removing-cluster-scoped-permissions) + - [Using a DaemonSet](#using-a-daemonset) + - [Using dnsPolicy and dnsConfig](#using-dnspolicy-and-dnsconfig) + - [Example configurations](#example-configurations) +- [Configuration](#configuration) + - [Kong parameters](#kong-parameters) + - [Kong Service Parameters](#kong-service-parameters) + - [Admin Service mTLS](#admin-service-mtls) + - [Stream listens](#stream-listens) + - [Ingress Controller Parameters](#ingress-controller-parameters) + - [The `env` section](#the-env-section) + - [The `customEnv` section](#the-customenv-section) + - [General Parameters](#general-parameters) + - [The `env` section](#the-env-section-1) + - [The `customEnv` section](#the-customenv-section-1) + - [The `extraLabels` section](#the-extralabels-section) +- [Kong Enterprise Parameters](#kong-enterprise-parameters) + - [Overview](#overview) + - [Prerequisites](#prerequisites-1) + - [Kong Enterprise License](#kong-enterprise-license) + - [Kong Enterprise Docker registry access](#kong-enterprise-docker-registry-access) + - [Service location hints](#service-location-hints) + - [RBAC](#rbac) + - [Sessions](#sessions) + - [Email/SMTP](#emailsmtp) +- [Prometheus Operator integration](#prometheus-operator-integration) +- [Argo CD considerations](#argo-cd-considerations) +- [Changelog](https://github.com/Kong/charts/blob/main/charts/kong/CHANGELOG.md) +- [Upgrading](https://github.com/Kong/charts/blob/main/charts/kong/UPGRADE.md) +- [Seeking help](#seeking-help) + +## Prerequisites + +- Kubernetes 1.17+. Older chart releases support older Kubernetes versions. + Refer to the [supported version matrix](https://docs.konghq.com/kubernetes-ingress-controller/latest/references/version-compatibility/#kubernetes) + and the [chart changelog](https://github.com/Kong/charts/blob/main/charts/kong/CHANGELOG.md) + for information about the default chart controller versions and Kubernetes + versions supported by controller releases. +- PV provisioner support in the underlying infrastructure if persistence + is needed for Kong datastore. + +## Install + +To install Kong: + +```bash +helm repo add kong https://charts.konghq.com +helm repo update + +helm install kong/kong --generate-name +``` + +## Uninstall + +To uninstall/delete a Helm release `my-release`: + +```bash +helm delete my-release +``` + +The command removes all the Kubernetes components associated with the +chart and deletes the release. + +> **Tip**: List all releases using `helm list` + +## FAQs + +Please read the +[FAQs](https://github.com/Kong/charts/blob/main/charts/kong/FAQs.md) +document. + +## Kong Enterprise + +If using Kong Enterprise, several additional steps are necessary before +installing the chart: + +- Set `enterprise.enabled` to `true` in `values.yaml` file. +- Update values.yaml to use a Kong Enterprise image. +- Satisfy the two prerequisites below for + [Enterprise License](#kong-enterprise-license) and + [Enterprise Docker Registry](#kong-enterprise-docker-registry-access). +- (Optional) [set a `password` environment variable](#rbac) to create the + initial super-admin. Though not required, this is recommended for users that + wish to use RBAC, as it cannot be done after initial setup. + +Once you have these set, it is possible to install Kong Enterprise. + +Please read through +[Kong Enterprise considerations](#kong-enterprise-parameters) +to understand all settings that are enterprise specific. + +## Deployment Options + +Kong is a highly configurable piece of software that can be deployed +in a number of different ways, depending on your use-case. + +All combinations of various runtimes, databases and configuration methods are +supported by this Helm chart. +The recommended approach is to use the Ingress Controller based configuration +along-with DB-less mode. + +Following sections detail on various high-level architecture options available: + +### Database + +Kong can run with or without a database (DB-less). By default, this chart +installs Kong without a database. + +You can set the database the `env.database` parameter. For more details, please +read the [env](#the-env-section) section. + +#### DB-less deployment + +When deploying Kong in DB-less mode(`env.database: "off"`) +and without the Ingress Controller(`ingressController.enabled: false`), +you have to provide a [declarative configuration](https://docs.konghq.com/gateway-oss/latest/db-less-and-declarative-config/#the-declarative-configuration-format) for Kong to run. +You can provide an existing ConfigMap +(`dblessConfig.configMap`) or Secret (`dblessConfig.secret`) or place the whole +configuration into `values.yaml` (`dblessConfig.config`) parameter. See the +example configuration in the default values.yaml for more details. You can use +`--set-file dblessConfig.config=/path/to/declarative-config.yaml` in Helm +commands to substitute in a complete declarative config file. + +Note that externally supplied ConfigMaps are not hashed or tracked in deployment annotations. +Subsequent ConfigMap updates will require user-initiated new deployment rollouts +to apply the new configuration. You should run `kubectl rollout restart deploy` +after updating externally supplied ConfigMap content. + +#### Using the Postgres sub-chart + +The chart can optionally spawn a Postgres instance using [Bitnami's Postgres +chart](https://github.com/bitnami/charts/blob/master/bitnami/postgresql/README.md) +as a sub-chart. Set `postgresql.enabled=true` to enable the sub-chart. Enabling +this will auto-populate Postgres connection settings in Kong's environment. + +The Postgres sub-chart is best used to quickly provision temporary environments +without installing and configuring your database separately. For longer-lived +environments, we recommend you manage your database outside the Kong Helm +release. + +##### Postgres sub-chart considerations for OpenShift + +Due to the default `securityContexts` in the postgres sub-chart, you will need to add the following values to the `postgresql` section to get postgres running on OpenShift: + +```yaml + volumePermissions: + enabled: false + securityContext: + runAsUser: "auto" + primary: + containerSecurityContext: + enabled: false + podSecurityContext: + enabled: false +``` + +### Runtime package + +There are three different packages of Kong that are available: + +- **Kong Gateway**\ + This is the [Open-Source](https://github.com/kong/kong) offering. It is a + full-blown API Gateway and Ingress solution with a wide-array of functionality. + When Kong Gateway is combined with the Ingress based configuration method, + you get Kong for Kubernetes. This is the default deployment for this Helm + Chart. +- **Kong Enterprise K8S**\ + This package builds up on top of the Open-Source Gateway and bundles in all + the Enterprise-only plugins as well. + When Kong Enterprise K8S is combined with the Ingress based + configuration method, you get Kong for Kubernetes Enterprise. + This package also comes with 24x7 support from Kong Inc. +- **Kong Enterprise**\ + This is the full-blown Enterprise package which packs with itself all the + Enterprise functionality like Manager, Portal, Vitals, etc. + This package can't be run in DB-less mode. + +The package to run can be changed via `image.repository` and `image.tag` +parameters. If you would like to run the Enterprise package, please read +the [Kong Enterprise Parameters](#kong-enterprise-parameters) section. + +### Configuration method + +Kong can be configured via two methods: +- **Ingress and CRDs**\ + The configuration for Kong is done via `kubectl` and Kubernetes-native APIs. + This is also known as Kong Ingress Controller or Kong for Kubernetes and is + the default deployment pattern for this Helm Chart. The configuration + for Kong is managed via Ingress and a few + [Custom Resources](https://docs.konghq.com/kubernetes-ingress-controller/latest/concepts/custom-resources). + For more details, please read the + [documentation](https://docs.konghq.com/kubernetes-ingress-controller/) + on Kong Ingress Controller. + To configure and fine-tune the controller, please read the + [Ingress Controller Parameters](#ingress-controller-parameters) section. +- **Admin API**\ + This is the traditional method of running and configuring Kong. + By default, the Admin API of Kong is not exposed as a Service. This + can be controlled via `admin.enabled` and `env.admin_listen` parameters. + +### Separate admin and proxy nodes + +*Note: although this section is titled "Separate admin and proxy nodes", this +split release technique is generally applicable to any deployment with +different types of Kong nodes. Separating Admin API and proxy nodes is one of +the more common use cases for splitting across multiple releases, but you can +also split releases for split proxy and Developer Portal nodes, multiple groups +of proxy nodes with separate listen configurations for network segmentation, etc. +However, it does not apply to hybrid mode, as only the control plane release +interacts with the database.* + +Users may wish to split their Kong deployment into multiple instances that only +run some of Kong's services (i.e. you run `helm install` once for every +instance type you wish to create). + +To disable Kong services on an instance, you should set `SVC.enabled`, +`SVC.http.enabled`, `SVC.tls.enabled`, and `SVC.ingress.enabled` all to +`false`, where `SVC` is `proxy`, `admin`, `manager`, `portal`, or `portalapi`. + +The standard chart upgrade automation process assumes that there is only a +single Kong release in the Kong cluster, and runs both `migrations up` and +`migrations finish` jobs. To handle clusters split across multiple releases, +you should: +1. Upgrade one of the releases with `helm upgrade RELEASENAME -f values.yaml + --set migrations.preUpgrade=true --set migrations.postUpgrade=false`. +2. Upgrade all but one of the remaining releases with `helm upgrade RELEASENAME + -f values.yaml --set migrations.preUpgrade=false --set + migrations.postUpgrade=false`. +3. Upgrade the final release with `helm upgrade RELEASENAME -f values.yaml + --set migrations.preUpgrade=false --set migrations.postUpgrade=true`. + +This ensures that all instances are using the new Kong package before running +`kong migrations finish`. + +Users should note that Helm supports supplying multiple values.yaml files, +allowing you to separate shared configuration from instance-specific +configuration. For example, you may have a shared values.yaml that contains +environment variables and other common settings, and then several +instance-specific values.yamls that contain service configuration only. You can +then create releases with: + +```bash +helm install proxy-only -f shared-values.yaml -f only-proxy.yaml kong/kong +helm install admin-only -f shared-values.yaml -f only-admin.yaml kong/kong +``` + +### Standalone controller nodes + +The chart can deploy releases that contain the controller only, with no Kong +container, by setting `deployment.kong.enabled: false` in values.yaml. There +are several controller settings that must be populated manually in this +scenario and several settings that are useful when using multiple controllers: + +* `ingressController.env.kong_admin_url` must be set to the Kong Admin API URL. + If the Admin API is exposed by a service in the cluster, this should look + something like `https://my-release-kong-admin.kong-namespace.svc:8444` +* `ingressController.env.publish_service` must be set to the Kong proxy + service, e.g. `namespace/my-release-kong-proxy`. +* `ingressController.ingressClass` should be set to a different value for each + instance of the controller. +* `ingressController.env.kong_admin_filter_tag` should be set to a different value + for each instance of the controller. +* If using Kong Enterprise, `ingressController.env.kong_workspace` can + optionally create configuration in a workspace other than `default`. + +Standalone controllers require a database-backed Kong instance, as DB-less mode +requires that a single controller generate a complete Kong configuration. + +### Hybrid mode + +Kong supports [hybrid mode +deployments](https://docs.konghq.com/2.0.x/hybrid-mode/) as of Kong 2.0.0 and +[Kong Enterprise 2.1.0](https://docs.konghq.com/enterprise/2.1.x/deployment/hybrid-mode/). +These deployments split Kong nodes into control plane (CP) nodes, which provide +the admin API and interact with the database, and data plane (DP) nodes, which +provide the proxy and receive configuration from control plane nodes. + +You can deploy hybrid mode Kong clusters by [creating separate releases for each node +type](#separate-admin-and-proxy-nodes), i.e. use separate control and data +plane values.yamls that are then installed separately. The [control +plane](#control-plane-node-configuration) and [data +plane](#data-plane-node-configuration) configuration sections below cover the +values.yaml specifics for each. + +Cluster certificates are not generated automatically. You must [create a +certificate and key pair](#certificates) for intra-cluster communication. + +When upgrading the Kong version, you must [upgrade the control plane release +first and then upgrade the data plane release](https://docs.konghq.com/gateway/latest/plan-and-deploy/hybrid-mode/#version-compatibility). + +#### Certificates + +> This example shows how to use Kong Hybrid mode with `cluster_mtls: shared`. +> For an example of `cluster_mtls: pki` see the [hybrid-cert-manager example](https://github.com/Kong/charts/blob/main/charts/kong/example-values/hybrid-cert-manager/) + +Hybrid mode uses TLS to secure the CP/DP node communication channel, and +requires certificates for it. You can generate these either using `kong hybrid +gen_cert` on a local Kong installation or using OpenSSL: + +```bash +openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp384r1) \ + -keyout /tmp/cluster.key -out /tmp/cluster.crt \ + -days 1095 -subj "/CN=kong_clustering" +``` + +You must then place these certificates in a Secret: + +```bash +kubectl create secret tls kong-cluster-cert --cert=/tmp/cluster.crt --key=/tmp/cluster.key +``` + +#### Control plane node configuration + +You must configure the control plane nodes to mount the certificate secret on +the container filesystem is serve it from the cluster listen. In values.yaml: + +```yaml +secretVolumes: +- kong-cluster-cert +``` + +```yaml +env: + role: control_plane + cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt + cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key +``` + +Furthermore, you must enable the cluster listen and Kubernetes Service, and +should typically disable the proxy: + +```yaml +cluster: + enabled: true + tls: + enabled: true + servicePort: 8005 + containerPort: 8005 + +proxy: + enabled: false +``` + +Enterprise users with Vitals enabled must also enable the cluster telemetry +service: + +```yaml +clustertelemetry: + enabled: true + tls: + enabled: true + servicePort: 8006 + containerPort: 8006 +``` + +If using the ingress controller, you must also specify the DP proxy service as +its publish target to keep Ingress status information up to date: + +``` +ingressController: + env: + publish_service: hybrid/example-release-data-kong-proxy +``` + +Replace `hybrid` with your DP nodes' namespace and `example-release-data` with +the name of the DP release. + +#### Data plane node configuration + +Data plane configuration also requires the certificate and `role` +configuration, and the database should always be set to `off`. You must also +trust the cluster certificate and indicate what hostname/port Kong should use +to find control plane nodes. + +Though not strictly required, you should disable the admin service (it will not +work on DP nodes anyway, but should be disabled to avoid creating an invalid +Service resource). + +```yaml +secretVolumes: +- kong-cluster-cert +``` + +```yaml +admin: + enabled: false +``` + +```yaml +env: + role: data_plane + database: "off" + cluster_cert: /etc/secrets/kong-cluster-cert/tls.crt + cluster_cert_key: /etc/secrets/kong-cluster-cert/tls.key + lua_ssl_trusted_certificate: /etc/secrets/kong-cluster-cert/tls.crt + cluster_control_plane: control-plane-release-name-kong-cluster.hybrid.svc.cluster.local:8005 + cluster_telemetry_endpoint: control-plane-release-name-kong-clustertelemetry.hybrid.svc.cluster.local:8006 # Enterprise-only +``` + +Note that the `cluster_control_plane` value will differ depending on your +environment. `control-plane-release-name` will change to your CP release name, +`hybrid` will change to whatever namespace it resides in. See [Kubernetes' +documentation on Service +DNS](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/) +for more detail. + +If you use multiple Helm releases to manage different data plane configurations +attached to the same control plane, setting the `deployment.hostname` field +will help you keep track of which is which in the `/clustering/data-plane` +endpoint. + +### Cert Manager Integration + +By default, Kong will create self-signed certificates on start for its TLS +listens if you do not provide your own. The chart can create +[cert-manager](https://cert-manager.io/docs/) Certificates for its Services and +configure them for you. To use this integration, install cert-manager, create +an issuer, set `certificates.enabled: true` in values.yaml, and set your issuer +name in `certificates.issuer` or `certificates.clusterIssuer` depending on the +issuer type. + +If you do not have an issuer available, you can install the example [self-signed ClusterIssuer](https://cert-manager.io/docs/configuration/selfsigned/#bootstrapping-ca-issuers) +and set `certificates.clusterIssuer: selfsigned-issuer` for testing. You +should, however, migrate to an issuer using a CA your clients trust for actual +usage. + +The `proxy`, `admin`, `portal`, and `cluster` subsections under `certificates` +let you choose hostnames, override issuers, set `subject` or set `privateKey` on a per-certificate basis for the +proxy, admin API and Manager, Portal and Portal API, and hybrid mode mTLS +services, respectively. + +To use hybrid mode, the control and data plane releases must use the same +issuer for their cluster certificates. + +### CRD management + +Earlier versions of this chart (<2.0) created CRDs associated with the ingress +controller as part of the release. This raised two challenges: + +- Multiple release of the chart would conflict with one another, as each would + attempt to create its own set of CRDs. +- Because deleting a CRD also deletes any custom resources associated with it, + deleting a release of the chart could destroy user configuration without + providing any means to restore it. + +Helm 3 introduced a simplified CRD management method that was safer, but +requires some manual work when a chart added or modified CRDs: CRDs are created +on install if they are not already present, but are not modified during +release upgrades or deletes. Our chart release upgrade instructions call out +when manual action is necessary to update CRDs. This CRD handling strategy is +recommended for most users. + +Some users may wish to manage their CRDs automatically. If you manage your CRDs +this way, we _strongly_ recommend that you back up all associated custom +resources in the event you need to recover from unintended CRD deletion. + +While Helm 3's CRD management system is recommended, there is no simple means +of migrating away from release-managed CRDs if you previously installed your +release with the old system (you would need to back up your existing custom +resources, delete your release, reinstall, and restore your custom resources +after). As such, the chart detects if you currently use release-managed CRDs +and continues to use the old CRD templates when using chart version 2.0+. If +you do (your resources will have a `meta.helm.sh/release-name` annotation), we +_strongly_ recommend that you back up all associated custom resources in the +event you need to recover from unintended CRD deletion. + +### InitContainers + +The chart is able to deploy initContainers along with Kong. This can be very +useful when there's a requirement for custom initialization. The +`deployment.initContainers` field in values.yaml takes an array of objects that +get appended as-is to the existing `spec.template.initContainers` array in the +kong deployment resource. + +### HostAliases + +The chart is able to inject host aliases into containers. This can be very useful +when it's required to resolve additional domain name which can't be looked-up +directly from dns server. The `deployment.hostAliases` field in values.yaml +takes an array of objects that set to `spec.template.hostAliases` field in the +kong deployment resource. + +### Sidecar Containers + +The chart can deploy additional containers along with the Kong and Ingress +Controller containers, sometimes referred to as "sidecar containers". This can +be useful to include network proxies or logging services along with Kong. The +`deployment.sidecarContainers` field in values.yaml takes an array of objects +that get appended as-is to the existing `spec.template.spec.containers` array +in the Kong deployment resource. + +### Migration Sidecar Containers + +In the same way sidecar containers are attached to the Kong and Ingress +Controller containers the chart can add sidecars to the containers that runs +the migrations. The +`migrations.sidecarContainers` field in values.yaml takes an array of objects +that get appended as-is to the existing `spec.template.spec.containers` array +in the pre-upgrade-migrations, post-upgrade-migrations and migration resrouces. +Keep in mind the containers should be finite and they should be terminated +with the migration containers, otherwise the migration could get the status +as finished and the deployment of the chart will reach the timeout. + +### User Defined Volumes + +The chart can deploy additional volumes along with Kong. This can be useful to +include additional volumes which required during iniatilization phase +(InitContainer). The `deployment.userDefinedVolumes` field in values.yaml +takes an array of objects that get appended as-is to the existing +`spec.template.spec.volumes` array in the kong deployment resource. + +### User Defined Volume Mounts + +The chart can mount user-defined volumes. The +`deployment.userDefinedVolumeMounts` and +`ingressController.userDefinedVolumeMounts` fields in values.yaml take an array +of object that get appended as-is to the existing +`spec.template.spec.containers[].volumeMounts` and +`spec.template.spec.initContainers[].volumeMounts` array in the kong deployment +resource. + +### Removing cluster-scoped permissions + +You can limit the controller's access to allow it to only watch specific +namespaces for namespaced resources. By default, the controller watches all +namespaces. Limiting access requires several changes to configuration: + +- Set `ingressController.watchNamespaces` to a list of namespaces you want to + watch. The chart will automatically generate roles for each namespace and + assign them to the controller's service account. +- Optionally set `ingressController.installCRDs=false` if your user role (the + role you use when running `helm install`, not the controller service + account's role) does not have access to get CRDs. By default, the chart + attempts to look up the controller CRDs for [a legacy behavior + check](#crd-management). + +### Using a DaemonSet + +Setting `deployment.daemonset: true` deploys Kong using a [DaemonSet +controller](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) +instead of a Deployment controller. This runs a Kong Pod on every kubelet in +the Kubernetes cluster. For such configuration it may be desirable to configure +Pods to use the network of the host they run on instead of a dedicated network +namespace. The benefit of this approach is that the Kong can bind ports directly +to Kubernetes nodes' network interfaces, without the extra network translation +imposed by NodePort Services. It can be achieved by setting `deployment.hostNetwork: true`. + +### Using dnsPolicy and dnsConfig + +The chart able to inject custom DNS configuration into containers. This can be useful when you have EKS cluster with [NodeLocal DNSCache](https://kubernetes.io/docs/tasks/administer-cluster/nodelocaldns/) configured and attach AWS security groups directly to pod using [security groups for pods feature](https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html). + +### Example configurations + +Several example values.yaml are available in the +[example-values](https://github.com/Kong/charts/blob/main/charts/kong/example-values/) +directory. + +## Configuration + +### Kong parameters + +| Parameter | Description | Default | +| ---------------------------------- | ------------------------------------------------------------------------------------- | ------------------- | +| image.repository | Kong image | `kong` | +| image.tag | Kong image version | `3.5` | +| image.effectiveSemver | Semantic version to use for version-dependent features (if `tag` is not a semver) | | +| image.pullPolicy | Image pull policy | `IfNotPresent` | +| image.pullSecrets | Image pull secrets | `null` | +| replicaCount | Kong instance count. It has no effect when `autoscaling.enabled` is set to true | `1` | +| plugins | Install custom plugins into Kong via ConfigMaps or Secrets | `{}` | +| env | Additional [Kong configurations](https://getkong.org/docs/latest/configuration/) | | +| customEnv | Custom Environment variables without `KONG_` prefix | | +| envFrom | Populate environment variables from ConfigMap or Secret keys | | +| migrations.preUpgrade | Run "kong migrations up" jobs | `true` | +| migrations.postUpgrade | Run "kong migrations finish" jobs | `true` | +| migrations.annotations | Annotations for migration job pods | `{"sidecar.istio.io/inject": "false" | +| migrations.jobAnnotations | Additional annotations for migration jobs | `{}` | +| migrations.backoffLimit | Override the system backoffLimit | `{}` | +| waitImage.enabled | Spawn init containers that wait for the database before starting Kong | `true` | +| waitImage.repository | Image used to wait for database to become ready. Uses the Kong image if none set | | +| waitImage.tag | Tag for image used to wait for database to become ready | | +| waitImage.pullPolicy | Wait image pull policy | `IfNotPresent` | +| postgresql.enabled | Spin up a new postgres instance for Kong | `false` | +| dblessConfig.configMap | Name of an existing ConfigMap containing the `kong.yml` file. This must have the key `kong.yml`.| `` | +| dblessConfig.config | Yaml configuration file for the dbless (declarative) configuration of Kong | see in `values.yaml` | + +#### Kong Service Parameters + +The various `SVC.*` parameters below are common to the various Kong services +(the admin API, proxy, Kong Manager, the Developer Portal, and the Developer +Portal API) and define their listener configuration, K8S Service properties, +and K8S Ingress properties. Defaults are listed only if consistent across the +individual services: see values.yaml for their individual default values. + +`SVC` below can be substituted with each of: +* `proxy` +* `udpProxy` +* `admin` +* `manager` +* `portal` +* `portalapi` +* `cluster` +* `clustertelemetry` +* `status` + +`status` is intended for internal use within the cluster. Unlike other +services it cannot be exposed externally, and cannot create a Kubernetes +service or ingress. It supports the settings under `SVC.http` and `SVC.tls` +only. + +`cluster` is used on hybrid mode control plane nodes. It does not support the +`SVC.http.*` settings (cluster communications must be TLS-only) or the +`SVC.ingress.*` settings (cluster communication requires TLS client +authentication, which cannot pass through an ingress proxy). `clustertelemetry` +is similar, and used when Vitals is enabled on Kong Enterprise control plane +nodes. + +`udpProxy` is used for UDP stream listens (Kubernetes does not yet support +mixed TCP/UDP LoadBalancer Services). It _does not_ support the `http`, `tls`, +or `ingress` sections, as it is used only for stream listens. + +| Parameter | Description | Default | +|-----------------------------------|-------------------------------------------------------------------------------------------|--------------------------| +| SVC.enabled | Create Service resource for SVC (admin, proxy, manager, etc.) | | +| SVC.http.enabled | Enables http on the service | | +| SVC.http.servicePort | Service port to use for http | | +| SVC.http.containerPort | Container port to use for http | | +| SVC.http.nodePort | Node port to use for http | | +| SVC.http.hostPort | Host port to use for http | | +| SVC.http.parameters | Array of additional listen parameters | `[]` | +| SVC.http.appProtocol | `appProtocol` to be set in a Service's port. If left empty, no `appProtocol` will be set. | | +| SVC.tls.enabled | Enables TLS on the service | | +| SVC.tls.containerPort | Container port to use for TLS | | +| SVC.tls.servicePort | Service port to use for TLS | | +| SVC.tls.nodePort | Node port to use for TLS | | +| SVC.tls.hostPort | Host port to use for TLS | | +| SVC.tls.overrideServiceTargetPort | Override service port to use for TLS without touching Kong containerPort | | +| SVC.tls.parameters | Array of additional listen parameters | `["http2"]` | +| SVC.tls.appProtocol | `appProtocol` to be set in a Service's port. If left empty, no `appProtocol` will be set. | | +| SVC.type | k8s service type. Options: NodePort, ClusterIP, LoadBalancer | | +| SVC.clusterIP | k8s service clusterIP | | +| SVC.loadBalancerClass | loadBalancerClass to use for LoadBalancer provisionning | | +| SVC.loadBalancerSourceRanges | Limit service access to CIDRs if set and service type is `LoadBalancer` | `[]` | +| SVC.loadBalancerIP | Reuse an existing ingress static IP for the service | | +| SVC.externalIPs | IPs for which nodes in the cluster will also accept traffic for the servic | `[]` | +| SVC.externalTrafficPolicy | k8s service's externalTrafficPolicy. Options: Cluster, Local | | +| SVC.ingress.enabled | Enable ingress resource creation (works with SVC.type=ClusterIP) | `false` | +| SVC.ingress.ingressClassName | Set the ingressClassName to associate this Ingress with an IngressClass | | +| SVC.ingress.hostname | Ingress hostname | `""` | +| SVC.ingress.path | Ingress path. | `/` | +| SVC.ingress.pathType | Ingress pathType. One of `ImplementationSpecific`, `Exact` or `Prefix` | `ImplementationSpecific` | +| SVC.ingress.hosts | Slice of hosts configurations, including `hostname`, `path` and `pathType` keys | `[]` | +| SVC.ingress.tls | Name of secret resource or slice of `secretName` and `hosts` keys | | +| SVC.ingress.annotations | Ingress annotations. See documentation for your ingress controller for details | `{}` | +| SVC.ingress.labels | Ingress labels. Additional custom labels to add to the ingress. | `{}` | +| SVC.annotations | Service annotations | `{}` | +| SVC.labels | Service labels | `{}` | + +#### Admin Service mTLS + +On top of the common parameters listed above, the `admin` service supports parameters for mTLS client verification. +If any of `admin.tls.client.caBundle` or `admin.tls.client.secretName` are set, the admin service will be configured to +require mTLS client verification. If both are set, `admin.tls.client.caBundle` will take precedence. + +| Parameter | Description | Default | +|-----------------------------|---------------------------------------------------------------------------------------------|---------| +| admin.tls.client.caBundle | CA certificate to use for TLS verification of the Admin API client (PEM-encoded). | `""` | +| admin.tls.client.secretName | CA certificate secret name - must contain a `tls.crt` key with the PEM-encoded certificate. | `""` | + +#### Stream listens + +The proxy configuration additionally supports creating stream listens. These +are configured using an array of objects under `proxy.stream` and `udpProxy.stream`: + +| Parameter | Description | Default | +| ---------------------------------- | ------------------------------------------------------------------------------------- | ------------------- | +| protocol | The listen protocol, either "TCP" or "UDP" | | +| containerPort | Container port to use for a stream listen | | +| servicePort | Service port to use for a stream listen | | +| nodePort | Node port to use for a stream listen | | +| hostPort | Host port to use for a stream listen | | +| parameters | Array of additional listen parameters | `[]` | + +### Ingress Controller Parameters + +All of the following properties are nested under the `ingressController` +section of `values.yaml` file: + +| Parameter | Description | Default | +|--------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------| +| enabled | Deploy the ingress controller, rbac and crd | true | +| image.repository | Docker image with the ingress controller | kong/kubernetes-ingress-controller | +| image.tag | Version of the ingress controller | `3.3` | +| image.effectiveSemver | Version of the ingress controller used for version-specific features when image.tag is not a valid semantic version | | +| readinessProbe | Kong ingress controllers readiness probe | | +| livenessProbe | Kong ingress controllers liveness probe | | +| installCRDs | Legacy toggle for Helm 2-style CRD management. Should not be set [unless necessary due to cluster permissions](#removing-cluster-scoped-permissions). | false | +| env | Specify Kong Ingress Controller configuration via environment variables | | +| customEnv | Specify custom environment variables (without the CONTROLLER_ prefix) | | +| envFrom | Populate environment variables from ConfigMap or Secret keys | | +| ingressClass | The name of this controller's ingressClass | kong | +| ingressClassAnnotations | The ingress-class value for controller | kong | +| args | List of ingress-controller cli arguments | [] | +| watchNamespaces | List of namespaces to watch. Watches all namespaces if empty | [] | +| admissionWebhook.enabled | Whether to enable the validating admission webhook | true | +| admissionWebhook.failurePolicy | How unrecognized errors from the admission endpoint are handled (Ignore or Fail) | Ignore | +| admissionWebhook.filterSecrets | Limit the webhook to only Secrets with the appropriate KIC validation labels. | false | +| admissionWebhook.port | The port the ingress controller will listen on for admission webhooks | 8080 | +| admissionWebhook.address | The address the ingress controller will listen on for admission webhooks, if not 0.0.0.0 | | +| admissionWebhook.annotations | Annotations for the Validation Webhook Configuration | | +| admissionWebhook.certificate.provided | Use a provided certificate. When set to false, the chart will automatically generate a certificate. | false | +| admissionWebhook.certificate.secretName | Name of the TLS secret for the provided webhook certificate | | +| admissionWebhook.certificate.caBundle | PEM encoded CA bundle which will be used to validate the provided webhook certificate | | +| admissionWebhook.namespaceSelector | Add namespaceSelector to the webhook. Please go to [Kubernetes doc for the specs](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#matching-requests-namespaceselector) | | +| admissionWebhook.timeoutSeconds | Kubernetes `apiserver`'s timeout when running this webhook. Default: 10 seconds. | | +| userDefinedVolumes | Create volumes. Please go to Kubernetes doc for the spec of the volumes | | +| userDefinedVolumeMounts | Create volumeMounts. Please go to Kubernetes doc for the spec of the volumeMounts | | +| terminationGracePeriodSeconds | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pod | 30 | +| gatewayDiscovery.enabled | Enables Kong instance service discovery (for more details see [gatewayDiscovery section][gd_section]) | false | +| gatewayDiscovery.generateAdminApiService | Generate the admin API service name based on the release name (for more details see [gatewayDiscovery section][gd_section]) | false | +| gatewayDiscovery.adminApiService.namespace | The namespace of the Kong admin API service (for more details see [gatewayDiscovery section][gd_section]) | `.Release.Namespace` | +| gatewayDiscovery.adminApiService.name | The name of the Kong admin API service (for more details see [gatewayDiscovery section][gd_section]) | "" | +| konnect.enabled | Enable synchronisation of data plane configuration with Konnect Runtime Group | false | +| konnect.runtimeGroupID | Deprecated: Konnect Runtime Group's unique identifier. | | +| konnect.controlPlaneID | Konnect Control Plane's unique identifier. | | +| konnect.apiHostname | Konnect API hostname. Defaults to a production US-region. | us.kic.api.konghq.com | +| konnect.tlsClientCertSecretName | Name of the secret that contains Konnect Runtime Group's client TLS certificate. | konnect-client-tls | +| konnect.license.enabled | Enable automatic license provisioning for Gateways managed by Ingress Controller in Konnect mode. | false | +| adminApi.tls.client.enabled | Enable TLS client verification for the Admin API. By default, Helm will generate certificates automatically. | false | +| adminApi.tls.client.certProvided | Use user-provided certificates. If set to false, Helm will generate certificates. | false | +| adminApi.tls.client.secretName | Client TLS certificate/key pair secret name. Can be also set when `certProvided` is false to enforce a generated secret's name. | "" | +| adminApi.tls.client.caSecretName | CA TLS certificate/key pair secret name. Can be also set when `certProvided` is false to enforce a generated secret's name. | "" | + +[gd_section]: #the-gatewayDiscovery-section + +#### The `env` section +For a complete list of all configuration values you can set in the +`env` section, please read the Kong Ingress Controller's +[configuration document](https://docs.konghq.com/kubernetes-ingress-controller/latest/reference/cli-arguments/). + +#### The `customEnv` section + +The `customEnv` section can be used to configure all environment variables other than Ingress Controller configuration. +Any key value put under this section translates to environment variables. +Every key is upper-cased before setting the environment variable. + +An example: + +```yaml +kong: + ingressController: + customEnv: + TZ: "Europe/Berlin" +``` + +#### The `gatewayDiscovery` section + +Kong Ingress Controller v2.9 has introduced gateway discovery which allows +the controller to discover Gateway instances that it should configure using +an Admin API Kubernetes service. + +Using this feature requires a split release installation of Gateways and Ingress Controller. +For exemplar `values.yaml` files which use this feature please see: [examples README.md](./example-values/README.md). +or use the [`ingress` chart](../ingress/README.md) which can handle this for you. + +##### Configuration + +You'll be able to configure this feature through configuration section under +`ingressController.gatewayDiscovery`: + +- If `ingressController.gatewayDiscovery.enabled` is set to `false`: the ingress controller + will control a pre-determined set of Gateway instances based on Admin API URLs + (provided under the hood via `CONTROLLER_KONG_ADMIN_URL` environment variable). + +- If `ingressController.gatewayDiscovery.enabled` is set to `true`: the ingress controller + will dynamically locate Gateway instances by watching the specified Kubernetes + service. + (provided under the hood via `CONTROLLER_KONG_ADMIN_SVC` environment variable). + + The following admin API Service flags have to be present in order for gateway + discovery to work: + + - `ingressController.gatewayDiscovery.adminApiService.name` + - `ingressController.gatewayDiscovery.adminApiService.namespace` + + If you set `ingressController.gatewayDiscovery.generateAdminApiService` to `true`, + the chart will generate values for `name` and `namespace` based on the current release name and + namespace. This is useful when consuming the `kong` chart as a subchart. + +Additionally, you can control the addresses that are generated for your Gateways +via the `--gateway-discovery-dns-strategy` CLI flag that can be set on the Ingress Controller +(or an equivalent environment variable: `CONTROLLER_GATEWAY_DISCOVERY_DNS_STRATEGY`). +It accepts 3 values which change the way that Gateway addresses are generated: +- `service` - for service scoped pod DNS names: `pod-ip-address.service-name.my-namespace.svc.cluster-domain.example` +- `pod` - for namespace scope pod DNS names: `pod-ip-address.my-namespace.pod.cluster-domain.example` +- `ip` (default, retains behavior introduced in v2.9) - for regular IP addresses + +When using `gatewayDiscovery`, you should consider configuring the Admin service to use mTLS client verification to make +this interface secure. +Without that, anyone who can access the Admin API from inside the cluster can configure the Gateway instances. + +On the controller release side, that can be achieved by setting `ingressController.adminApi.tls.client.enabled` to `true`. +By default, Helm will generate a certificate Secret named `-admin-api-keypair` and +a CA Secret named `-admin-api-ca-keypair` for you. + +To provide your own cert, set `ingressController.adminApi.tls.client.certProvided` to +`true`, `ingressController.adminApi.tls.client.secretName` to the name of the Secret containing your client cert, and `ingressController.adminApi.tls.client.caSecretName` to the name of the Secret containing your CA cert. + +On the Gateway release side, set either `admin.tls.client.secretName` to the name of your CA Secret or set `admin.tls.client.caBundle` to the CA certificate string. + +### General Parameters + +| Parameter | Description | Default | +| ---------------------------------- | ------------------------------------------------------------------------------------- | ------------------- | +| namespace | Namespace to deploy chart resources | | +| deployment.kong.enabled | Enable or disable deploying Kong | `true` | +| deployment.revisionHistoryLimit | The number of `ReplicaSet`s to retain. | `10` | +| deployment.minReadySeconds | Minimum number of seconds for which newly created pods should be ready without any of its container crashing, for it to be considered available. | | +| deployment.initContainers | Create initContainers. Please go to Kubernetes doc for the spec of the initContainers | | +| deployment.daemonset | Use a DaemonSet instead of a Deployment | `false` | +| deployment.hostname | Set the Deployment's `.spec.template.hostname`. Kong reports this as its hostname. | | +| deployment.hostNetwork | Enable hostNetwork, which binds to the ports to the host | `false` | +| deployment.userDefinedVolumes | Create volumes. Please go to Kubernetes doc for the spec of the volumes | | +| deployment.userDefinedVolumeMounts | Create volumeMounts. Please go to Kubernetes doc for the spec of the volumeMounts | | +| deployment.serviceAccount.create | Create Service Account for the Deployment / Daemonset and the migrations | `true` | +| deployment.serviceAccount.automountServiceAccountToken | Enable ServiceAccount token automount in Kong deployment | `false` | +| deployment.serviceAccount.name | Name of the Service Account, a default one will be generated if left blank. | "" | +| deployment.serviceAccount.annotations | Annotations for the Service Account | {} | +| deployment.test.enabled | Enable creation of test resources for use with "helm test" | `false` | +| autoscaling.enabled | Set this to `true` to enable autoscaling | `false` | +| autoscaling.minReplicas | Set minimum number of replicas | `2` | +| autoscaling.maxReplicas | Set maximum number of replicas | `5` | +| autoscaling.behavior | Sets the [behavior for scaling up and down](https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior) | `{}` | +| autoscaling.targetCPUUtilizationPercentage | Target Percentage for when autoscaling takes affect. Only used if cluster does not support `autoscaling/v2` or `autoscaling/v2beta2` | `80` | +| autoscaling.metrics | metrics used for autoscaling for clusters that supports `autoscaling/v2` or `autoscaling/v2beta2` | See [values.yaml](values.yaml) | +| updateStrategy | update strategy for deployment | `{}` | +| readinessProbe | Kong readiness probe | | +| livenessProbe | Kong liveness probe | | +| startupProbe | Kong startup probe | | +| lifecycle | Proxy container lifecycle hooks | see `values.yaml` | +| terminationGracePeriodSeconds | Sets the [termination grace period](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution) for Deployment pods | 30 | +| affinity | Node/pod affinities | | +| topologySpreadConstraints | Control how Pods are spread across cluster among failure-domains | | +| nodeSelector | Node labels for pod assignment | `{}` | +| deploymentAnnotations | Annotations to add to deployment | see `values.yaml` | +| podAnnotations | Annotations to add to each pod | see `values.yaml` | +| podLabels | Labels to add to each pod | `{}` | +| resources | Pod resource requests & limits | `{}` | +| tolerations | List of node taints to tolerate | `[]` | +| dnsPolicy | Pod dnsPolicy | | +| dnsConfig | Pod dnsConfig | | +| podDisruptionBudget.enabled | Enable PodDisruptionBudget for Kong | `false` | +| podDisruptionBudget.maxUnavailable | Represents the minimum number of Pods that can be unavailable (integer or percentage) | `50%` | +| podDisruptionBudget.minAvailable | Represents the number of Pods that must be available (integer or percentage) | | +| podSecurityPolicy.enabled | Enable podSecurityPolicy for Kong | `false` | +| podSecurityPolicy.labels | Labels to add to podSecurityPolicy for Kong | `{}` | +| podSecurityPolicy.annotations | Annotations to add to podSecurityPolicy for Kong | `{}` | +| podSecurityPolicy.spec | Collection of [PodSecurityPolicy settings](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#what-is-a-pod-security-policy) | | +| priorityClassName | Set pod scheduling priority class for Kong pods | `""` | +| secretVolumes | Mount given secrets as a volume in Kong container to override default certs and keys. | `[]` | +| securityContext | Set the securityContext for Kong Pods | `{}` | +| containerSecurityContext | Set the securityContext for Containers | See values.yaml | +| serviceMonitor.enabled | Create ServiceMonitor for Prometheus Operator | `false` | +| serviceMonitor.interval | Scraping interval | `30s` | +| serviceMonitor.namespace | Where to create ServiceMonitor | | +| serviceMonitor.labels | ServiceMonitor labels | `{}` | +| serviceMonitor.targetLabels | ServiceMonitor targetLabels | `{}` | +| serviceMonitor.honorLabels | ServiceMonitor honorLabels | `{}` | +| serviceMonitor.metricRelabelings | ServiceMonitor metricRelabelings | `{}` | +| serviceMonitor.relabelings | ServiceMonitor relabelings | `[]` | +| extraConfigMaps | ConfigMaps to add to mounted volumes | `[]` | +| extraSecrets | Secrets to add to mounted volumes | `[]` | +| nameOverride | Replaces "kong" in resource names, like "RELEASENAME-nameOverride" instead of "RELEASENAME-kong" | `""` | +| fullnameOverride | Overrides the entire resource name string | `""` | +| extraObjects | Create additional k8s resources | `[]` | +**Note:** If you are using `deployment.hostNetwork` to bind to lower ports ( < 1024), which may be the desired option (ports 80 and 433), you also +need to tweak the `containerSecurityContext` configuration as in the example: + +```yaml +containerSecurityContext: # run as root to bind to lower ports + capabilities: + add: [NET_BIND_SERVICE] + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 +``` + +**Note:** The default `podAnnotations` values disable inbound proxying for Kuma +and Istio. This is appropriate when using Kong as a gateway for external +traffic inbound into the cluster. + +If you want to use Kong as an internal proxy within the cluster network, you +should enable inbound the inbound mesh proxies: + +```yaml +# Enable inbound mesh proxying for Kuma and Istio +podAnnotations: + kuma.io/gateway: disabled + traffic.sidecar.istio.io/includeInboundPorts: "*" +``` + +#### The `env` section + +The `env` section can be used to configured all properties of Kong. +Any key value put under this section translates to environment variables +used to control Kong's configuration. Every key is prefixed with `KONG_` +and upper-cased before setting the environment variable. + +Furthermore, all `kong.env` parameters can also accept a mapping instead of a +value to ensure the parameters can be set through configmaps and secrets. + +An example: + +```yaml +kong: + env: # load PG password from a secret dynamically + pg_user: kong + pg_password: + valueFrom: + secretKeyRef: + key: kong + name: postgres + nginx_worker_processes: "2" +``` + +For complete list of Kong configurations please check the +[Kong configuration docs](https://docs.konghq.com/latest/configuration). + +> **Tip**: You can use the default [values.yaml](values.yaml) + +#### The `customEnv` section + +The `customEnv` section can be used to configure all custom properties of other than Kong. +Any key value put under this section translates to environment variables +that can be used in Kong's plugin configurations. Every key is upper-cased before setting the environment variable. + +An example: + +```yaml +kong: + customEnv: + api_token: + valueFrom: + secretKeyRef: + key: token + name: api_key + client_name: testClient +``` + +#### The `extraLabels` section + +The `extraLabels` section can be used to configure some extra labels that will be added to each Kubernetes object generated. + +For example, you can add the `acme.com/some-key: some-value` label to each Kubernetes object by putting the following in your Helm values: + +```yaml +extraLabels: + acme.com/some-key: some-value +``` + +## Kong Enterprise Parameters + +### Overview + +Kong Enterprise requires some additional configuration not needed when using +Kong Open-Source. To use Kong Enterprise, at the minimum, +you need to do the following: + +- Set `enterprise.enabled` to `true` in `values.yaml` file. +- Update values.yaml to use a Kong Enterprise image. +- Satisfy the two prerequisites below for Enterprise License and + Enterprise Docker Registry. +- (Optional) [set a `password` environment variable](#rbac) to create the + initial super-admin. Though not required, this is recommended for users that + wish to use RBAC, as it cannot be done after initial setup. + +Once you have these set, it is possible to install Kong Enterprise, +but please make sure to review the below sections for other settings that +you should consider configuring before installing Kong. + +Some of the more important configuration is grouped in sections +under the `.enterprise` key in values.yaml, though most enterprise-specific +configuration can be placed under the `.env` key. + +### Prerequisites + +#### Kong Enterprise License + +Kong Enterprise 2.3+ can run with or without a license. If you wish to run 2.3+ +without a license, you can skip this step and leave `enterprise.license_secret` +unset. In this case only a limited subset of features will be available. +Earlier versions require a license. + +If you have paid for a license, but you do not have a copy of yours, please +contact Kong Support. Once you have it, you will need to store it in a Secret: + +```bash +kubectl create secret generic kong-enterprise-license --from-file=license=./license.json +``` + +Set the secret name in `values.yaml`, in the `.enterprise.license_secret` key. +Please ensure the above secret is created in the same namespace in which +Kong is going to be deployed. + +#### Kong Enterprise Docker registry access + +Kong Enterprise versions 2.2 and earlier use a private Docker registry and +require a pull secret. **If you use 2.3 or newer, you can skip this step.** + +You should have received credentials to log into docker hub after +purchasing Kong Enterprise. After logging in, you can retrieve your API key +from \ \> Edit Profile \> API Key. Use this to create registry +secrets: + +```bash +kubectl create secret docker-registry kong-enterprise-edition-docker \ + --docker-server=hub.docker.io \ + --docker-username= \ + --docker-password= +secret/kong-enterprise-edition-docker created +``` + +Set the secret names in `values.yaml` in the `image.pullSecrets` section. +Again, please ensure the above secret is created in the same namespace in which +Kong is going to be deployed. + +### Service location hints + +Kong Enterprise add two GUIs, Kong Manager and the Kong Developer Portal, that +must know where other Kong services (namely the admin and files APIs) can be +accessed in order to function properly. Kong's default behavior for attempting +to locate these absent configuration is unlikely to work in common Kubernetes +environments. Because of this, you should set each of `admin_gui_url`, +`admin_gui_api_url`, `proxy_url`, `portal_api_url`, `portal_gui_host`, and +`portal_gui_protocol` under the `.env` key in values.yaml to locations where +each of their respective services can be accessed to ensure that Kong services +can locate one another and properly set CORS headers. See the +[Property Reference documentation](https://docs.konghq.com/enterprise/latest/property-reference/) +for more details on these settings. + +### RBAC + +You can create a default RBAC superuser when initially running `helm install` +by setting a `password` environment variable under `env` in values.yaml. It +should be a reference to a secret key containing your desired password. This +will create a `kong_admin` admin whose token and basic-auth password match the +value in the secret. For example: + +```yaml +env: + password: + valueFrom: + secretKeyRef: + name: kong-enterprise-superuser-password + key: password +``` + +If using the ingress controller, it needs access to the token as well, by +specifying `kong_admin_token` in its environment variables: + +```yaml +ingressController: + env: + kong_admin_token: + valueFrom: + secretKeyRef: + name: kong-enterprise-superuser-password + key: password +``` + +Although the above examples both use the initial super-admin, we recommend +[creating a less-privileged RBAC user](https://docs.konghq.com/enterprise/latest/kong-manager/administration/rbac/add-user/) +for the controller after installing. It needs at least workspace admin +privileges in its workspace (`default` by default, settable by adding a +`workspace` variable under `ingressController.env`). Once you create the +controller user, add its token to a secret and update your `kong_admin_token` +variable to use it. Remove the `password` variable from Kong's environment +variables and the secret containing the super-admin token after. + +### Sessions + +Login sessions for Kong Manager and the Developer Portal make use of +[the Kong Sessions plugin](https://docs.konghq.com/enterprise/latest/kong-manager/authentication/sessions). +When configured via values.yaml, their configuration must be stored in Secrets, +as it contains an HMAC key. + +Kong Manager's session configuration must be configured via values.yaml, +whereas this is optional for the Developer Portal on versions 0.36+. Providing +Portal session configuration in values.yaml provides the default session +configuration, which can be overridden on a per-workspace basis. + +```bash +cat admin_gui_session_conf +``` + +```json +{"cookie_name":"admin_session","cookie_samesite":"off","secret":"admin-secret-CHANGEME","cookie_secure":true,"storage":"kong"} +``` + +```bash +cat portal_session_conf +``` + +```json +{"cookie_name":"portal_session","cookie_samesite":"off","secret":"portal-secret-CHANGEME","cookie_secure":true,"storage":"kong"} +``` + +```bash +kubectl create secret generic kong-session-config --from-file=admin_gui_session_conf --from-file=portal_session_conf +``` + +```bash +secret/kong-session-config created +``` + +The exact plugin settings may vary in your environment. The `secret` should +always be changed for both configurations. + +After creating your secret, set its name in values.yaml in +`.enterprise.rbac.session_conf_secret`. If you create a Portal configuration, +add it at `env.portal_session_conf` using a secretKeyRef. + +### Email/SMTP + +Email is used to send invitations for +[Kong Admins](https://docs.konghq.com/enterprise/latest/kong-manager/networking/email) +and [Developers](https://docs.konghq.com/enterprise/latest/developer-portal/configuration/smtp). + +Email invitations rely on setting a number of SMTP settings at once. For +convenience, these are grouped under the `.enterprise.smtp` key in values.yaml. +Setting `.enterprise.smtp.disabled: true` will set `KONG_SMTP_MOCK=on` and +allow Admin/Developer invites to proceed without sending email. Note, however, +that these have limited functionality without sending email. + +If your SMTP server requires authentication, you must provide the `username` +and `smtp_password_secret` keys under `.enterprise.smtp.auth`. +`smtp_password_secret` must be a Secret containing an `smtp_password` key whose +value is your SMTP password. + +By default, SMTP uses `AUTH` `PLAIN` when you provide credentials. If your provider requires `AUTH LOGIN`, set `smtp_auth_type: login`. + +## Prometheus Operator integration + +The chart can configure a ServiceMonitor resource to instruct the [Prometheus +Operator](https://github.com/prometheus-operator/prometheus-operator) to +collect metrics from Kong Pods. To enable this, set +`serviceMonitor.enabled=true` in `values.yaml`. + +Kong exposes memory usage and connection counts by default. You can enable +traffic metrics for routes and services by configuring the [Prometheus +plugin](https://docs.konghq.com/hub/kong-inc/prometheus/). + +The ServiceMonitor requires an `enable-metrics: "true"` label on one of the +chart's Services to collect data. By default, this label is set on the proxy +Service. It should only be set on a single chart Service to avoid duplicate +data. If you disable the proxy Service (e.g. on a hybrid control plane instance +or Portal-only instance) and still wish to collect memory usage metrics, add +this label to another Service, e.g. on the admin API Service: + +``` +admin: + labels: + enable-metrics: "true" +``` + +## Argo CD Considerations + +The built-in database subchart (`postgresql.enabled` in values) is not +supported when installing the chart via Argo CD. + +Argo CD does not support the full Helm lifecycle. There is no distinction +between the initial install and upgrades. Both operations are a "sync" in Argo +terms. This affects when migration Jobs execute in database-backed Kong +installs. + +The chart sets the `Sync` and `BeforeHookCreation` deletion +[hook policies](https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks/) +on the `init-migrations` and `pre-upgrade-migrations` Jobs. + +The `pre-upgrade-migrations` Job normally uses Helm's `pre-upgrade` policy. Argo +translates this to its `PreSync` policy, which would create the Job before all +sync phase resources. Doing this before various sync phase resources (such as +the ServiceAccount) are in place would prevent the Job from running +successfully. Overriding this with Argo's `Sync` policy starts the Job at the +same time as the upgraded Deployment Pods. The new Pods may fail to start +temporarily, but will eventually start normally once migrations complete. + +## Seeking help + +If you run into an issue, bug or have a question, please reach out to the Kong +community via [Kong Nation](https://discuss.konghq.com). +Please do not open issues in [this](https://github.com/helm/charts) repository +as the maintainers will not be notified and won't respond. diff --git a/charts/kong/kong/2.41.0/UPGRADE.md b/charts/kong/kong/2.41.0/UPGRADE.md new file mode 100644 index 000000000..893527759 --- /dev/null +++ b/charts/kong/kong/2.41.0/UPGRADE.md @@ -0,0 +1,807 @@ +# Upgrade considerations + +New versions of the Kong chart may add significant new functionality or +deprecate/entirely remove old functionality. This document covers how and why +users should update their chart configuration to take advantage of new features +or migrate away from deprecated features. + +In general, breaking changes deprecate their old features before removing them +entirely. While support for the old functionality remains, the chart will show +a warning about the outdated configuration when running `helm +install/status/upgrade`. + +Note that not all versions contain breaking changes. If a version is not +present in the table of contents, it requires no version-specific changes when +upgrading from a previous version. + +## Table of contents + +- [Upgrade considerations for all versions](#upgrade-considerations-for-all-versions) +- [2.26.0](#2260) +- [2.19.0](#2190) +- [2.13.0](#2130) +- [2.8.0](#280) +- [2.7.0](#270) +- [2.4.0](#240) +- [2.3.0](#230) +- [2.2.0](#220) +- [2.1.0](#210) +- [2.0.0](#200) +- [1.14.0](#1140) +- [1.11.0](#1110) +- [1.10.0](#1100) +- [1.9.0](#190) +- [1.6.0](#160) +- [1.5.0](#150) +- [1.4.0](#140) +- [1.3.0](#130) + +## Upgrade considerations for all versions + +The chart automates the +[upgrade migration process](https://github.com/Kong/kong/blob/master/UPGRADE.md). +When running `helm upgrade`, the chart spawns an initial job to run `kong +migrations up` and then spawns new Kong pods with the updated version. Once +these pods become ready, they begin processing traffic and old pods are +terminated. Once this is complete, the chart spawns another job to run `kong +migrations finish`. + +If you split your Kong deployment across multiple Helm releases (to create +proxy-only and admin-only nodes, for example), you must +[set which migration jobs run based on your upgrade order](https://github.com/Kong/charts/blob/main/charts/kong/README.md#separate-admin-and-proxy-nodes). +However, this does not apply to hybrid mode, which can run both migrations but +requires [upgrading the control plane version +first](https://docs.konghq.com/gateway/latest/plan-and-deploy/hybrid-mode/#version-compatibility). + +While the migrations themselves are automated, the chart does not automatically +ensure that you follow the recommended upgrade path. If you are upgrading from +more than one minor Kong version back, check the [upgrade path +recommendations for Kong open source](https://github.com/Kong/kong/blob/master/UPGRADE.md#3-suggested-upgrade-path) +or [Kong Enterprise](https://docs.konghq.com/enterprise/latest/deployment/migrations/). + +Although not required, users should upgrade their chart version and Kong +version indepedently. In the even of any issues, this will help clarify whether +the issue stems from changes in Kubernetes resources or changes in Kong. + +Users may encounter an error when upgrading which displays a large block of +text ending with `field is immutable`. This is typically due to a bug with the +`init-migrations` job, which was not removed automatically prior to 1.5.0. +If you encounter this error, deleting any existing `init-migrations` jobs will +clear it. + +### Updates to CRDs + +Helm installs CRDs at initial install but [does not update them +after](https://github.com/helm/community/blob/main/hips/hip-0011.md). Some +chart releases include updates to CRDs that must be applied to successfully +upgrade. Because Helm does not handle these updates, you must manually apply +them before upgrading your release. + +``` kubectl apply -f +https://raw.githubusercontent.com/Kong/charts/kong-/charts/kong/crds/custom-resource-definitions.yaml +``` + +For example, if your release is 2.6.4, you would apply +`https://raw.githubusercontent.com/Kong/charts/kong-2.6.4/charts/kong/crds/custom-resource-definitions.yaml`. + +## 2.26.0 + +If you are using controller version 2.10 or lower and proxy version 3.3 or +higher in separate Deployments (such as when using the `ingress` chart), proxy +Pods will not become ready unless you override the default readiness endpoint: + +``` +readinessProbe: + httpGet: + path: /status +``` + +This section goes under the `gateway` section when using the `ingress` chart. + +2.26 changes the default proxy readiness endpoint to the `/status/ready` +endpoint introduced in Kong 3.3. This endpoint reports true when Kong has +configuration available, whereas the previous `/status` endpoint returned true +immediately after start, and could result in proxy instances attempting to +serve requests before they had configuration. + +The chart has logic to fall back to the older endpoint if the proxy and +controller versions do not work well with the new endpoint. However, the chart +detection cannot determine the controller version when the controller is in a +separate Deployment, and will always use the new endpoint if the Kong image +version is 3.3 or higher. + +Kong recommends Kong 3.3 and higher users update to controller 2.11 at their +earliest convenience to take advantage of the improved readiness behavior. + +## 2.19.0 + +2.19 sets a default [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/) +that declares a read-only root filesystem for Kong containers. The base Kong and KIC +images are compatible with this setting. The chart mounts temporary writeable +emptyDir filesystems for locations that require writeable files (`/tmp` and +`/kong_prefix/`). + +This setting limit attack surface and should be compatible with most +installations. However, if you use custom plugins that write to disk, you must +either mount a writeable emptyDir for them or override the new defaults by +setting: + +``` +containerSecurityContext: + readOnlyRootFilesystem: false +``` + +in your values.yaml. + +## 2.13.0 + +2.13.0 includes updated CRDs. You must [apply these manually](#updates-to-crds) +before upgrading an existing release. + +2.13 changes the default Kong tag to 3.0 and the default KIC tag to 2.6. We +recommend that you set these versions (`image.tag` and +`ingressController.image.tag`) in your values.yaml to allow updating the chart +without also updating the container versions. If you do update to these +container image versions, you should first review the Kong 3.0 breaking changes +(see the [open +source](https://github.com/Kong/kong/blob/master/CHANGELOG.md#300) and +[Enterprise](https://docs.konghq.com/gateway/changelog/#3000) Kong changelogs) +and the [ingress controller upgrade guide for Kong +3.x](https://docs.konghq.com/kubernetes-ingress-controller/2.6.x/guides/upgrade-kong-3x). + +Kong 3.0 requires KIC version 2.6 at minimum. It will not work with any +previous versions. Changes to regular expression paths in Kong 3.x furthermore +require changes to Ingresses that use regular expression paths in rules. + +## 2.8.0 + +### IngressClass controller name change requires manual delete + +2.8 updates the chart-managed IngressClass's controller name to match the +controller name used elsewhere in Kong's documenation. Controller names are +immutable, so Helm cannot actually update existing IngressClass resources. + +Prior to your upgrade, you must delete the existing IngressClass. Helm will +create a new IngressClass with the new controller name during the upgrade: + +``` +kubectl delete ingressclass +helm upgrade RELEASE_NAME kong/kong ... +``` + +Removing the IngressClass will not affect configuration: the controller +IngressClass implementation is still in progress, and it will still ingest +resources whose `ingress.class` annotation or `ingressClassName` value matches +the the `CONTROLLER_INGRESS_CLASS` value in the controller environment even if +no matching IngressClass exists. + +### Postgres subchart version update + +2.8 updates the Postgres subchart version from 8.6.8 to 11.1.15. This changes +a number of values.yaml keys and the default Postgres version. The previous +default Postgres version was [11.7.0-debian-10-r37](https://github.com/bitnami/charts/blob/590c6b0f4e07161614453b12efe71f22e0c00a46/bitnami/postgresql/values.yaml#L18). + +To use the new version on an existing install, you should [follow Bitnami's +instructions for updating values.yaml keys and upgrading their chart]() as well +as [the Postgres upgrade instructions](https://www.postgresql.org/docs/current/upgrading.html). + +You can alternately use the new chart without upgrading Postgres by setting +`postgresql.image.tag=11.7.0-debian-10-r37` or use the old version of the +chart. Helm documentation is unclear on whether ignoring a subchart version +change for a release is possible, so we recommend [dumping the +database](https://www.postgresql.org/docs/current/backup-dump.html) and +creating a separate release if you wish to continue using 8.6.8: + +``` +helm install my-release -f values.yaml --version 8.6.8 bitnami/postgresql +``` + +Afterwords, you will upgrade your Kong chart release with +`postgresql.enabled=false` and `env.pg_host` and `env.pg_password` set to the +appropriate hostname and Secret reference for your new release (these are set +automatically when the subchart is enabled, but will not be set automatically +with a separate release). + +## 2.7.0 + +2.7 updates CRDs to the version released in KIC 2.1.0. Helm does not upgrade +CRDs automatically; you must `kubectl apply -f https://raw.githubusercontent.com/Kong/charts/kong-2.7.0/charts/kong/crds/custom-resource-definitions.yaml` +manually before upgrading. + +You should not apply the updated CRDs until you are prepared to upgrade to KIC +2.1 or higher, and [must have first upgraded to 2.0](https://github.com/Kong/kubernetes-ingress-controller/blob/v2.1.1/CHANGELOG.md#breaking-changes) +and applied the [previous version of the CRDs](https://raw.githubusercontent.com/Kong/charts/kong-2.6.4/charts/kong/crds/custom-resource-definitions.yaml). + +## 2.4.0 + +### Disable ingress controller prior to 2.x upgrade when using PostgreSQL + +Chart version 2.4 is the first Kong chart version that defaults to the 2.x +series of ingress controller releases. 2.x uses a different leader election +system than 1.x. If both versions are running simultaneously, both controller +versions will attempt to interact with the admin API, potentially setting +inconsistent configuration in the database when PostgreSQL is the backend. + +If you are configured with the following: + +- ingressController.enabled=true +- postgresql.enabled=true + +and do not override the ingress controller version, you must perform the +upgrade in multiple steps: + +First, pin the controller version and upgrade to chart 2.4.0: + +```console +helm upgrade --wait \ + --set ingressController.image.tag= \ + --version 2.4.0 \ + --namespace \ + kong/kong +``` + +Second, temporarily disable the ingress controller: + +```console +helm upgrade --wait \ + --set ingressController.enabled=false \ + --set deployment.serviceaccount.create=true \ + --version 2.4.0 \ + --namespace \ + kong/kong +``` + +Finally, re-enable the ingress controller at the new version: + +```console +helm upgrade --wait \ + --set ingressController.enabled=true \ + --set ingressController.image.tag= \ + --version 2.4.0 \ + --namespace \ + kong/kong +``` + +While the controller is disabled, changes to Kubernetes configuration (Ingress +resources, KongPlugin resources, Service Endpoints, etc.) will not update Kong +proxy configuration. We recommend you establish an active maintenance window +under which to perform this upgrade and inform users and stakeholders so as to +avoid unexpected disruption. + +### Changed ServiceAccount configuration location + +2.4.0 moved ServiceAccount configuration from +`ingressController.serviceAccount` to `deployment.serviceAccount` to accomodate +configurations that required a ServiceAccount but did not use the controller. + +The chart now creates a ServiceAccount by default. When enabled, upgrade +migration hooks require the ServiceAccount, but Helm will not create it before +the hooks run, and the migration jobs will fail. To avoid this, first perform +an initial chart upgrade that does not update the Kong image version and sets +`migrations.preUpgrade=false` and `migrations.postUpgrade=false`. This will +create the account for future upgrades, and you can re-enable migrations and +upgrade your Kong version after. + +If you disable ServiceAccount or override its name, you must move your +configuration under `deployment.serviceAccount`. The chart will warn you if it +detects non-default configuration in the original location when you upgrade. +You can use `helm upgrade --dry-run` to see if you are affected before actually +upgrading. + +## 2.3.0 + +### Updated CRDs and CRD API version + +2.3.0 adds new and updated CRDs for KIC 2.x. These CRDs are compatible with +KIC 1.x also. The CRD API version is now v1, replacing the deprecated v1beta1, +to support Kubernetes 1.22 and onward. API version v1 requires Kubernetes 1.16 +and newer. + +Helm 2-style CRD management will upgrade CRDs automatically. You can check to +see if you are using Helm 2-style management by running: + +``` +kubectl get crd kongconsumers.configuration.konghq.com -o yaml | grep "meta.helm.sh/release-name" +``` + +If you see output, you are using Helm 2-style CRD management. + +Helm 3-style CRD management (the default) does not upgrade CRDs automatically. +You must apply the changes manually by running: + +``` +kubectl apply -f https://raw.githubusercontent.com/Kong/charts/kong-2.2.0/charts/kong/crds/custom-resource-definitions.yaml +``` + +Although not recommended, you can remain on an older Kubernetes version and not +upgrade your CRDs if you are using Helm 3-style CRD management. However, you +will not be able to run KIC 2.x, and these configurations are considered +unsupported. + +### Ingress controller feature detection + +2.3.0 includes some features that are enabled by default, but require KIC 2.x. +KIC 2.x is not yet the default ingress controller version because there are +currently only preview releases for it. To maintain compatibility with KIC 1.x, +the chart automatically detects the KIC image version and disables incompatible +features. This feature detection requires a semver image tag, and the chart +cannot render successfully if the image tag is not semver-compliant. + +Standard KIC images do use semver-compliant tags, and you do not need to make +any configuration changes if you use one. If you use a non-semver tag, such as +`next`, you must set the new `ingressController.image.effectiveSemver` field to +your approximate semver version. For example, if your `next` tag is for an +unreleased `2.1.0` KIC version, you should set `effectiveSemver: 2.1.0`. + +## 2.2.0 + +### Changes to pod disruption budget defaults + +Prior to 2.2.0, the default values.yaml included +`podDisruptionBudget.maxUnavailable: 50%`. This prevented setting +`podDisruptionBudget.minUnavailable` at all. To allow use of +`podDisruptionBudget.minUnavailable`, we have removed the +`podDisruptionBudget.maxUnavailable` default. If you previously relied on this +default (you set `podDisruptionBudget.enabled: true` but did not set +`podDisruptionBudget.maxUnavailable`), you now must explicitly set +`podDisruptionBudget.maxUnavailable: 50%` in your values.yaml. + +## 2.1.0 + +### Migration off Bintray + +Bintray, the Docker registry previously used for several images used by this +chart, is [sunsetting May 1, +2021](https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/). + +The chart default `values.yaml` now uses the new Docker Hub repositories for all +affected images. You should check your release `values.yaml` files to confirm that +they do not still reference Bintray repositories. If they do, update them to +use the Docker Hub repositories now in the default `values.yaml`. + +## 2.0.0 + +### Support for Helm 2 dropped + +2.0.0 takes advantage of template functionality that is only available in Helm +3 and reworks values defaults to target Helm 3 CRD handling, and requires Helm +3 as such. If you are not already using Helm 3, you must migrate to it before +updating to 2.0.0 or later: + +https://helm.sh/docs/topics/v2_v3_migration/ + +If desired, you can migrate your Kong chart releases without migrating charts' +releases. + +### Support for deprecated 1.x features removed + +Several previous 1.x chart releases reworked sections of values.yaml while +maintaining support for the older version of those settings. 2.x drops support +for the older versions of these settings entirely: + +* [Portal auth settings](#removal-of-dedicated-portal-authentication-configuration-parameters) +* [The `runMigrations` setting](#changes-to-migration-job-configuration) +* [Single-stack admin API Service configuration](#changes-to-kong-service-configuration) +* [Multi-host proxy configuration](#removal-of-multi-host-proxy-ingress) + +Each deprecated setting is accompanied by a warning that appears at the end of +`helm upgrade` output on a 1.x release: + +``` +WARNING: You are currently using legacy ... +``` + +If you do not see any such warnings when upgrading a release using chart +1.15.0, you are not using deprecated configuration and are ready to upgrade to +2.0.0. If you do see these warnings, follow the linked instructions to migrate +to the current settings format. + +## 1.14.0 + +### Removal of multi-host proxy Ingress + +Most of the chart's Ingress templates support a single hostname and TLS Secret. +The proxy Ingress template originally differed, and allowed multiple hostnames +and TLS configurations. As of chart 1.14.0, we have deprecated the unique proxy +Ingress configuration; it is now identical to all other Kong services. If you +do not need to configure multiple Ingress rules for your proxy, you will +change: + +```yaml +ingress: + hosts: ["proxy.kong.example"] + tls: + - hosts: + - proxy.kong.example + secretName: example-tls-secret + path: / +``` +to: + +```yaml +ingress: + tls: example-tls-secret + hostname: proxy.kong.example + path: / +``` +We plan to remove support for the multi-host configuration entirely in version +2.0 of the chart. If you currently use multiple hosts, we recommend that you +either: +- Define Ingresses for each application, e.g. if you proxy applicationA at + `foo.kong.example` and applicationB at `bar.kong.example`, you deploy those + applications with their own Ingress resources that target the proxy. +- Define a multi-host Ingress manually. Before upgrading, save your current + proxy Ingress, delete labels from the saved copy, and set + `proxy.ingress.enabled=false`. After upgrading, create your Ingress from the + saved copy and edit it directly to add new rules. + +We expect that most users do not need a built-in multi-host proxy Ingress or +even a proxy Ingress at all: the old configuration predates the Kong Ingress +Controller and is most useful if you place Kong behind some other controller. +If you are interested in preserving this functionality, please [discuss your +use case with us](https://github.com/Kong/charts/issues/73). If there is +sufficient interest, we will explore options for continuing to support the +original proxy Ingress configuration format. + +### Default custom server block replaced with status listen + +Earlier versions of the chart included [a custom server block](https://github.com/Kong/charts/blob/kong-1.13.0/charts/kong/templates/config-custom-server-blocks.yaml) +to provide `/status` and `/metrics` endpoints. This server block simplified +RBAC-enabled Enterprise deployments by providing access to these endpoints +outside the (protected) admin API. + +Current versions (Kong 1.4.0+ and Kong Enterprise 1.5.0+) have a built-in +status listen that provides the same functionality, and chart 1.14.0 uses it +for readiness/liveness probes and the Prometheus service monitor. + +If you are using a version that supports the new status endpoint, you do not +need to make any changes to your values unless you include `readinessProbe` and +`livenessProbe` in them. If you do, you must change the port from `metrics` to +`status`. + +If you are using an older version that does not support the status listen, you +will need to: +- Create the server block ConfigMap independent of the chart. You will need to + set the ConfigMap name and namespace manually and remove the labels block. +- Add an `extraConfigMaps` values entry for your ConfigMap. +- Set `env.nginx_http_include` to `/path/to/your/mount/servers.conf`. +- Add the [old readiness/liveness probe blocks](https://github.com/Kong/charts/blob/kong-1.13.0/charts/kong/values.yaml#L437-L458) + to your values.yaml. +- If you use the Prometheus service monitor, edit it after installing the chart + and set `targetPort` to `9542`. This cannot be set from values.yaml, but Helm + 3 will preserve the change on subsequent upgrades. + +## 1.11.0 + +### `KongCredential` custom resources no longer supported + +1.11.0 updates the default Kong Ingress Controller version to 1.0. Controller +1.0 removes support for the deprecated KongCredential resource. Before +upgrading to chart 1.11.0, you must convert existing KongCredential resources +to [credential Secrets](https://github.com/Kong/kubernetes-ingress-controller/blob/next/docs/guides/using-consumer-credential-resource.md#provision-a-consumer). + +Custom resource management varies depending on your exact chart configuration. +By default, Helm 3 only creates CRDs in the `crds` directory if they are not +already present, and does not modify or remove them after. If you use this +management method, you should create a manifest file that contains [only the +KongCredential CRD](https://github.com/Kong/charts/blob/kong-1.10.0/charts/kong/crds/custom-resource-definitions.yaml#L35-L68) +and then [delete it](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#delete-a-customresourcedefinition). + +Helm 2 and Helm 3 both allow managing CRDs via the chart. In Helm 2, this is +required; in Helm 3, it is optional. When using this method, only a single +release will actually manage the CRD. Check to see which release has +`ingressController.installCRDs: true` to determine which does so if you have +multiple releases. When using this management method, upgrading a release to +chart 1.11.0 will delete the KongCredential CRD during the upgrade, which will +_delete any existing KongCredential resources_. To avoid losing configuration, +check to see if your CRD is managed: + +``` +kubectl get crd kongcredentials.configuration.konghq.com -o yaml | grep "app.kubernetes.io/managed-by: Helm" +``` + +If that command returns output, your CRD is managed and you must convert to +credential Secrets before upgrading (you should do so regardless, but are not +at risk of losing data, and can downgrade to an older chart version if you have +issues). + +### Changes to CRDs + +Controller 1.0 [introduces a status field](https://github.com/Kong/kubernetes-ingress-controller/blob/main/CHANGELOG.md#added) +for its custom resources. By default, Helm 3 does not apply updates to custom +resource definitions if those definitions are already present on the Kubernetes +API server (and they will be if you are upgrading a release from a previous +chart version). To update your custom resources: + +``` +kubectl apply -f https://raw.githubusercontent.com/Kong/charts/main/charts/kong/crds/custom-resource-definitions.yaml +``` + +### Deprecated controller flags/environment variables and annotations removed + +Kong Ingress Controller 0.x versions had a number of deprecated +flags/environment variables and annotations. Version 1.0 removes support for +these, and you must update your configuration to use their modern equivalents +before upgrading to chart 1.11.0. + +The [controller changelog](https://github.com/Kong/kubernetes-ingress-controller/blob/master/CHANGELOG.md#breaking-changes) +provides links to lists of deprecated configuration and their replacements. + +## 1.10.0 + +### `KongClusterPlugin` replaces global `KongPlugin`s + +Kong Ingress Controller 0.10.0 no longer supports `KongPlugin`s with a `global: true` label. See the [KIC changelog for 0.10.0](https://github.com/Kong/kubernetes-ingress-controller/blob/main/CHANGELOG.md#0100---20200915) for migration hints. + +### Dropping support for resources not specifying an ingress class + +Kong Ingress Controller 0.10.0 drops support for certain kinds of resources without a `kubernetes.io/ingress.class` annotation. See the [KIC changelog for 0.10.0](https://github.com/Kong/kubernetes-ingress-controller/blob/main/CHANGELOG.md#0100---20200915) for the exact list of those kinds, and for possible migration paths. + +## 1.9.0 + +### New image for Enterprise controller-managed DB-less deployments + +As of Kong Enterprise 2.1.3.0, there is no longer a separate image +(`kong-enterprise-k8s`) for controller-managed DB-less deployments. All Kong +Enterprise deployments now use the `kong-enterprise-edition` image. + +Existing users of the `kong-enterprise-k8s` image can use the latest +`kong-enterprise-edition` image as a drop-in replacement for the +`kong-enterprise-k8s` image. You will also need to [create a Docker registry +secret](https://github.com/Kong/charts/blob/main/charts/kong/README.md#kong-enterprise-docker-registry-access) +for the `kong-enterprise-edition` registry and add it to `image.pullSecrets` in +values.yaml if you do not have one already. + +### Changes to wait-for-postgres image + +Prior to 1.9.0, the chart launched a busybox initContainer for migration Pods +to check Postgres' reachability [using +netcat](https://github.com/Kong/charts/blob/kong-1.8.0/charts/kong/templates/_helpers.tpl#L626). + +As of 1.9.0, the chart uses a [bash +script](https://github.com/Kong/charts/blob/kong-1.9.0/charts/kong/templates/wait-for-postgres-script.yaml) +to perform the same connectivity check. The default `waitImage.repository` +value is now `bash` rather than `busybox`. Double-check your values.yaml to +confirm that you do not set `waitImage.repository` and `waitImage.tag` to the +old defaults: if you do, remove that configuration before upgrading. + +The Helm upgrade cycle requires this script be available for upgrade jobs. On +existing installations, you must first perform an initial `helm upgrade --set +migrations.preUpgrade=false --migrations.postUpgrade=false` to chart 1.9.0. +Perform this initial upgrade without making changes to your Kong image version: +if you are upgrading Kong along with the chart, perform a separate upgrade +after with the migration jobs re-enabled. + +If you do not override `waitImage.repository` in your releases, you do not need +to make any other configuration changes when upgrading to 1.9.0. + +If you do override `waitImage.repository` to use a custom image, you must +switch to a custom image that provides a `bash` executable. Note that busybox +images, or images derived from it, do _not_ include a `bash` executable. We +recommend switching to an image derived from the public bash Docker image or a +base operating system image that provides a `bash` executable. + +## 1.6.0 + +### Changes to Custom Resource Definitions + +The KongPlugin and KongClusterPlugin resources have changed. Helm 3's CRD +management system does not modify CRDs during `helm upgrade`, and these must be +updated manually: + +``` +kubectl apply -f https://raw.githubusercontent.com/Kong/charts/kong-1.6.0/charts/kong/crds/custom-resource-definitions.yaml +``` + +Existing plugin resources do not require changes; the CRD update only adds new +fields. + +### Removal of default security context UID setting + +Versions of Kong prior to 2.0 and Kong Enterprise prior to 1.3 use Docker +images that required setting a UID via Kubernetes in some environments +(primarily OpenShift). This is no longer necessary with modern Docker images +and can cause issues depending on other environment settings, so it was +removed. + +Most users should not need to take any action, but if you encounter permissions +errors when upgrading (`kubectl describe pod PODNAME` should contain any), you +can restore it by adding the following to your values.yaml: + +``` +securityContext: + runAsUser: 1000 +``` + +## 1.5.0 + +### PodSecurityPolicy defaults to read-only root filesystem + +1.5.0 defaults to using a read-only root container filesystem if +`podSecurityPolicy.enabled: true` is set in values.yaml. This improves +security, but is incompatible with Kong Enterprise versions prior to 1.5. If +you use an older version and enable PodSecurityPolicy, you must set +`podSecurityPolicy.spec.readOnlyRootFilesystem: false`. + +Kong open-source and Kong for Kubernetes Enterprise are compatible with a +read-only root filesystem on all versions. + +### Changes to migration job configuration + +Previously, all migration jobs were enabled/disabled through a single +`runMigrations` setting. 1.5.0 splits these into toggles for each of the +individual upgrade migrations: + +``` +migrations: + preUpgrade: true + postUpgrade: true +``` + +Initial migration jobs are now only run during `helm install` and are deleted +automatically when users first run `helm upgrade`. + +Users should replace `runMigrations` with the above block from the latest +values.yaml. + +The new format addresses several needs: +* The initial migrations job are only created during the initial install, + preventing [conflicts on upgrades](https://github.com/Kong/charts/blob/main/charts/kong/FAQs.md#running-helm-upgrade-fails-because-of-old-init-migrations-job). +* The upgrade migrations jobs can be disabled as need for managing + [multi-release clusters](https://github.com/Kong/charts/blob/main/charts/kong/README.md#separate-admin-and-proxy-nodes). + This enables management of clusters that have nodes with different roles, + e.g. nodes that only run the proxy and nodes that only run the admin API. +* Migration jobs now allow specifying annotations, and provide a default set + of annotations that disable some service mesh sidecars. Because sidecar + containers do not terminate, they [prevent the jobs from completing](https://github.com/kubernetes/kubernetes/issues/25908). + +## 1.4.0 + +### Changes to default Postgres permissions + +The [Postgres sub-chart](https://github.com/bitnami/charts/tree/master/bitnami/postgresql) +used by this chart has modified the way their chart handles file permissions. +This is not an issue for new installations, but prevents Postgres from starting +if its PVC was created with an older version. If affected, your Postgres pod +logs will show: + +``` +postgresql 19:16:04.03 INFO ==> ** Starting PostgreSQL ** +2020-03-27 19:16:04.053 GMT [1] FATAL: data directory "/bitnami/postgresql/data" has group or world access +2020-03-27 19:16:04.053 GMT [1] DETAIL: Permissions should be u=rwx (0700). +``` + +You can restore the old permission handling behavior by adding two settings to +the `postgresql` block in values.yaml: + +```yaml +postgresql: + enabled: true + postgresqlDataDir: /bitnami/postgresql/data + volumePermissions: + enabled: true +``` + +For background, see https://github.com/helm/charts/issues/13651 + +### `strip_path` now defaults to `false` for controller-managed routes + +1.4.0 defaults to version 0.8 of the ingress controller, which changes the +default value of the `strip_path` route setting from `true` to `false`. To +understand how this works in practice, compare the upstream path for these +requests when `strip_path` is toggled: + +| Ingress path | `strip_path` | Request path | Upstream path | +|--------------|--------------|--------------|---------------| +| /foo/bar | true | /foo/bar/baz | /baz | +| /foo/bar | false | /foo/bar/baz | /foo/bar/baz | + +This change brings the controller in line with the Kubernetes Ingress +specification, which expects that controllers will not modify the request +before passing it upstream unless explicitly configured to do so. + +To preserve your existing route handling, you should add this annotation to +your ingress resources: + +``` +konghq.com/strip-path: "true" +``` + +This is a new annotation that is equivalent to the `route.strip_path` setting +in KongIngress resources. Note that if you have already set this to `false`, +you should leave it as-is and not add an annotation to the ingress. + +### Changes to Kong service configuration + +1.4.0 reworks the templates and configuration used to generate Kong +configuration and Kuberenetes resources for Kong's services (the admin API, +proxy, Developer Portal, etc.). For the admin API, this requires breaking +changes to the configuration format in values.yaml. Prior to 1.4.0, the admin +API allowed a single listen only, which could be toggled between HTTPS and +HTTP: + +```yaml +admin: + enabled: false # create Service + useTLS: true + servicePort: 8444 + containerPort: 8444 +``` +In 1.4.0+, the admin API allows enabling or disabling the HTTP and TLS listens +independently. The equivalent of the above configuration is: + +```yaml +admin: + enabled: false # create Service + http: + enabled: false # create HTTP listen + servicePort: 8001 + containerPort: 8001 + parameters: [] + + tls: + enabled: true # create HTTPS listen + servicePort: 8444 + containerPort: 8444 + parameters: + - http2 +``` +All Kong services now support `SERVICE.enabled` parameters: these allow +disabling the creation of a Kubernetes Service resource for that Kong service, +which is useful in configurations where nodes have different roles, e.g. where +some nodes only handle proxy traffic and some only handle admin API traffic. To +disable a Kong service completely, you should also set `SERVICE.http.enabled: +false` and `SERVICE.tls.enabled: false`. Disabling creation of the Service +resource only leaves the Kong service enabled, but only accessible within its +pod. The admin API is configured with only Service creation disabled to allow +the ingress controller to access it without allowing access from other pods. + +Services now also include a new `parameters` section that allows setting +additional listen options, e.g. the `reuseport` and `backlog=16384` parameters +from the [default 2.0.0 proxy +listen](https://github.com/Kong/kong/blob/2.0.0/kong.conf.default#L186). For +compatibility with older Kong versions, the chart defaults do not enable most +of the newer parameters, only HTTP/2 support. Users of versions 1.3.0 and newer +can safely add the new parameters. + +## 1.3.0 + +### Removal of dedicated Portal authentication configuration parameters + +1.3.0 deprecates the `enterprise.portal.portal_auth` and +`enterprise.portal.session_conf_secret` settings in values.yaml in favor of +placing equivalent configuration under `env`. These settings are less important +in Kong Enterprise 0.36+, as they can both be set per workspace in Kong +Manager. + +These settings provide the default settings for Portal instances: when the +"Authentication plugin" and "Session Config" dropdowns at +https://manager.kong.example/WORKSPACE/portal/settings/ are set to "Default", +the settings from `KONG_PORTAL_AUTH` and `KONG_PORTAL_SESSION_CONF` are used. +If these environment variables are not set, the defaults are to use +`basic-auth` and `{}` (which applies the [session plugin default +configuration](https://docs.konghq.com/hub/kong-inc/session/)). + +If you set nonstandard defaults and wish to keep using these settings, or use +Kong Enterprise 0.35 (which did not provide a means to set per-workspace +session configuration) you should convert them to environment variables. For +example, if you currently have: + +```yaml +portal: + enabled: true + portal_auth: basic-auth + session_conf_secret: portal-session +``` +You should remove the `portal_auth` and `session_conf_secret` entries and +replace them with their equivalents under the `env` block: + +```yaml +env: + portal_auth: basic-auth + portal_session_conf: + valueFrom: + secretKeyRef: + name: portal-session + key: portal_session_conf +``` diff --git a/charts/kong/kong/2.41.0/app-readme.md b/charts/kong/kong/2.41.0/app-readme.md new file mode 100644 index 000000000..19d811f90 --- /dev/null +++ b/charts/kong/kong/2.41.0/app-readme.md @@ -0,0 +1,7 @@ +# Kong for Kubernetes + +[Kong](https://konghq.com) makes connecting APIs and microservices across hybrid or multi-cloud environments easier and faster than ever. We power trillions of API transactions for leading organizations globally through our end-to-end API platform. + +Kong Gateway is the world’s most popular open source API gateway, built for multi-cloud and hybrid, and optimized for microservices and distributed architectures. It is built on top of a lightweight proxy to deliver unparalleled latency, performance and scalability for all your microservice applications regardless of where they run. It allows you to exercise granular control over your traffic with Kong’s plugin architecture + +The Kong Enterprise Service Control Platform brokers an organization’s information across all services. Built on top of Kong’s battle-tested open source core, Kong Enterprise enables customers to simplify management of APIs and microservices across hybrid-cloud and multi-cloud deployments. With Kong Enterprise, customers can proactively identify anomalies and threats, automate tasks, and improve visibility across their entire organization. diff --git a/charts/kong/kong/2.41.0/charts/postgresql/.helmignore b/charts/kong/kong/2.41.0/charts/postgresql/.helmignore new file mode 100644 index 000000000..f0c131944 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/kong/kong/2.41.0/charts/postgresql/Chart.lock b/charts/kong/kong/2.41.0/charts/postgresql/Chart.lock new file mode 100644 index 000000000..123dedb6b --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: common + repository: https://charts.bitnami.com/bitnami + version: 2.0.4 +digest: sha256:ec5726c5d8f1e474cc6c9ca90c18efc35f4dbd15ccaf2df148764947d5ad6a6c +generated: "2022-10-25T14:40:27.273494162Z" diff --git a/charts/kong/kong/2.41.0/charts/postgresql/Chart.yaml b/charts/kong/kong/2.41.0/charts/postgresql/Chart.yaml new file mode 100644 index 000000000..109e6b2dd --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/Chart.yaml @@ -0,0 +1,30 @@ +annotations: + category: Database +apiVersion: v2 +appVersion: 14.5.0 +dependencies: +- name: common + repository: https://charts.bitnami.com/bitnami + tags: + - bitnami-common + version: 2.x.x +description: PostgreSQL (Postgres) is an open source object-relational database known + for reliability and data integrity. ACID-compliant, it supports foreign keys, joins, + views, triggers and stored procedures. +home: https://github.com/bitnami/charts/tree/main/bitnami/postgresql +icon: https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-220x234.png +keywords: +- postgresql +- postgres +- database +- sql +- replication +- cluster +maintainers: +- name: Bitnami + url: https://github.com/bitnami/charts +name: postgresql +sources: +- https://github.com/bitnami/containers/tree/main/bitnami/postgresql +- https://www.postgresql.org/ +version: 11.9.13 diff --git a/charts/kong/kong/2.41.0/charts/postgresql/README.md b/charts/kong/kong/2.41.0/charts/postgresql/README.md new file mode 100644 index 000000000..28eed1c57 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/README.md @@ -0,0 +1,683 @@ + + +# PostgreSQL packaged by Bitnami + +PostgreSQL (Postgres) is an open source object-relational database known for reliability and data integrity. ACID-compliant, it supports foreign keys, joins, views, triggers and stored procedures. + +[Overview of PostgreSQL](http://www.postgresql.org) + +Trademarks: This software listing is packaged by Bitnami. The respective trademarks mentioned in the offering are owned by the respective companies, and use of them does not imply any affiliation or endorsement. + +## TL;DR + +```bash +helm repo add my-repo https://charts.bitnami.com/bitnami +helm install my-release my-repo/postgresql +``` + +## Introduction + +This chart bootstraps a [PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) deployment on a [Kubernetes](https://kubernetes.io) cluster using the [Helm](https://helm.sh) package manager. + +For HA, please see [this repo](https://github.com/bitnami/charts/tree/main/bitnami/postgresql-ha) + +Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. + +## Prerequisites + +- Kubernetes 1.19+ +- Helm 3.2.0+ +- PV provisioner support in the underlying infrastructure + +## Installing the Chart + +To install the chart with the release name `my-release`: + +```bash +helm install my-release my-repo/postgresql +``` + +The command deploys PostgreSQL on the Kubernetes cluster in the default configuration. The [Parameters](#parameters) section lists the parameters that can be configured during installation. + +> **Tip**: List all releases using `helm list` + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```console +helm delete my-release +``` + +The command removes all the Kubernetes components but PVC's associated with the chart and deletes the release. + +To delete the PVC's associated with `my-release`: + +```bash +kubectl delete pvc -l release=my-release +``` + +> **Note**: Deleting the PVC's will delete postgresql data as well. Please be cautious before doing it. + +## Parameters + +### Global parameters + +| Name | Description | Value | +| ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----- | +| `global.imageRegistry` | Global Docker image registry | `""` | +| `global.imagePullSecrets` | Global Docker registry secret names as an array | `[]` | +| `global.storageClass` | Global StorageClass for Persistent Volume(s) | `""` | +| `global.postgresql.auth.postgresPassword` | Password for the "postgres" admin user (overrides `auth.postgresPassword`) | `""` | +| `global.postgresql.auth.username` | Name for a custom user to create (overrides `auth.username`) | `""` | +| `global.postgresql.auth.password` | Password for the custom user to create (overrides `auth.password`) | `""` | +| `global.postgresql.auth.database` | Name for a custom database to create (overrides `auth.database`) | `""` | +| `global.postgresql.auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`). | `""` | +| `global.postgresql.auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` | +| `global.postgresql.auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` | +| `global.postgresql.auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. | `""` | +| `global.postgresql.service.ports.postgresql` | PostgreSQL service port (overrides `service.ports.postgresql`) | `""` | + + +### Common parameters + +| Name | Description | Value | +| ------------------------ | -------------------------------------------------------------------------------------------- | --------------- | +| `kubeVersion` | Override Kubernetes version | `""` | +| `nameOverride` | String to partially override common.names.fullname template (will maintain the release name) | `""` | +| `fullnameOverride` | String to fully override common.names.fullname template | `""` | +| `clusterDomain` | Kubernetes Cluster Domain | `cluster.local` | +| `extraDeploy` | Array of extra objects to deploy with the release (evaluated as a template) | `[]` | +| `commonLabels` | Add labels to all the deployed resources | `{}` | +| `commonAnnotations` | Add annotations to all the deployed resources | `{}` | +| `diagnosticMode.enabled` | Enable diagnostic mode (all probes will be disabled and the command will be overridden) | `false` | +| `diagnosticMode.command` | Command to override all containers in the statefulset | `["sleep"]` | +| `diagnosticMode.args` | Args to override all containers in the statefulset | `["infinity"]` | + + +### PostgreSQL common parameters + +| Name | Description | Value | +| ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------- | +| `image.registry` | PostgreSQL image registry | `docker.io` | +| `image.repository` | PostgreSQL image repository | `bitnami/postgresql` | +| `image.tag` | PostgreSQL image tag (immutable tags are recommended) | `14.5.0-debian-11-r35` | +| `image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `image.pullPolicy` | PostgreSQL image pull policy | `IfNotPresent` | +| `image.pullSecrets` | Specify image pull secrets | `[]` | +| `image.debug` | Specify if debug values should be set | `false` | +| `auth.enablePostgresUser` | Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user | `true` | +| `auth.postgresPassword` | Password for the "postgres" admin user. Ignored if `auth.existingSecret` with key `postgres-password` is provided | `""` | +| `auth.username` | Name for a custom user to create | `""` | +| `auth.password` | Password for the custom user to create. Ignored if `auth.existingSecret` with key `password` is provided | `""` | +| `auth.database` | Name for a custom database to create | `""` | +| `auth.replicationUsername` | Name of the replication user | `repl_user` | +| `auth.replicationPassword` | Password for the replication user. Ignored if `auth.existingSecret` with key `replication-password` is provided | `""` | +| `auth.existingSecret` | Name of existing secret to use for PostgreSQL credentials. `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret. The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case. | `""` | +| `auth.secretKeys.adminPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `postgres-password` | +| `auth.secretKeys.userPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `password` | +| `auth.secretKeys.replicationPasswordKey` | Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. | `replication-password` | +| `auth.usePasswordFiles` | Mount credentials as a files instead of using an environment variable | `false` | +| `architecture` | PostgreSQL architecture (`standalone` or `replication`) | `standalone` | +| `replication.synchronousCommit` | Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` | `off` | +| `replication.numSynchronousReplicas` | Number of replicas that will have synchronous replication. Note: Cannot be greater than `readReplicas.replicaCount`. | `0` | +| `replication.applicationName` | Cluster application name. Useful for advanced replication settings | `my_application` | +| `containerPorts.postgresql` | PostgreSQL container port | `5432` | +| `audit.logHostname` | Log client hostnames | `false` | +| `audit.logConnections` | Add client log-in operations to the log file | `false` | +| `audit.logDisconnections` | Add client log-outs operations to the log file | `false` | +| `audit.pgAuditLog` | Add operations to log using the pgAudit extension | `""` | +| `audit.pgAuditLogCatalog` | Log catalog using pgAudit | `off` | +| `audit.clientMinMessages` | Message log level to share with the user | `error` | +| `audit.logLinePrefix` | Template for log line prefix (default if not set) | `""` | +| `audit.logTimezone` | Timezone for the log timestamps | `""` | +| `ldap.enabled` | Enable LDAP support | `false` | +| `ldap.server` | IP address or name of the LDAP server. | `""` | +| `ldap.port` | Port number on the LDAP server to connect to | `""` | +| `ldap.prefix` | String to prepend to the user name when forming the DN to bind | `""` | +| `ldap.suffix` | String to append to the user name when forming the DN to bind | `""` | +| `ldap.basedn` | Root DN to begin the search for the user in | `""` | +| `ldap.binddn` | DN of user to bind to LDAP | `""` | +| `ldap.bindpw` | Password for the user to bind to LDAP | `""` | +| `ldap.searchAttribute` | Attribute to match against the user name in the search | `""` | +| `ldap.searchFilter` | The search filter to use when doing search+bind authentication | `""` | +| `ldap.scheme` | Set to `ldaps` to use LDAPS | `""` | +| `ldap.tls.enabled` | Se to true to enable TLS encryption | `false` | +| `ldap.uri` | LDAP URL beginning in the form `ldap[s]://host[:port]/basedn`. If provided, all the other LDAP parameters will be ignored. | `""` | +| `postgresqlDataDir` | PostgreSQL data dir folder | `/bitnami/postgresql/data` | +| `postgresqlSharedPreloadLibraries` | Shared preload libraries (comma-separated list) | `pgaudit` | +| `shmVolume.enabled` | Enable emptyDir volume for /dev/shm for PostgreSQL pod(s) | `true` | +| `shmVolume.sizeLimit` | Set this to enable a size limit on the shm tmpfs | `""` | +| `tls.enabled` | Enable TLS traffic support | `false` | +| `tls.autoGenerated` | Generate automatically self-signed TLS certificates | `false` | +| `tls.preferServerCiphers` | Whether to use the server's TLS cipher preferences rather than the client's | `true` | +| `tls.certificatesSecret` | Name of an existing secret that contains the certificates | `""` | +| `tls.certFilename` | Certificate filename | `""` | +| `tls.certKeyFilename` | Certificate key filename | `""` | +| `tls.certCAFilename` | CA Certificate filename | `""` | +| `tls.crlFilename` | File containing a Certificate Revocation List | `""` | + + +### PostgreSQL Primary parameters + +| Name | Description | Value | +| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------------- | +| `primary.name` | Name of the primary database (eg primary, master, leader, ...) | `primary` | +| `primary.configuration` | PostgreSQL Primary main configuration to be injected as ConfigMap | `""` | +| `primary.pgHbaConfiguration` | PostgreSQL Primary client authentication configuration | `""` | +| `primary.existingConfigmap` | Name of an existing ConfigMap with PostgreSQL Primary configuration | `""` | +| `primary.extendedConfiguration` | Extended PostgreSQL Primary configuration (appended to main or default configuration) | `""` | +| `primary.existingExtendedConfigmap` | Name of an existing ConfigMap with PostgreSQL Primary extended configuration | `""` | +| `primary.initdb.args` | PostgreSQL initdb extra arguments | `""` | +| `primary.initdb.postgresqlWalDir` | Specify a custom location for the PostgreSQL transaction log | `""` | +| `primary.initdb.scripts` | Dictionary of initdb scripts | `{}` | +| `primary.initdb.scriptsConfigMap` | ConfigMap with scripts to be run at first boot | `""` | +| `primary.initdb.scriptsSecret` | Secret with scripts to be run at first boot (in case it contains sensitive information) | `""` | +| `primary.initdb.user` | Specify the PostgreSQL username to execute the initdb scripts | `""` | +| `primary.initdb.password` | Specify the PostgreSQL password to execute the initdb scripts | `""` | +| `primary.standby.enabled` | Whether to enable current cluster's primary as standby server of another cluster or not | `false` | +| `primary.standby.primaryHost` | The Host of replication primary in the other cluster | `""` | +| `primary.standby.primaryPort` | The Port of replication primary in the other cluster | `""` | +| `primary.extraEnvVars` | Array with extra environment variables to add to PostgreSQL Primary nodes | `[]` | +| `primary.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for PostgreSQL Primary nodes | `""` | +| `primary.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for PostgreSQL Primary nodes | `""` | +| `primary.command` | Override default container command (useful when using custom images) | `[]` | +| `primary.args` | Override default container args (useful when using custom images) | `[]` | +| `primary.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL Primary containers | `true` | +| `primary.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `primary.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `primary.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `primary.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `primary.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `primary.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL Primary containers | `true` | +| `primary.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `primary.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `primary.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `primary.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `primary.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `primary.startupProbe.enabled` | Enable startupProbe on PostgreSQL Primary containers | `false` | +| `primary.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | +| `primary.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `primary.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `primary.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | +| `primary.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `primary.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `primary.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `primary.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `primary.lifecycleHooks` | for the PostgreSQL Primary container to automate configuration before or after startup | `{}` | +| `primary.resources.limits` | The resources limits for the PostgreSQL Primary containers | `{}` | +| `primary.resources.requests.memory` | The requested memory for the PostgreSQL Primary containers | `256Mi` | +| `primary.resources.requests.cpu` | The requested cpu for the PostgreSQL Primary containers | `250m` | +| `primary.podSecurityContext.enabled` | Enable security context | `true` | +| `primary.podSecurityContext.fsGroup` | Group ID for the pod | `1001` | +| `primary.containerSecurityContext.enabled` | Enable container security context | `true` | +| `primary.containerSecurityContext.runAsUser` | User ID for the container | `1001` | +| `primary.hostAliases` | PostgreSQL primary pods host aliases | `[]` | +| `primary.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (postgresql primary) | `false` | +| `primary.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` | +| `primary.labels` | Map of labels to add to the statefulset (postgresql primary) | `{}` | +| `primary.annotations` | Annotations for PostgreSQL primary pods | `{}` | +| `primary.podLabels` | Map of labels to add to the pods (postgresql primary) | `{}` | +| `primary.podAnnotations` | Map of annotations to add to the pods (postgresql primary) | `{}` | +| `primary.podAffinityPreset` | PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.podAntiAffinityPreset` | PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `primary.nodeAffinityPreset.type` | PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `primary.nodeAffinityPreset.key` | PostgreSQL primary node label key to match Ignored if `primary.affinity` is set. | `""` | +| `primary.nodeAffinityPreset.values` | PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set. | `[]` | +| `primary.affinity` | Affinity for PostgreSQL primary pods assignment | `{}` | +| `primary.nodeSelector` | Node labels for PostgreSQL primary pods assignment | `{}` | +| `primary.tolerations` | Tolerations for PostgreSQL primary pods assignment | `[]` | +| `primary.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | +| `primary.priorityClassName` | Priority Class to use for each pod (postgresql primary) | `""` | +| `primary.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` | +| `primary.terminationGracePeriodSeconds` | Seconds PostgreSQL primary pod needs to terminate gracefully | `""` | +| `primary.updateStrategy.type` | PostgreSQL Primary statefulset strategy type | `RollingUpdate` | +| `primary.updateStrategy.rollingUpdate` | PostgreSQL Primary statefulset rolling update configuration parameters | `{}` | +| `primary.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the PostgreSQL Primary container(s) | `[]` | +| `primary.extraVolumes` | Optionally specify extra list of additional volumes for the PostgreSQL Primary pod(s) | `[]` | +| `primary.sidecars` | Add additional sidecar containers to the PostgreSQL Primary pod(s) | `[]` | +| `primary.initContainers` | Add additional init containers to the PostgreSQL Primary pod(s) | `[]` | +| `primary.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) | `{}` | +| `primary.service.type` | Kubernetes Service type | `ClusterIP` | +| `primary.service.ports.postgresql` | PostgreSQL service port | `5432` | +| `primary.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` | +| `primary.service.clusterIP` | Static clusterIP or None for headless services | `""` | +| `primary.service.annotations` | Annotations for PostgreSQL primary service | `{}` | +| `primary.service.loadBalancerIP` | Load balancer IP if service type is `LoadBalancer` | `""` | +| `primary.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `primary.service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` | +| `primary.service.extraPorts` | Extra ports to expose in the PostgreSQL primary service | `[]` | +| `primary.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `primary.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `primary.persistence.enabled` | Enable PostgreSQL Primary data persistence using PVC | `true` | +| `primary.persistence.existingClaim` | Name of an existing PVC to use | `""` | +| `primary.persistence.mountPath` | The path the volume will be mounted at | `/bitnami/postgresql` | +| `primary.persistence.subPath` | The subdirectory of the volume to mount to | `""` | +| `primary.persistence.storageClass` | PVC Storage Class for PostgreSQL Primary data volume | `""` | +| `primary.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` | +| `primary.persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` | +| `primary.persistence.annotations` | Annotations for the PVC | `{}` | +| `primary.persistence.labels` | Labels for the PVC | `{}` | +| `primary.persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` | +| `primary.persistence.dataSource` | Custom PVC data source | `{}` | + + +### PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`) + +| Name | Description | Value | +| ------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | --------------------- | +| `readReplicas.name` | Name of the read replicas database (eg secondary, slave, ...) | `read` | +| `readReplicas.replicaCount` | Number of PostgreSQL read only replicas | `1` | +| `readReplicas.extendedConfiguration` | Extended PostgreSQL read only replicas configuration (appended to main or default configuration) | `""` | +| `readReplicas.extraEnvVars` | Array with extra environment variables to add to PostgreSQL read only nodes | `[]` | +| `readReplicas.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes | `""` | +| `readReplicas.extraEnvVarsSecret` | Name of existing Secret containing extra env vars for PostgreSQL read only nodes | `""` | +| `readReplicas.command` | Override default container command (useful when using custom images) | `[]` | +| `readReplicas.args` | Override default container args (useful when using custom images) | `[]` | +| `readReplicas.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL read only containers | `true` | +| `readReplicas.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `30` | +| `readReplicas.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `readReplicas.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `readReplicas.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `readReplicas.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `readReplicas.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL read only containers | `true` | +| `readReplicas.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `readReplicas.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `readReplicas.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `readReplicas.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `readReplicas.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `readReplicas.startupProbe.enabled` | Enable startupProbe on PostgreSQL read only containers | `false` | +| `readReplicas.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `30` | +| `readReplicas.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `readReplicas.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `readReplicas.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | +| `readReplicas.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `readReplicas.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `readReplicas.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `readReplicas.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `readReplicas.lifecycleHooks` | for the PostgreSQL read only container to automate configuration before or after startup | `{}` | +| `readReplicas.resources.limits` | The resources limits for the PostgreSQL read only containers | `{}` | +| `readReplicas.resources.requests.memory` | The requested memory for the PostgreSQL read only containers | `256Mi` | +| `readReplicas.resources.requests.cpu` | The requested cpu for the PostgreSQL read only containers | `250m` | +| `readReplicas.podSecurityContext.enabled` | Enable security context | `true` | +| `readReplicas.podSecurityContext.fsGroup` | Group ID for the pod | `1001` | +| `readReplicas.containerSecurityContext.enabled` | Enable container security context | `true` | +| `readReplicas.containerSecurityContext.runAsUser` | User ID for the container | `1001` | +| `readReplicas.hostAliases` | PostgreSQL read only pods host aliases | `[]` | +| `readReplicas.hostNetwork` | Specify if host network should be enabled for PostgreSQL pod (PostgreSQL read only) | `false` | +| `readReplicas.hostIPC` | Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) | `false` | +| `readReplicas.labels` | Map of labels to add to the statefulset (PostgreSQL read only) | `{}` | +| `readReplicas.annotations` | Annotations for PostgreSQL read only pods | `{}` | +| `readReplicas.podLabels` | Map of labels to add to the pods (PostgreSQL read only) | `{}` | +| `readReplicas.podAnnotations` | Map of annotations to add to the pods (PostgreSQL read only) | `{}` | +| `readReplicas.podAffinityPreset` | PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `readReplicas.podAntiAffinityPreset` | PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `soft` | +| `readReplicas.nodeAffinityPreset.type` | PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` | `""` | +| `readReplicas.nodeAffinityPreset.key` | PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. | `""` | +| `readReplicas.nodeAffinityPreset.values` | PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. | `[]` | +| `readReplicas.affinity` | Affinity for PostgreSQL read only pods assignment | `{}` | +| `readReplicas.nodeSelector` | Node labels for PostgreSQL read only pods assignment | `{}` | +| `readReplicas.tolerations` | Tolerations for PostgreSQL read only pods assignment | `[]` | +| `readReplicas.topologySpreadConstraints` | Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template | `[]` | +| `readReplicas.priorityClassName` | Priority Class to use for each pod (PostgreSQL read only) | `""` | +| `readReplicas.schedulerName` | Use an alternate scheduler, e.g. "stork". | `""` | +| `readReplicas.terminationGracePeriodSeconds` | Seconds PostgreSQL read only pod needs to terminate gracefully | `""` | +| `readReplicas.updateStrategy.type` | PostgreSQL read only statefulset strategy type | `RollingUpdate` | +| `readReplicas.updateStrategy.rollingUpdate` | PostgreSQL read only statefulset rolling update configuration parameters | `{}` | +| `readReplicas.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s) | `[]` | +| `readReplicas.extraVolumes` | Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s) | `[]` | +| `readReplicas.sidecars` | Add additional sidecar containers to the PostgreSQL read only pod(s) | `[]` | +| `readReplicas.initContainers` | Add additional init containers to the PostgreSQL read only pod(s) | `[]` | +| `readReplicas.extraPodSpec` | Optionally specify extra PodSpec for the PostgreSQL read only pod(s) | `{}` | +| `readReplicas.service.type` | Kubernetes Service type | `ClusterIP` | +| `readReplicas.service.ports.postgresql` | PostgreSQL service port | `5432` | +| `readReplicas.service.nodePorts.postgresql` | Node port for PostgreSQL | `""` | +| `readReplicas.service.clusterIP` | Static clusterIP or None for headless services | `""` | +| `readReplicas.service.annotations` | Annotations for PostgreSQL read only service | `{}` | +| `readReplicas.service.loadBalancerIP` | Load balancer IP if service type is `LoadBalancer` | `""` | +| `readReplicas.service.externalTrafficPolicy` | Enable client source IP preservation | `Cluster` | +| `readReplicas.service.loadBalancerSourceRanges` | Addresses that are allowed when service is LoadBalancer | `[]` | +| `readReplicas.service.extraPorts` | Extra ports to expose in the PostgreSQL read only service | `[]` | +| `readReplicas.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` | +| `readReplicas.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` | +| `readReplicas.persistence.enabled` | Enable PostgreSQL read only data persistence using PVC | `true` | +| `readReplicas.persistence.existingClaim` | Name of an existing PVC to use | `""` | +| `readReplicas.persistence.mountPath` | The path the volume will be mounted at | `/bitnami/postgresql` | +| `readReplicas.persistence.subPath` | The subdirectory of the volume to mount to | `""` | +| `readReplicas.persistence.storageClass` | PVC Storage Class for PostgreSQL read only data volume | `""` | +| `readReplicas.persistence.accessModes` | PVC Access Mode for PostgreSQL volume | `["ReadWriteOnce"]` | +| `readReplicas.persistence.size` | PVC Storage Request for PostgreSQL volume | `8Gi` | +| `readReplicas.persistence.annotations` | Annotations for the PVC | `{}` | +| `readReplicas.persistence.labels` | Labels for the PVC | `{}` | +| `readReplicas.persistence.selector` | Selector to match an existing Persistent Volume (this value is evaluated as a template) | `{}` | +| `readReplicas.persistence.dataSource` | Custom PVC data source | `{}` | + + +### NetworkPolicy parameters + +| Name | Description | Value | +| ------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `networkPolicy.enabled` | Enable network policies | `false` | +| `networkPolicy.metrics.enabled` | Enable network policies for metrics (prometheus) | `false` | +| `networkPolicy.metrics.namespaceSelector` | Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. | `{}` | +| `networkPolicy.metrics.podSelector` | Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. | `{}` | +| `networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled` | Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin. | `false` | +| `networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed namespace(s). | `{}` | +| `networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s). | `{}` | +| `networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules` | Custom network policy for the PostgreSQL primary node. | `{}` | +| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled` | Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin. | `false` | +| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector` | Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s). | `{}` | +| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector` | Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s). | `{}` | +| `networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules` | Custom network policy for the PostgreSQL read-only nodes. | `{}` | +| `networkPolicy.egressRules.denyConnectionsToExternal` | Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). | `false` | +| `networkPolicy.egressRules.customRules` | Custom network policy rule | `{}` | + + +### Volume Permissions parameters + +| Name | Description | Value | +| ------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------- | ----------------------- | +| `volumePermissions.enabled` | Enable init container that changes the owner and group of the persistent volume | `false` | +| `volumePermissions.image.registry` | Init container volume-permissions image registry | `docker.io` | +| `volumePermissions.image.repository` | Init container volume-permissions image repository | `bitnami/bitnami-shell` | +| `volumePermissions.image.tag` | Init container volume-permissions image tag (immutable tags are recommended) | `11-debian-11-r45` | +| `volumePermissions.image.digest` | Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `volumePermissions.image.pullPolicy` | Init container volume-permissions image pull policy | `IfNotPresent` | +| `volumePermissions.image.pullSecrets` | Init container volume-permissions image pull secrets | `[]` | +| `volumePermissions.resources.limits` | Init container volume-permissions resource limits | `{}` | +| `volumePermissions.resources.requests` | Init container volume-permissions resource requests | `{}` | +| `volumePermissions.containerSecurityContext.runAsUser` | User ID for the init container | `0` | + + +### Other Parameters + +| Name | Description | Value | +| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ------- | +| `serviceAccount.create` | Enable creation of ServiceAccount for PostgreSQL pod | `false` | +| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` | +| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` | +| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` | +| `rbac.create` | Create Role and RoleBinding (required for PSP to work) | `false` | +| `rbac.rules` | Custom RBAC rules to set | `[]` | +| `psp.create` | Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later | `false` | + + +### Metrics Parameters + +| Name | Description | Value | +| ----------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | --------------------------- | +| `metrics.enabled` | Start a prometheus exporter | `false` | +| `metrics.image.registry` | PostgreSQL Prometheus Exporter image registry | `docker.io` | +| `metrics.image.repository` | PostgreSQL Prometheus Exporter image repository | `bitnami/postgres-exporter` | +| `metrics.image.tag` | PostgreSQL Prometheus Exporter image tag (immutable tags are recommended) | `0.11.1-debian-11-r22` | +| `metrics.image.digest` | PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` | +| `metrics.image.pullPolicy` | PostgreSQL Prometheus Exporter image pull policy | `IfNotPresent` | +| `metrics.image.pullSecrets` | Specify image pull secrets | `[]` | +| `metrics.customMetrics` | Define additional custom metrics | `{}` | +| `metrics.extraEnvVars` | Extra environment variables to add to PostgreSQL Prometheus exporter | `[]` | +| `metrics.containerSecurityContext.enabled` | Enable PostgreSQL Prometheus exporter containers' Security Context | `true` | +| `metrics.containerSecurityContext.runAsUser` | Set PostgreSQL Prometheus exporter containers' Security Context runAsUser | `1001` | +| `metrics.containerSecurityContext.runAsNonRoot` | Set PostgreSQL Prometheus exporter containers' Security Context runAsNonRoot | `true` | +| `metrics.livenessProbe.enabled` | Enable livenessProbe on PostgreSQL Prometheus exporter containers | `true` | +| `metrics.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `5` | +| `metrics.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` | +| `metrics.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `5` | +| `metrics.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `6` | +| `metrics.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` | +| `metrics.readinessProbe.enabled` | Enable readinessProbe on PostgreSQL Prometheus exporter containers | `true` | +| `metrics.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` | +| `metrics.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `10` | +| `metrics.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `5` | +| `metrics.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `6` | +| `metrics.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` | +| `metrics.startupProbe.enabled` | Enable startupProbe on PostgreSQL Prometheus exporter containers | `false` | +| `metrics.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `10` | +| `metrics.startupProbe.periodSeconds` | Period seconds for startupProbe | `10` | +| `metrics.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` | +| `metrics.startupProbe.failureThreshold` | Failure threshold for startupProbe | `15` | +| `metrics.startupProbe.successThreshold` | Success threshold for startupProbe | `1` | +| `metrics.customLivenessProbe` | Custom livenessProbe that overrides the default one | `{}` | +| `metrics.customReadinessProbe` | Custom readinessProbe that overrides the default one | `{}` | +| `metrics.customStartupProbe` | Custom startupProbe that overrides the default one | `{}` | +| `metrics.containerPorts.metrics` | PostgreSQL Prometheus exporter metrics container port | `9187` | +| `metrics.resources.limits` | The resources limits for the PostgreSQL Prometheus exporter container | `{}` | +| `metrics.resources.requests` | The requested resources for the PostgreSQL Prometheus exporter container | `{}` | +| `metrics.service.ports.metrics` | PostgreSQL Prometheus Exporter service port | `9187` | +| `metrics.service.clusterIP` | Static clusterIP or None for headless services | `""` | +| `metrics.service.sessionAffinity` | Control where client requests go, to the same pod or round-robin | `None` | +| `metrics.service.annotations` | Annotations for Prometheus to auto-discover the metrics endpoint | `{}` | +| `metrics.serviceMonitor.enabled` | Create ServiceMonitor Resource for scraping metrics using Prometheus Operator | `false` | +| `metrics.serviceMonitor.namespace` | Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) | `""` | +| `metrics.serviceMonitor.interval` | Interval at which metrics should be scraped. | `""` | +| `metrics.serviceMonitor.scrapeTimeout` | Timeout after which the scrape is ended | `""` | +| `metrics.serviceMonitor.labels` | Additional labels that can be used so ServiceMonitor will be discovered by Prometheus | `{}` | +| `metrics.serviceMonitor.selector` | Prometheus instance selector labels | `{}` | +| `metrics.serviceMonitor.relabelings` | RelabelConfigs to apply to samples before scraping | `[]` | +| `metrics.serviceMonitor.metricRelabelings` | MetricRelabelConfigs to apply to samples before ingestion | `[]` | +| `metrics.serviceMonitor.honorLabels` | Specify honorLabels parameter to add the scrape endpoint | `false` | +| `metrics.serviceMonitor.jobLabel` | The name of the label on the target service to use as the job name in prometheus. | `""` | +| `metrics.prometheusRule.enabled` | Create a PrometheusRule for Prometheus Operator | `false` | +| `metrics.prometheusRule.namespace` | Namespace for the PrometheusRule Resource (defaults to the Release Namespace) | `""` | +| `metrics.prometheusRule.labels` | Additional labels that can be used so PrometheusRule will be discovered by Prometheus | `{}` | +| `metrics.prometheusRule.rules` | PrometheusRule definitions | `[]` | + + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example, + +```bash +$ helm install my-release \ + --set auth.postgresPassword=secretpassword + my-repo/postgresql +``` + +The above command sets the PostgreSQL `postgres` account password to `secretpassword`. + +> NOTE: Once this chart is deployed, it is not possible to change the application's access credentials, such as usernames or passwords, using Helm. To change these application credentials after deployment, delete any persistent volumes (PVs) used by the chart and re-deploy it, or use the application's built-in administrative tools if available. + +> **Warning** Setting a password will be ignored on new installation in case when previous Posgresql release was deleted through the helm command. In that case, old PVC will have an old password, and setting it through helm won't take effect. Deleting persistent volumes (PVs) will solve the issue. Refer to [issue 2061](https://github.com/bitnami/charts/issues/2061) for more details + +Alternatively, a YAML file that specifies the values for the parameters can be provided while installing the chart. For example, + +```bash +helm install my-release -f values.yaml my-repo/postgresql +``` + +> **Tip**: You can use the default [values.yaml](values.yaml) + +## Configuration and installation details + +### [Rolling VS Immutable tags](https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/) + +It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image. + +Bitnami will release a new chart updating its containers if a new version of the main container, significant changes, or critical vulnerabilities exist. + +### Customizing primary and read replica services in a replicated configuration + +At the top level, there is a service object which defines the services for both primary and readReplicas. For deeper customization, there are service objects for both the primary and read types individually. This allows you to override the values in the top level service object so that the primary and read can be of different service types and with different clusterIPs / nodePorts. Also in the case you want the primary and read to be of type nodePort, you will need to set the nodePorts to different values to prevent a collision. The values that are deeper in the primary.service or readReplicas.service objects will take precedence over the top level service object. + +### Use a different PostgreSQL version + +To modify the application version used in this chart, specify a different version of the image using the `image.tag` parameter and/or a different repository using the `image.repository` parameter. Refer to the [chart documentation for more information on these parameters and how to use them with images from a private registry](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/configuration/change-image-version/). + +### postgresql.conf / pg_hba.conf files as configMap + +This helm chart also supports to customize the PostgreSQL configuration file. You can add additional PostgreSQL configuration parameters using the `primary.extendedConfiguration`/`readReplicas.extendedConfiguration` parameters as a string. Alternatively, to replace the entire default configuration use `primary.configuration`. + +You can also add a custom pg_hba.conf using the `primary.pgHbaConfiguration` parameter. + +In addition to these options, you can also set an external ConfigMap with all the configuration files. This is done by setting the `primary.existingConfigmap` parameter. Note that this will override the two previous options. + +### Initialize a fresh instance + +The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image allows you to use your custom scripts to initialize a fresh instance. In order to execute the scripts, you can specify custom scripts using the `primary.initdb.scripts` parameter as a string. + +In addition, you can also set an external ConfigMap with all the initialization scripts. This is done by setting the `primary.initdb.scriptsConfigMap` parameter. Note that this will override the two previous options. If your initialization scripts contain sensitive information such as credentials or passwords, you can use the `primary.initdb.scriptsSecret` parameter. + +The allowed extensions are `.sh`, `.sql` and `.sql.gz`. + +### Securing traffic using TLS + +TLS support can be enabled in the chart by specifying the `tls.` parameters while creating a release. The following parameters should be configured to properly enable the TLS support in the chart: + +- `tls.enabled`: Enable TLS support. Defaults to `false` +- `tls.certificatesSecret`: Name of an existing secret that contains the certificates. No defaults. +- `tls.certFilename`: Certificate filename. No defaults. +- `tls.certKeyFilename`: Certificate key filename. No defaults. + +For example: + +- First, create the secret with the cetificates files: + + ```console + kubectl create secret generic certificates-tls-secret --from-file=./cert.crt --from-file=./cert.key --from-file=./ca.crt + ``` + +- Then, use the following parameters: + + ```console + volumePermissions.enabled=true + tls.enabled=true + tls.certificatesSecret="certificates-tls-secret" + tls.certFilename="cert.crt" + tls.certKeyFilename="cert.key" + ``` + + > Note TLS and VolumePermissions: PostgreSQL requires certain permissions on sensitive files (such as certificate keys) to start up. Due to an on-going [issue](https://github.com/kubernetes/kubernetes/issues/57923) regarding kubernetes permissions and the use of `containerSecurityContext.runAsUser`, you must enable `volumePermissions` to ensure everything works as expected. + +### Sidecars + +If you need additional containers to run within the same pod as PostgreSQL (e.g. an additional metrics or logging exporter), you can do so via the `sidecars` config parameter. Simply define your container according to the Kubernetes container spec. + +```yaml +# For the PostgreSQL primary +primary: + sidecars: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +# For the PostgreSQL replicas +readReplicas: + sidecars: + - name: your-image-name + image: your-image + imagePullPolicy: Always + ports: + - name: portname + containerPort: 1234 +``` + +### Metrics + +The chart optionally can start a metrics exporter for [prometheus](https://prometheus.io). The metrics endpoint (port 9187) is not exposed and it is expected that the metrics are collected from inside the k8s cluster using something similar as the described in the [example Prometheus scrape configuration](https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml). + +The exporter allows to create custom metrics from additional SQL queries. See the Chart's `values.yaml` for an example and consult the [exporters documentation](https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file) for more details. + +### Use of global variables + +In more complex scenarios, we may have the following tree of dependencies + +``` + +--------------+ + | | + +------------+ Chart 1 +-----------+ + | | | | + | --------+------+ | + | | | + | | | + | | | + | | | + v v v ++-------+------+ +--------+------+ +--------+------+ +| | | | | | +| PostgreSQL | | Sub-chart 1 | | Sub-chart 2 | +| | | | | | ++--------------+ +---------------+ +---------------+ +``` + +The three charts below depend on the parent chart Chart 1. However, subcharts 1 and 2 may need to connect to PostgreSQL as well. In order to do so, subcharts 1 and 2 need to know the PostgreSQL credentials, so one option for deploying could be deploy Chart 1 with the following parameters: + +``` +postgresql.auth.username=testuser +subchart1.postgresql.auth.username=testuser +subchart2.postgresql.auth.username=testuser +postgresql.auth.password=testpass +subchart1.postgresql.auth.password=testpass +subchart2.postgresql.auth.password=testpass +postgresql.auth.database=testdb +subchart1.postgresql.auth.database=testdb +subchart2.postgresql.auth.database=testdb +``` + +If the number of dependent sub-charts increases, installing the chart with parameters can become increasingly difficult. An alternative would be to set the credentials using global variables as follows: + +``` +global.postgresql.auth.username=testuser +global.postgresql.auth.password=testpass +global.postgresql.auth.database=testdb +``` + +This way, the credentials will be available in all of the subcharts. + +## Persistence + +The [Bitnami PostgreSQL](https://github.com/bitnami/containers/tree/main/bitnami/postgresql) image stores the PostgreSQL data and configurations at the `/bitnami/postgresql` path of the container. + +Persistent Volume Claims are used to keep the data across deployments. This is known to work in GCE, AWS, and minikube. +See the [Parameters](#parameters) section to configure the PVC or to disable persistence. + +If you already have data in it, you will fail to sync to standby nodes for all commits, details can refer to the [code present in the container repository](https://github.com/bitnami/containers/tree/main/bitnami/postgresql). If you need to use those data, please covert them to sql and import after `helm install` finished. + +## NetworkPolicy + +To enable network policy for PostgreSQL, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `true`. + +For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the DefaultDeny namespace annotation. Note: this will enforce policy for _all_ pods in the namespace: + +```bash +kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}" +``` + +With NetworkPolicy enabled, traffic will be limited to just port 5432. + +For more precise policy, set `networkPolicy.allowExternal=false`. This will only allow pods with the generated client label to connect to PostgreSQL. +This label will be displayed in the output of a successful install. + +## Differences between Bitnami PostgreSQL image and [Docker Official](https://hub.docker.com/_/postgres) image + +- The Docker Official PostgreSQL image does not support replication. If you pass any replication environment variable, this would be ignored. The only environment variables supported by the Docker Official image are POSTGRES_USER, POSTGRES_DB, POSTGRES_PASSWORD, POSTGRES_INITDB_ARGS, POSTGRES_INITDB_WALDIR and PGDATA. All the remaining environment variables are specific to the Bitnami PostgreSQL image. +- The Bitnami PostgreSQL image is non-root by default. This requires that you run the pod with `securityContext` and updates the permissions of the volume with an `initContainer`. A key benefit of this configuration is that the pod follows security best practices and is prepared to run on Kubernetes distributions with hard security constraints like OpenShift. +- For OpenShift, one may either define the runAsUser and fsGroup accordingly, or try this more dynamic option: volumePermissions.securityContext.runAsUser="auto",securityContext.enabled=false,containerSecurityContext.enabled=false,shmVolume.chmod.enabled=false + +### Setting Pod's affinity + +This chart allows you to set your custom affinity using the `XXX.affinity` parameter(s). Find more information about Pod's affinity in the [kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity). + +As an alternative, you can use of the preset configurations for pod affinity, pod anti-affinity, and node affinity available at the [bitnami/common](https://github.com/bitnami/charts/tree/main/bitnami/common#affinities) chart. To do so, set the `XXX.podAffinityPreset`, `XXX.podAntiAffinityPreset`, or `XXX.nodeAffinityPreset` parameters. + +## Troubleshooting + +Find more information about how to deal with common errors related to Bitnami's Helm charts in [this troubleshooting guide](https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues). + +## Upgrading + +Refer to the [chart documentation for more information about how to upgrade from previous releases](https://docs.bitnami.com/kubernetes/infrastructure/postgresql/administration/upgrade/). + +## License + +Copyright © 2022 Bitnami + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. \ No newline at end of file diff --git a/charts/kong/kong/2.41.0/charts/postgresql/charts/common/.helmignore b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/.helmignore new file mode 100644 index 000000000..50af03172 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/kong/kong/2.41.0/charts/postgresql/charts/common/Chart.yaml b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/Chart.yaml new file mode 100644 index 000000000..4721c32c3 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/Chart.yaml @@ -0,0 +1,23 @@ +annotations: + category: Infrastructure +apiVersion: v2 +appVersion: 2.0.4 +description: A Library Helm Chart for grouping common logic between bitnami charts. + This chart is not deployable by itself. +home: https://github.com/bitnami/charts/tree/main/bitnami/common +icon: https://bitnami.com/downloads/logos/bitnami-mark.png +keywords: +- common +- helper +- template +- function +- bitnami +maintainers: +- name: Bitnami + url: https://github.com/bitnami/charts +name: common +sources: +- https://github.com/bitnami/charts +- https://www.bitnami.com/ +type: library +version: 2.0.4 diff --git a/charts/kong/kong/2.41.0/charts/postgresql/charts/common/README.md b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/README.md new file mode 100644 index 000000000..a2ecd6044 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/README.md @@ -0,0 +1,350 @@ +# Bitnami Common Library Chart + +A [Helm Library Chart](https://helm.sh/docs/topics/library_charts/#helm) for grouping common logic between bitnami charts. + +## TL;DR + +```yaml +dependencies: + - name: common + version: 1.x.x + repository: https://charts.bitnami.com/bitnami +``` + +```bash +$ helm dependency update +``` + +```yaml +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "common.names.fullname" . }} +data: + myvalue: "Hello World" +``` + +## Introduction + +This chart provides a common template helpers which can be used to develop new charts using [Helm](https://helm.sh) package manager. + +Bitnami charts can be used with [Kubeapps](https://kubeapps.dev/) for deployment and management of Helm Charts in clusters. + +## Prerequisites + +- Kubernetes 1.19+ +- Helm 3.2.0+ + +## Parameters + +The following table lists the helpers available in the library which are scoped in different sections. + +### Affinities + +| Helper identifier | Description | Expected Input | +|-------------------------------|------------------------------------------------------|------------------------------------------------| +| `common.affinities.nodes.soft` | Return a soft nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.nodes.hard` | Return a hard nodeAffinity definition | `dict "key" "FOO" "values" (list "BAR" "BAZ")` | +| `common.affinities.pods.soft` | Return a soft podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | +| `common.affinities.pods.hard` | Return a hard podAffinity/podAntiAffinity definition | `dict "component" "FOO" "context" $` | + +### Capabilities + +| Helper identifier | Description | Expected Input | +|------------------------------------------------|------------------------------------------------------------------------------------------------|-------------------| +| `common.capabilities.kubeVersion` | Return the target Kubernetes version (using client default if .Values.kubeVersion is not set). | `.` Chart context | +| `common.capabilities.cronjob.apiVersion` | Return the appropriate apiVersion for cronjob. | `.` Chart context | +| `common.capabilities.deployment.apiVersion` | Return the appropriate apiVersion for deployment. | `.` Chart context | +| `common.capabilities.statefulset.apiVersion` | Return the appropriate apiVersion for statefulset. | `.` Chart context | +| `common.capabilities.ingress.apiVersion` | Return the appropriate apiVersion for ingress. | `.` Chart context | +| `common.capabilities.rbac.apiVersion` | Return the appropriate apiVersion for RBAC resources. | `.` Chart context | +| `common.capabilities.crd.apiVersion` | Return the appropriate apiVersion for CRDs. | `.` Chart context | +| `common.capabilities.policy.apiVersion` | Return the appropriate apiVersion for podsecuritypolicy. | `.` Chart context | +| `common.capabilities.networkPolicy.apiVersion` | Return the appropriate apiVersion for networkpolicy. | `.` Chart context | +| `common.capabilities.apiService.apiVersion` | Return the appropriate apiVersion for APIService. | `.` Chart context | +| `common.capabilities.hpa.apiVersion` | Return the appropriate apiVersion for Horizontal Pod Autoscaler | `.` Chart context | +| `common.capabilities.supportsHelmVersion` | Returns true if the used Helm version is 3.3+ | `.` Chart context | + +### Errors + +| Helper identifier | Description | Expected Input | +|-----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------| +| `common.errors.upgrade.passwords.empty` | It will ensure required passwords are given when we are upgrading a chart. If `validationErrors` is not empty it will throw an error and will stop the upgrade action. | `dict "validationErrors" (list $validationError00 $validationError01) "context" $` | + +### Images + +| Helper identifier | Description | Expected Input | +|-----------------------------|------------------------------------------------------|---------------------------------------------------------------------------------------------------------| +| `common.images.image` | Return the proper and full image name | `dict "imageRoot" .Values.path.to.the.image "global" $`, see [ImageRoot](#imageroot) for the structure. | +| `common.images.pullSecrets` | Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global` | +| `common.images.renderPullSecrets` | Return the proper Docker Image Registry Secret Names (evaluates values as templates) | `dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $` | + +### Ingress + +| Helper identifier | Description | Expected Input | +|-------------------------------------------|-------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.ingress.backend` | Generate a proper Ingress backend entry depending on the API version | `dict "serviceName" "foo" "servicePort" "bar"`, see the [Ingress deprecation notice](https://kubernetes.io/blog/2019/07/18/api-deprecations-in-1-16/) for the syntax differences | +| `common.ingress.supportsPathType` | Prints "true" if the pathType field is supported | `.` Chart context | +| `common.ingress.supportsIngressClassname` | Prints "true" if the ingressClassname field is supported | `.` Chart context | +| `common.ingress.certManagerRequest` | Prints "true" if required cert-manager annotations for TLS signed certificates are set in the Ingress annotations | `dict "annotations" .Values.path.to.the.ingress.annotations` | + +### Labels + +| Helper identifier | Description | Expected Input | +|-----------------------------|-----------------------------------------------------------------------------|-------------------| +| `common.labels.standard` | Return Kubernetes standard labels | `.` Chart context | +| `common.labels.matchLabels` | Labels to use on `deploy.spec.selector.matchLabels` and `svc.spec.selector` | `.` Chart context | + +### Names + +| Helper identifier | Description | Expected Input | +|-----------------------------------|-----------------------------------------------------------------------|-------------------| +| `common.names.name` | Expand the name of the chart or use `.Values.nameOverride` | `.` Chart context | +| `common.names.fullname` | Create a default fully qualified app name. | `.` Chart context | +| `common.names.namespace` | Allow the release namespace to be overridden | `.` Chart context | +| `common.names.fullname.namespace` | Create a fully qualified app name adding the installation's namespace | `.` Chart context | +| `common.names.chart` | Chart name plus version | `.` Chart context | + +### Secrets + +| Helper identifier | Description | Expected Input | +|---------------------------|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.secrets.name` | Generate the name of the secret. | `dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $` see [ExistingSecret](#existingsecret) for the structure. | +| `common.secrets.key` | Generate secret key. | `dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName"` see [ExistingSecret](#existingsecret) for the structure. | +| `common.passwords.manage` | Generate secret password or retrieve one if already created. | `dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $`, length, strong and chartNAme fields are optional. | +| `common.secrets.exists` | Returns whether a previous generated secret already exists. | `dict "secret" "secret-name" "context" $` | + +### Storage + +| Helper identifier | Description | Expected Input | +|-------------------------------|---------------------------------------|---------------------------------------------------------------------------------------------------------------------| +| `common.storage.class` | Return the proper Storage Class | `dict "persistence" .Values.path.to.the.persistence "global" $`, see [Persistence](#persistence) for the structure. | + +### TplValues + +| Helper identifier | Description | Expected Input | +|---------------------------|----------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.tplvalues.render` | Renders a value that contains template | `dict "value" .Values.path.to.the.Value "context" $`, value is the value should rendered as template, context frequently is the chart context `$` or `.` | + +### Utils + +| Helper identifier | Description | Expected Input | +|--------------------------------|------------------------------------------------------------------------------------------|------------------------------------------------------------------------| +| `common.utils.fieldToEnvVar` | Build environment variable name given a field. | `dict "field" "my-password"` | +| `common.utils.secret.getvalue` | Print instructions to get a secret value. | `dict "secret" "secret-name" "field" "secret-value-field" "context" $` | +| `common.utils.getValueFromKey` | Gets a value from `.Values` object given its key path | `dict "key" "path.to.key" "context" $` | +| `common.utils.getKeyFromList` | Returns first `.Values` key with a defined value or first of the list if all non-defined | `dict "keys" (list "path.to.key1" "path.to.key2") "context" $` | + +### Validations + +| Helper identifier | Description | Expected Input | +|--------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| `common.validations.values.single.empty` | Validate a value must not be empty. | `dict "valueKey" "path.to.value" "secret" "secret.name" "field" "my-password" "subchart" "subchart" "context" $` secret, field and subchart are optional. In case they are given, the helper will generate a how to get instruction. See [ValidateValue](#validatevalue) | +| `common.validations.values.multiple.empty` | Validate a multiple values must not be empty. It returns a shared error for all the values. | `dict "required" (list $validateValueConf00 $validateValueConf01) "context" $`. See [ValidateValue](#validatevalue) | +| `common.validations.values.mariadb.passwords` | This helper will ensure required password for MariaDB are not empty. It returns a shared error for all the values. | `dict "secret" "mariadb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mariadb chart and the helper. | +| `common.validations.values.mysql.passwords` | This helper will ensure required password for MySQL are not empty. It returns a shared error for all the values. | `dict "secret" "mysql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mysql chart and the helper. | +| `common.validations.values.postgresql.passwords` | This helper will ensure required password for PostgreSQL are not empty. It returns a shared error for all the values. | `dict "secret" "postgresql-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use postgresql chart and the helper. | +| `common.validations.values.redis.passwords` | This helper will ensure required password for Redis® are not empty. It returns a shared error for all the values. | `dict "secret" "redis-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use redis chart and the helper. | +| `common.validations.values.cassandra.passwords` | This helper will ensure required password for Cassandra are not empty. It returns a shared error for all the values. | `dict "secret" "cassandra-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use cassandra chart and the helper. | +| `common.validations.values.mongodb.passwords` | This helper will ensure required password for MongoDB® are not empty. It returns a shared error for all the values. | `dict "secret" "mongodb-secret" "subchart" "true" "context" $` subchart field is optional and could be true or false it depends on where you will use mongodb chart and the helper. | + +### Warnings + +| Helper identifier | Description | Expected Input | +|------------------------------|----------------------------------|------------------------------------------------------------| +| `common.warnings.rollingTag` | Warning about using rolling tag. | `ImageRoot` see [ImageRoot](#imageroot) for the structure. | + +## Special input schemas + +### ImageRoot + +```yaml +registry: + type: string + description: Docker registry where the image is located + example: docker.io + +repository: + type: string + description: Repository and image name + example: bitnami/nginx + +tag: + type: string + description: image tag + example: 1.16.1-debian-10-r63 + +pullPolicy: + type: string + description: Specify a imagePullPolicy. Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + +pullSecrets: + type: array + items: + type: string + description: Optionally specify an array of imagePullSecrets (evaluated as templates). + +debug: + type: boolean + description: Set to true if you would like to see extra information on logs + example: false + +## An instance would be: +# registry: docker.io +# repository: bitnami/nginx +# tag: 1.16.1-debian-10-r63 +# pullPolicy: IfNotPresent +# debug: false +``` + +### Persistence + +```yaml +enabled: + type: boolean + description: Whether enable persistence. + example: true + +storageClass: + type: string + description: Ghost data Persistent Volume Storage Class, If set to "-", storageClassName: "" which disables dynamic provisioning. + example: "-" + +accessMode: + type: string + description: Access mode for the Persistent Volume Storage. + example: ReadWriteOnce + +size: + type: string + description: Size the Persistent Volume Storage. + example: 8Gi + +path: + type: string + description: Path to be persisted. + example: /bitnami + +## An instance would be: +# enabled: true +# storageClass: "-" +# accessMode: ReadWriteOnce +# size: 8Gi +# path: /bitnami +``` + +### ExistingSecret + +```yaml +name: + type: string + description: Name of the existing secret. + example: mySecret +keyMapping: + description: Mapping between the expected key name and the name of the key in the existing secret. + type: object + +## An instance would be: +# name: mySecret +# keyMapping: +# password: myPasswordKey +``` + +#### Example of use + +When we store sensitive data for a deployment in a secret, some times we want to give to users the possibility of using theirs existing secrets. + +```yaml +# templates/secret.yaml +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }} + labels: + app: {{ include "common.names.fullname" . }} +type: Opaque +data: + password: {{ .Values.password | b64enc | quote }} + +# templates/dpl.yaml +--- +... + env: + - name: PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "common.secrets.name" (dict "existingSecret" .Values.existingSecret "context" $) }} + key: {{ include "common.secrets.key" (dict "existingSecret" .Values.existingSecret "key" "password") }} +... + +# values.yaml +--- +name: mySecret +keyMapping: + password: myPasswordKey +``` + +### ValidateValue + +#### NOTES.txt + +```console +{{- $validateValueConf00 := (dict "valueKey" "path.to.value00" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value01" "secret" "secretName" "field" "password-01") -}} + +{{ include "common.validations.values.multiple.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} +``` + +If we force those values to be empty we will see some alerts + +```console +$ helm install test mychart --set path.to.value00="",path.to.value01="" + 'path.to.value00' must not be empty, please add '--set path.to.value00=$PASSWORD_00' to the command. To get the current value: + + export PASSWORD_00=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-00}" | base64 -d) + + 'path.to.value01' must not be empty, please add '--set path.to.value01=$PASSWORD_01' to the command. To get the current value: + + export PASSWORD_01=$(kubectl get secret --namespace default secretName -o jsonpath="{.data.password-01}" | base64 -d) +``` + +## Upgrading + +### To 1.0.0 + +[On November 13, 2020, Helm v2 support was formally finished](https://github.com/helm/charts#status-of-the-project), this major version is the result of the required changes applied to the Helm Chart to be able to incorporate the different features added in Helm v3 and to be consistent with the Helm project itself regarding the Helm v2 EOL. + +**What changes were introduced in this major version?** + +- Previous versions of this Helm Chart use `apiVersion: v1` (installable by both Helm 2 and 3), this Helm Chart was updated to `apiVersion: v2` (installable by Helm 3 only). [Here](https://helm.sh/docs/topics/charts/#the-apiversion-field) you can find more information about the `apiVersion` field. +- Use `type: library`. [Here](https://v3.helm.sh/docs/faq/#library-chart-support) you can find more information. +- The different fields present in the *Chart.yaml* file has been ordered alphabetically in a homogeneous way for all the Bitnami Helm Charts + +**Considerations when upgrading to this version** + +- If you want to upgrade to this version from a previous one installed with Helm v3, you shouldn't face any issues +- If you want to upgrade to this version using Helm v2, this scenario is not supported as this version doesn't support Helm v2 anymore +- If you installed the previous version with Helm v2 and wants to upgrade to this version with Helm v3, please refer to the [official Helm documentation](https://helm.sh/docs/topics/v2_v3_migration/#migration-use-cases) about migrating from Helm v2 to v3 + +**Useful links** + +- https://docs.bitnami.com/tutorials/resolve-helm2-helm3-post-migration-issues/ +- https://helm.sh/docs/topics/v2_v3_migration/ +- https://helm.sh/blog/migrate-from-helm-v2-to-helm-v3/ + +## License + +Copyright © 2022 Bitnami + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. diff --git a/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_affinities.tpl b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_affinities.tpl new file mode 100644 index 000000000..2387be262 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_affinities.tpl @@ -0,0 +1,102 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return a soft nodeAffinity definition +{{ include "common.affinities.nodes.soft" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.soft" -}} +preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} + weight: 1 +{{- end -}} + +{{/* +Return a hard nodeAffinity definition +{{ include "common.affinities.nodes.hard" (dict "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes.hard" -}} +requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: {{ .key }} + operator: In + values: + {{- range .values }} + - {{ . | quote }} + {{- end }} +{{- end -}} + +{{/* +Return a nodeAffinity definition +{{ include "common.affinities.nodes" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.nodes" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.nodes.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.nodes.hard" . -}} + {{- end -}} +{{- end -}} + +{{/* +Return a soft podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.soft" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}} +*/}} +{{- define "common.affinities.pods.soft" -}} +{{- $component := default "" .component -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 10 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + namespaces: + - {{ include "common.names.namespace" .context | quote }} + topologyKey: kubernetes.io/hostname + weight: 1 +{{- end -}} + +{{/* +Return a hard podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods.hard" (dict "component" "FOO" "extraMatchLabels" .Values.extraMatchLabels "context" $) -}} +*/}} +{{- define "common.affinities.pods.hard" -}} +{{- $component := default "" .component -}} +{{- $extraMatchLabels := default (dict) .extraMatchLabels -}} +requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: {{- (include "common.labels.matchLabels" .context) | nindent 8 }} + {{- if not (empty $component) }} + {{ printf "app.kubernetes.io/component: %s" $component }} + {{- end }} + {{- range $key, $value := $extraMatchLabels }} + {{ $key }}: {{ $value | quote }} + {{- end }} + namespaces: + - {{ include "common.names.namespace" .context | quote }} + topologyKey: kubernetes.io/hostname +{{- end -}} + +{{/* +Return a podAffinity/podAntiAffinity definition +{{ include "common.affinities.pods" (dict "type" "soft" "key" "FOO" "values" (list "BAR" "BAZ")) -}} +*/}} +{{- define "common.affinities.pods" -}} + {{- if eq .type "soft" }} + {{- include "common.affinities.pods.soft" . -}} + {{- else if eq .type "hard" }} + {{- include "common.affinities.pods.hard" . -}} + {{- end -}} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_capabilities.tpl b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_capabilities.tpl new file mode 100644 index 000000000..9d9b76004 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_capabilities.tpl @@ -0,0 +1,154 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Return the target Kubernetes version +*/}} +{{- define "common.capabilities.kubeVersion" -}} +{{- if .Values.global }} + {{- if .Values.global.kubeVersion }} + {{- .Values.global.kubeVersion -}} + {{- else }} + {{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} + {{- end -}} +{{- else }} +{{- default .Capabilities.KubeVersion.Version .Values.kubeVersion -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for poddisruptionbudget. +*/}} +{{- define "common.capabilities.policy.apiVersion" -}} +{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "policy/v1beta1" -}} +{{- else -}} +{{- print "policy/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for networkpolicy. +*/}} +{{- define "common.capabilities.networkPolicy.apiVersion" -}} +{{- if semverCompare "<1.7-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for cronjob. +*/}} +{{- define "common.capabilities.cronjob.apiVersion" -}} +{{- if semverCompare "<1.21-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "batch/v1beta1" -}} +{{- else -}} +{{- print "batch/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for deployment. +*/}} +{{- define "common.capabilities.deployment.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for statefulset. +*/}} +{{- define "common.capabilities.statefulset.apiVersion" -}} +{{- if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apps/v1beta1" -}} +{{- else -}} +{{- print "apps/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for ingress. +*/}} +{{- define "common.capabilities.ingress.apiVersion" -}} +{{- if .Values.ingress -}} +{{- if .Values.ingress.apiVersion -}} +{{- .Values.ingress.apiVersion -}} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end }} +{{- else if semverCompare "<1.14-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "extensions/v1beta1" -}} +{{- else if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "networking.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "networking.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for RBAC resources. +*/}} +{{- define "common.capabilities.rbac.apiVersion" -}} +{{- if semverCompare "<1.17-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "rbac.authorization.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "rbac.authorization.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for CRDs. +*/}} +{{- define "common.capabilities.crd.apiVersion" -}} +{{- if semverCompare "<1.19-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiextensions.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiextensions.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for APIService. +*/}} +{{- define "common.capabilities.apiService.apiVersion" -}} +{{- if semverCompare "<1.10-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "apiregistration.k8s.io/v1beta1" -}} +{{- else -}} +{{- print "apiregistration.k8s.io/v1" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the appropriate apiVersion for Horizontal Pod Autoscaler. +*/}} +{{- define "common.capabilities.hpa.apiVersion" -}} +{{- if semverCompare "<1.23-0" (include "common.capabilities.kubeVersion" .context) -}} +{{- if .beta2 -}} +{{- print "autoscaling/v2beta2" -}} +{{- else -}} +{{- print "autoscaling/v2beta1" -}} +{{- end -}} +{{- else -}} +{{- print "autoscaling/v2" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the used Helm version is 3.3+. +A way to check the used Helm version was not introduced until version 3.3.0 with .Capabilities.HelmVersion, which contains an additional "{}}" structure. +This check is introduced as a regexMatch instead of {{ if .Capabilities.HelmVersion }} because checking for the key HelmVersion in <3.3 results in a "interface not found" error. +**To be removed when the catalog's minimun Helm version is 3.3** +*/}} +{{- define "common.capabilities.supportsHelmVersion" -}} +{{- if regexMatch "{(v[0-9])*[^}]*}}$" (.Capabilities | toString ) }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_errors.tpl b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_errors.tpl new file mode 100644 index 000000000..a79cc2e32 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_errors.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Through error when upgrading using empty passwords values that must not be empty. + +Usage: +{{- $validationError00 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password00" "secret" "secretName" "field" "password-00") -}} +{{- $validationError01 := include "common.validations.values.single.empty" (dict "valueKey" "path.to.password01" "secret" "secretName" "field" "password-01") -}} +{{ include "common.errors.upgrade.passwords.empty" (dict "validationErrors" (list $validationError00 $validationError01) "context" $) }} + +Required password params: + - validationErrors - String - Required. List of validation strings to be return, if it is empty it won't throw error. + - context - Context - Required. Parent context. +*/}} +{{- define "common.errors.upgrade.passwords.empty" -}} + {{- $validationErrors := join "" .validationErrors -}} + {{- if and $validationErrors .context.Release.IsUpgrade -}} + {{- $errorString := "\nPASSWORDS ERROR: You must provide your current passwords when upgrading the release." -}} + {{- $errorString = print $errorString "\n Note that even after reinstallation, old credentials may be needed as they may be kept in persistent volume claims." -}} + {{- $errorString = print $errorString "\n Further information can be obtained at https://docs.bitnami.com/general/how-to/troubleshoot-helm-chart-issues/#credential-errors-while-upgrading-chart-releases" -}} + {{- $errorString = print $errorString "\n%s" -}} + {{- printf $errorString $validationErrors | fail -}} + {{- end -}} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_images.tpl b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_images.tpl new file mode 100644 index 000000000..46c659e79 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_images.tpl @@ -0,0 +1,76 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper image name +{{ include "common.images.image" ( dict "imageRoot" .Values.path.to.the.image "global" $) }} +*/}} +{{- define "common.images.image" -}} +{{- $registryName := .imageRoot.registry -}} +{{- $repositoryName := .imageRoot.repository -}} +{{- $separator := ":" -}} +{{- $termination := .imageRoot.tag | toString -}} +{{- if .global }} + {{- if .global.imageRegistry }} + {{- $registryName = .global.imageRegistry -}} + {{- end -}} +{{- end -}} +{{- if .imageRoot.digest }} + {{- $separator = "@" -}} + {{- $termination = .imageRoot.digest | toString -}} +{{- end -}} +{{- printf "%s/%s%s%s" $registryName $repositoryName $separator $termination -}} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names (deprecated: use common.images.renderPullSecrets instead) +{{ include "common.images.pullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "global" .Values.global) }} +*/}} +{{- define "common.images.pullSecrets" -}} + {{- $pullSecrets := list }} + + {{- if .global }} + {{- range .global.imagePullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- $pullSecrets = append $pullSecrets . -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names evaluating values as templates +{{ include "common.images.renderPullSecrets" ( dict "images" (list .Values.path.to.the.image1, .Values.path.to.the.image2) "context" $) }} +*/}} +{{- define "common.images.renderPullSecrets" -}} + {{- $pullSecrets := list }} + {{- $context := .context }} + + {{- if $context.Values.global }} + {{- range $context.Values.global.imagePullSecrets -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + + {{- range .images -}} + {{- range .pullSecrets -}} + {{- $pullSecrets = append $pullSecrets (include "common.tplvalues.render" (dict "value" . "context" $context)) -}} + {{- end -}} + {{- end -}} + + {{- if (not (empty $pullSecrets)) }} +imagePullSecrets: + {{- range $pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_ingress.tpl b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_ingress.tpl new file mode 100644 index 000000000..831da9caa --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_ingress.tpl @@ -0,0 +1,68 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Generate backend entry that is compatible with all Kubernetes API versions. + +Usage: +{{ include "common.ingress.backend" (dict "serviceName" "backendName" "servicePort" "backendPort" "context" $) }} + +Params: + - serviceName - String. Name of an existing service backend + - servicePort - String/Int. Port name (or number) of the service. It will be translated to different yaml depending if it is a string or an integer. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.ingress.backend" -}} +{{- $apiVersion := (include "common.capabilities.ingress.apiVersion" .context) -}} +{{- if or (eq $apiVersion "extensions/v1beta1") (eq $apiVersion "networking.k8s.io/v1beta1") -}} +serviceName: {{ .serviceName }} +servicePort: {{ .servicePort }} +{{- else -}} +service: + name: {{ .serviceName }} + port: + {{- if typeIs "string" .servicePort }} + name: {{ .servicePort }} + {{- else if or (typeIs "int" .servicePort) (typeIs "float64" .servicePort) }} + number: {{ .servicePort | int }} + {{- end }} +{{- end -}} +{{- end -}} + +{{/* +Print "true" if the API pathType field is supported +Usage: +{{ include "common.ingress.supportsPathType" . }} +*/}} +{{- define "common.ingress.supportsPathType" -}} +{{- if (semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Returns true if the ingressClassname field is supported +Usage: +{{ include "common.ingress.supportsIngressClassname" . }} +*/}} +{{- define "common.ingress.supportsIngressClassname" -}} +{{- if semverCompare "<1.18-0" (include "common.capabilities.kubeVersion" .) -}} +{{- print "false" -}} +{{- else -}} +{{- print "true" -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if cert-manager required annotations for TLS signed +certificates are set in the Ingress annotations +Ref: https://cert-manager.io/docs/usage/ingress/#supported-annotations +Usage: +{{ include "common.ingress.certManagerRequest" ( dict "annotations" .Values.path.to.the.ingress.annotations ) }} +*/}} +{{- define "common.ingress.certManagerRequest" -}} +{{ if or (hasKey .annotations "cert-manager.io/cluster-issuer") (hasKey .annotations "cert-manager.io/issuer") (hasKey .annotations "kubernetes.io/tls-acme") }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_labels.tpl b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_labels.tpl new file mode 100644 index 000000000..252066c7e --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_labels.tpl @@ -0,0 +1,18 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Kubernetes standard labels +*/}} +{{- define "common.labels.standard" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +helm.sh/chart: {{ include "common.names.chart" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end -}} + +{{/* +Labels to use on deploy.spec.selector.matchLabels and svc.spec.selector +*/}} +{{- define "common.labels.matchLabels" -}} +app.kubernetes.io/name: {{ include "common.names.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_names.tpl b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_names.tpl new file mode 100644 index 000000000..1bdac8b77 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_names.tpl @@ -0,0 +1,70 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "common.names.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "common.names.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "common.names.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified dependency name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +Usage: +{{ include "common.names.dependency.fullname" (dict "chartName" "dependency-chart-name" "chartValues" .Values.dependency-chart "context" $) }} +*/}} +{{- define "common.names.dependency.fullname" -}} +{{- if .chartValues.fullnameOverride -}} +{{- .chartValues.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .chartName .chartValues.nameOverride -}} +{{- if contains $name .context.Release.Name -}} +{{- .context.Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .context.Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Allow the release namespace to be overridden for multi-namespace deployments in combined charts. +*/}} +{{- define "common.names.namespace" -}} +{{- if .Values.namespaceOverride -}} +{{- .Values.namespaceOverride -}} +{{- else -}} +{{- .Release.Namespace -}} +{{- end -}} +{{- end -}} + +{{/* +Create a fully qualified app name adding the installation's namespace. +*/}} +{{- define "common.names.fullname.namespace" -}} +{{- printf "%s-%s" (include "common.names.fullname" .) (include "common.names.namespace" .) | trunc 63 | trimSuffix "-" -}} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_secrets.tpl b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_secrets.tpl new file mode 100644 index 000000000..fa18f73a4 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_secrets.tpl @@ -0,0 +1,140 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Generate secret name. + +Usage: +{{ include "common.secrets.name" (dict "existingSecret" .Values.path.to.the.existingSecret "defaultNameSuffix" "mySuffix" "context" $) }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret + - defaultNameSuffix - String - Optional. It is used only if we have several secrets in the same deployment. + - context - Dict - Required. The context for the template evaluation. +*/}} +{{- define "common.secrets.name" -}} +{{- $name := (include "common.names.fullname" .context) -}} + +{{- if .defaultNameSuffix -}} +{{- $name = printf "%s-%s" $name .defaultNameSuffix | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- with .existingSecret -}} +{{- if not (typeIs "string" .) -}} +{{- with .name -}} +{{- $name = . -}} +{{- end -}} +{{- else -}} +{{- $name = . -}} +{{- end -}} +{{- end -}} + +{{- printf "%s" $name -}} +{{- end -}} + +{{/* +Generate secret key. + +Usage: +{{ include "common.secrets.key" (dict "existingSecret" .Values.path.to.the.existingSecret "key" "keyName") }} + +Params: + - existingSecret - ExistingSecret/String - Optional. The path to the existing secrets in the values.yaml given by the user + to be used instead of the default one. Allows for it to be of type String (just the secret name) for backwards compatibility. + +info: https://github.com/bitnami/charts/tree/main/bitnami/common#existingsecret + - key - String - Required. Name of the key in the secret. +*/}} +{{- define "common.secrets.key" -}} +{{- $key := .key -}} + +{{- if .existingSecret -}} + {{- if not (typeIs "string" .existingSecret) -}} + {{- if .existingSecret.keyMapping -}} + {{- $key = index .existingSecret.keyMapping $.key -}} + {{- end -}} + {{- end }} +{{- end -}} + +{{- printf "%s" $key -}} +{{- end -}} + +{{/* +Generate secret password or retrieve one if already created. + +Usage: +{{ include "common.secrets.passwords.manage" (dict "secret" "secret-name" "key" "keyName" "providedValues" (list "path.to.password1" "path.to.password2") "length" 10 "strong" false "chartName" "chartName" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - key - String - Required - Name of the key in the secret. + - providedValues - List - Required - The path to the validating value in the values.yaml, e.g: "mysql.password". Will pick first parameter with a defined value. + - length - int - Optional - Length of the generated random password. + - strong - Boolean - Optional - Whether to add symbols to the generated random password. + - chartName - String - Optional - Name of the chart used when said chart is deployed as a subchart. + - context - Context - Required - Parent context. + +The order in which this function returns a secret password: + 1. Already existing 'Secret' resource + (If a 'Secret' resource is found under the name provided to the 'secret' parameter to this function and that 'Secret' resource contains a key with the name passed as the 'key' parameter to this function then the value of this existing secret password will be returned) + 2. Password provided via the values.yaml + (If one of the keys passed to the 'providedValues' parameter to this function is a valid path to a key in the values.yaml and has a value, the value of the first key with a value will be returned) + 3. Randomly generated secret password + (A new random secret password with the length specified in the 'length' parameter will be generated and returned) + +*/}} +{{- define "common.secrets.passwords.manage" -}} + +{{- $password := "" }} +{{- $subchart := "" }} +{{- $chartName := default "" .chartName }} +{{- $passwordLength := default 10 .length }} +{{- $providedPasswordKey := include "common.utils.getKeyFromList" (dict "keys" .providedValues "context" $.context) }} +{{- $providedPasswordValue := include "common.utils.getValueFromKey" (dict "key" $providedPasswordKey "context" $.context) }} +{{- $secretData := (lookup "v1" "Secret" $.context.Release.Namespace .secret).data }} +{{- if $secretData }} + {{- if hasKey $secretData .key }} + {{- $password = index $secretData .key | quote }} + {{- else }} + {{- printf "\nPASSWORDS ERROR: The secret \"%s\" does not contain the key \"%s\"\n" .secret .key | fail -}} + {{- end -}} +{{- else if $providedPasswordValue }} + {{- $password = $providedPasswordValue | toString | b64enc | quote }} +{{- else }} + + {{- if .context.Values.enabled }} + {{- $subchart = $chartName }} + {{- end -}} + + {{- $requiredPassword := dict "valueKey" $providedPasswordKey "secret" .secret "field" .key "subchart" $subchart "context" $.context -}} + {{- $requiredPasswordError := include "common.validations.values.single.empty" $requiredPassword -}} + {{- $passwordValidationErrors := list $requiredPasswordError -}} + {{- include "common.errors.upgrade.passwords.empty" (dict "validationErrors" $passwordValidationErrors "context" $.context) -}} + + {{- if .strong }} + {{- $subStr := list (lower (randAlpha 1)) (randNumeric 1) (upper (randAlpha 1)) | join "_" }} + {{- $password = randAscii $passwordLength }} + {{- $password = regexReplaceAllLiteral "\\W" $password "@" | substr 5 $passwordLength }} + {{- $password = printf "%s%s" $subStr $password | toString | shuffle | b64enc | quote }} + {{- else }} + {{- $password = randAlphaNum $passwordLength | b64enc | quote }} + {{- end }} +{{- end -}} +{{- printf "%s" $password -}} +{{- end -}} + +{{/* +Returns whether a previous generated secret already exists + +Usage: +{{ include "common.secrets.exists" (dict "secret" "secret-name" "context" $) }} + +Params: + - secret - String - Required - Name of the 'Secret' resource where the password is stored. + - context - Context - Required - Parent context. +*/}} +{{- define "common.secrets.exists" -}} +{{- $secret := (lookup "v1" "Secret" $.context.Release.Namespace .secret) }} +{{- if $secret }} + {{- true -}} +{{- end -}} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_storage.tpl b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_storage.tpl new file mode 100644 index 000000000..60e2a844f --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_storage.tpl @@ -0,0 +1,23 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Return the proper Storage Class +{{ include "common.storage.class" ( dict "persistence" .Values.path.to.the.persistence "global" $) }} +*/}} +{{- define "common.storage.class" -}} + +{{- $storageClass := .persistence.storageClass -}} +{{- if .global -}} + {{- if .global.storageClass -}} + {{- $storageClass = .global.storageClass -}} + {{- end -}} +{{- end -}} + +{{- if $storageClass -}} + {{- if (eq "-" $storageClass) -}} + {{- printf "storageClassName: \"\"" -}} + {{- else }} + {{- printf "storageClassName: %s" $storageClass -}} + {{- end -}} +{{- end -}} + +{{- end -}} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_tplvalues.tpl b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_tplvalues.tpl new file mode 100644 index 000000000..2db166851 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_tplvalues.tpl @@ -0,0 +1,13 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Renders a value that contains template. +Usage: +{{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }} +*/}} +{{- define "common.tplvalues.render" -}} + {{- if typeIs "string" .value }} + {{- tpl .value .context }} + {{- else }} + {{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_utils.tpl b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_utils.tpl new file mode 100644 index 000000000..8c22b2a38 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_utils.tpl @@ -0,0 +1,62 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Print instructions to get a secret value. +Usage: +{{ include "common.utils.secret.getvalue" (dict "secret" "secret-name" "field" "secret-value-field" "context" $) }} +*/}} +{{- define "common.utils.secret.getvalue" -}} +{{- $varname := include "common.utils.fieldToEnvVar" . -}} +export {{ $varname }}=$(kubectl get secret --namespace {{ .context.Release.Namespace | quote }} {{ .secret }} -o jsonpath="{.data.{{ .field }}}" | base64 -d) +{{- end -}} + +{{/* +Build env var name given a field +Usage: +{{ include "common.utils.fieldToEnvVar" dict "field" "my-password" }} +*/}} +{{- define "common.utils.fieldToEnvVar" -}} + {{- $fieldNameSplit := splitList "-" .field -}} + {{- $upperCaseFieldNameSplit := list -}} + + {{- range $fieldNameSplit -}} + {{- $upperCaseFieldNameSplit = append $upperCaseFieldNameSplit ( upper . ) -}} + {{- end -}} + + {{ join "_" $upperCaseFieldNameSplit }} +{{- end -}} + +{{/* +Gets a value from .Values given +Usage: +{{ include "common.utils.getValueFromKey" (dict "key" "path.to.key" "context" $) }} +*/}} +{{- define "common.utils.getValueFromKey" -}} +{{- $splitKey := splitList "." .key -}} +{{- $value := "" -}} +{{- $latestObj := $.context.Values -}} +{{- range $splitKey -}} + {{- if not $latestObj -}} + {{- printf "please review the entire path of '%s' exists in values" $.key | fail -}} + {{- end -}} + {{- $value = ( index $latestObj . ) -}} + {{- $latestObj = $value -}} +{{- end -}} +{{- printf "%v" (default "" $value) -}} +{{- end -}} + +{{/* +Returns first .Values key with a defined value or first of the list if all non-defined +Usage: +{{ include "common.utils.getKeyFromList" (dict "keys" (list "path.to.key1" "path.to.key2") "context" $) }} +*/}} +{{- define "common.utils.getKeyFromList" -}} +{{- $key := first .keys -}} +{{- $reverseKeys := reverse .keys }} +{{- range $reverseKeys }} + {{- $value := include "common.utils.getValueFromKey" (dict "key" . "context" $.context ) }} + {{- if $value -}} + {{- $key = . }} + {{- end -}} +{{- end -}} +{{- printf "%s" $key -}} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_warnings.tpl b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_warnings.tpl new file mode 100644 index 000000000..ae10fa41e --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/_warnings.tpl @@ -0,0 +1,14 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Warning about using rolling tag. +Usage: +{{ include "common.warnings.rollingTag" .Values.path.to.the.imageRoot }} +*/}} +{{- define "common.warnings.rollingTag" -}} + +{{- if and (contains "bitnami/" .repository) (not (.tag | toString | regexFind "-r\\d+$|sha256:")) }} +WARNING: Rolling tag detected ({{ .repository }}:{{ .tag }}), please note that it is strongly recommended to avoid using rolling tags in a production environment. ++info https://docs.bitnami.com/containers/how-to/understand-rolling-tags-containers/ +{{- end }} + +{{- end -}} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/validations/_cassandra.tpl b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/validations/_cassandra.tpl new file mode 100644 index 000000000..ded1ae3bc --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/validations/_cassandra.tpl @@ -0,0 +1,72 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Cassandra required passwords are not empty. + +Usage: +{{ include "common.validations.values.cassandra.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where Cassandra values are stored, e.g: "cassandra-passwords-secret" + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.cassandra.passwords" -}} + {{- $existingSecret := include "common.cassandra.values.existingSecret" . -}} + {{- $enabled := include "common.cassandra.values.enabled" . -}} + {{- $dbUserPrefix := include "common.cassandra.values.key.dbUser" . -}} + {{- $valueKeyPassword := printf "%s.password" $dbUserPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "cassandra-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.cassandra.values.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.cassandra.dbUser.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.dbUser.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled cassandra. + +Usage: +{{ include "common.cassandra.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.cassandra.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.cassandra.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key dbUser + +Usage: +{{ include "common.cassandra.values.key.dbUser" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether Cassandra is used as subchart or not. Default: false +*/}} +{{- define "common.cassandra.values.key.dbUser" -}} + {{- if .subchart -}} + cassandra.dbUser + {{- else -}} + dbUser + {{- end -}} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/validations/_mariadb.tpl b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/validations/_mariadb.tpl new file mode 100644 index 000000000..b6906ff77 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/validations/_mariadb.tpl @@ -0,0 +1,103 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MariaDB required passwords are not empty. + +Usage: +{{ include "common.validations.values.mariadb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MariaDB values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mariadb.passwords" -}} + {{- $existingSecret := include "common.mariadb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mariadb.values.enabled" . -}} + {{- $architecture := include "common.mariadb.values.architecture" . -}} + {{- $authPrefix := include "common.mariadb.values.key.auth" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mariadb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- if not (empty $valueUsername) -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mariadb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replication") -}} + {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mariadb-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mariadb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mariadb. + +Usage: +{{ include "common.mariadb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mariadb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mariadb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mariadb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mariadb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mariadb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MariaDB is used as subchart or not. Default: false +*/}} +{{- define "common.mariadb.values.key.auth" -}} + {{- if .subchart -}} + mariadb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/validations/_mongodb.tpl b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/validations/_mongodb.tpl new file mode 100644 index 000000000..f820ec107 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/validations/_mongodb.tpl @@ -0,0 +1,108 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MongoDB® required passwords are not empty. + +Usage: +{{ include "common.validations.values.mongodb.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MongoDB® values are stored, e.g: "mongodb-passwords-secret" + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mongodb.passwords" -}} + {{- $existingSecret := include "common.mongodb.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mongodb.values.enabled" . -}} + {{- $authPrefix := include "common.mongodb.values.key.auth" . -}} + {{- $architecture := include "common.mongodb.values.architecture" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyDatabase := printf "%s.database" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicaSetKey := printf "%s.replicaSetKey" $authPrefix -}} + {{- $valueKeyAuthEnabled := printf "%s.enabled" $authPrefix -}} + + {{- $authEnabled := include "common.utils.getValueFromKey" (dict "key" $valueKeyAuthEnabled "context" .context) -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") (eq $authEnabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mongodb-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- $valueDatabase := include "common.utils.getValueFromKey" (dict "key" $valueKeyDatabase "context" .context) }} + {{- if and $valueUsername $valueDatabase -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mongodb-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replicaset") -}} + {{- $requiredReplicaSetKey := dict "valueKey" $valueKeyReplicaSetKey "secret" .secret "field" "mongodb-replica-set-key" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicaSetKey -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mongodb.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDb is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mongodb. + +Usage: +{{ include "common.mongodb.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mongodb.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mongodb.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mongodb.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.key.auth" -}} + {{- if .subchart -}} + mongodb.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mongodb.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MongoDB® is used as subchart or not. Default: false +*/}} +{{- define "common.mongodb.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mongodb.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/validations/_mysql.tpl b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/validations/_mysql.tpl new file mode 100644 index 000000000..74472a061 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/validations/_mysql.tpl @@ -0,0 +1,103 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate MySQL required passwords are not empty. + +Usage: +{{ include "common.validations.values.mysql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where MySQL values are stored, e.g: "mysql-passwords-secret" + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.mysql.passwords" -}} + {{- $existingSecret := include "common.mysql.values.auth.existingSecret" . -}} + {{- $enabled := include "common.mysql.values.enabled" . -}} + {{- $architecture := include "common.mysql.values.architecture" . -}} + {{- $authPrefix := include "common.mysql.values.key.auth" . -}} + {{- $valueKeyRootPassword := printf "%s.rootPassword" $authPrefix -}} + {{- $valueKeyUsername := printf "%s.username" $authPrefix -}} + {{- $valueKeyPassword := printf "%s.password" $authPrefix -}} + {{- $valueKeyReplicationPassword := printf "%s.replicationPassword" $authPrefix -}} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $requiredRootPassword := dict "valueKey" $valueKeyRootPassword "secret" .secret "field" "mysql-root-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRootPassword -}} + + {{- $valueUsername := include "common.utils.getValueFromKey" (dict "key" $valueKeyUsername "context" .context) }} + {{- if not (empty $valueUsername) -}} + {{- $requiredPassword := dict "valueKey" $valueKeyPassword "secret" .secret "field" "mysql-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPassword -}} + {{- end -}} + + {{- if (eq $architecture "replication") -}} + {{- $requiredReplicationPassword := dict "valueKey" $valueKeyReplicationPassword "secret" .secret "field" "mysql-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.mysql.values.auth.existingSecret" (dict "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.auth.existingSecret" -}} + {{- if .subchart -}} + {{- .context.Values.mysql.auth.existingSecret | quote -}} + {{- else -}} + {{- .context.Values.auth.existingSecret | quote -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled mysql. + +Usage: +{{ include "common.mysql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.mysql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.mysql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for architecture + +Usage: +{{ include "common.mysql.values.architecture" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.architecture" -}} + {{- if .subchart -}} + {{- .context.Values.mysql.architecture -}} + {{- else -}} + {{- .context.Values.architecture -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key auth + +Usage: +{{ include "common.mysql.values.key.auth" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether MySQL is used as subchart or not. Default: false +*/}} +{{- define "common.mysql.values.key.auth" -}} + {{- if .subchart -}} + mysql.auth + {{- else -}} + auth + {{- end -}} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/validations/_postgresql.tpl b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/validations/_postgresql.tpl new file mode 100644 index 000000000..164ec0d01 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/validations/_postgresql.tpl @@ -0,0 +1,129 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate PostgreSQL required passwords are not empty. + +Usage: +{{ include "common.validations.values.postgresql.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where postgresql values are stored, e.g: "postgresql-passwords-secret" + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.postgresql.passwords" -}} + {{- $existingSecret := include "common.postgresql.values.existingSecret" . -}} + {{- $enabled := include "common.postgresql.values.enabled" . -}} + {{- $valueKeyPostgresqlPassword := include "common.postgresql.values.key.postgressPassword" . -}} + {{- $valueKeyPostgresqlReplicationEnabled := include "common.postgresql.values.key.replicationPassword" . -}} + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + {{- $requiredPostgresqlPassword := dict "valueKey" $valueKeyPostgresqlPassword "secret" .secret "field" "postgresql-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlPassword -}} + + {{- $enabledReplication := include "common.postgresql.values.enabled.replication" . -}} + {{- if (eq $enabledReplication "true") -}} + {{- $requiredPostgresqlReplicationPassword := dict "valueKey" $valueKeyPostgresqlReplicationEnabled "secret" .secret "field" "postgresql-replication-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredPostgresqlReplicationPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to decide whether evaluate global values. + +Usage: +{{ include "common.postgresql.values.use.global" (dict "key" "key-of-global" "context" $) }} +Params: + - key - String - Required. Field to be evaluated within global, e.g: "existingSecret" +*/}} +{{- define "common.postgresql.values.use.global" -}} + {{- if .context.Values.global -}} + {{- if .context.Values.global.postgresql -}} + {{- index .context.Values.global.postgresql .key | quote -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for existingSecret. + +Usage: +{{ include "common.postgresql.values.existingSecret" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.existingSecret" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "existingSecret" "context" .context) -}} + + {{- if .subchart -}} + {{- default (.context.Values.postgresql.existingSecret | quote) $globalValue -}} + {{- else -}} + {{- default (.context.Values.existingSecret | quote) $globalValue -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled postgresql. + +Usage: +{{ include "common.postgresql.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.postgresql.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key postgressPassword. + +Usage: +{{ include "common.postgresql.values.key.postgressPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.postgressPassword" -}} + {{- $globalValue := include "common.postgresql.values.use.global" (dict "key" "postgresqlUsername" "context" .context) -}} + + {{- if not $globalValue -}} + {{- if .subchart -}} + postgresql.postgresqlPassword + {{- else -}} + postgresqlPassword + {{- end -}} + {{- else -}} + global.postgresql.postgresqlPassword + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled.replication. + +Usage: +{{ include "common.postgresql.values.enabled.replication" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.enabled.replication" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.postgresql.replication.enabled -}} + {{- else -}} + {{- printf "%v" .context.Values.replication.enabled -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for the key replication.password. + +Usage: +{{ include "common.postgresql.values.key.replicationPassword" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether postgresql is used as subchart or not. Default: false +*/}} +{{- define "common.postgresql.values.key.replicationPassword" -}} + {{- if .subchart -}} + postgresql.replication.password + {{- else -}} + replication.password + {{- end -}} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/validations/_redis.tpl b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/validations/_redis.tpl new file mode 100644 index 000000000..dcccfc1ae --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/validations/_redis.tpl @@ -0,0 +1,76 @@ + +{{/* vim: set filetype=mustache: */}} +{{/* +Validate Redis® required passwords are not empty. + +Usage: +{{ include "common.validations.values.redis.passwords" (dict "secret" "secretName" "subchart" false "context" $) }} +Params: + - secret - String - Required. Name of the secret where redis values are stored, e.g: "redis-passwords-secret" + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.validations.values.redis.passwords" -}} + {{- $enabled := include "common.redis.values.enabled" . -}} + {{- $valueKeyPrefix := include "common.redis.values.keys.prefix" . -}} + {{- $standarizedVersion := include "common.redis.values.standarized.version" . }} + + {{- $existingSecret := ternary (printf "%s%s" $valueKeyPrefix "auth.existingSecret") (printf "%s%s" $valueKeyPrefix "existingSecret") (eq $standarizedVersion "true") }} + {{- $existingSecretValue := include "common.utils.getValueFromKey" (dict "key" $existingSecret "context" .context) }} + + {{- $valueKeyRedisPassword := ternary (printf "%s%s" $valueKeyPrefix "auth.password") (printf "%s%s" $valueKeyPrefix "password") (eq $standarizedVersion "true") }} + {{- $valueKeyRedisUseAuth := ternary (printf "%s%s" $valueKeyPrefix "auth.enabled") (printf "%s%s" $valueKeyPrefix "usePassword") (eq $standarizedVersion "true") }} + + {{- if and (or (not $existingSecret) (eq $existingSecret "\"\"")) (eq $enabled "true") -}} + {{- $requiredPasswords := list -}} + + {{- $useAuth := include "common.utils.getValueFromKey" (dict "key" $valueKeyRedisUseAuth "context" .context) -}} + {{- if eq $useAuth "true" -}} + {{- $requiredRedisPassword := dict "valueKey" $valueKeyRedisPassword "secret" .secret "field" "redis-password" -}} + {{- $requiredPasswords = append $requiredPasswords $requiredRedisPassword -}} + {{- end -}} + + {{- include "common.validations.values.multiple.empty" (dict "required" $requiredPasswords "context" .context) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right value for enabled redis. + +Usage: +{{ include "common.redis.values.enabled" (dict "context" $) }} +*/}} +{{- define "common.redis.values.enabled" -}} + {{- if .subchart -}} + {{- printf "%v" .context.Values.redis.enabled -}} + {{- else -}} + {{- printf "%v" (not .context.Values.enabled) -}} + {{- end -}} +{{- end -}} + +{{/* +Auxiliary function to get the right prefix path for the values + +Usage: +{{ include "common.redis.values.key.prefix" (dict "subchart" "true" "context" $) }} +Params: + - subchart - Boolean - Optional. Whether redis is used as subchart or not. Default: false +*/}} +{{- define "common.redis.values.keys.prefix" -}} + {{- if .subchart -}}redis.{{- else -}}{{- end -}} +{{- end -}} + +{{/* +Checks whether the redis chart's includes the standarizations (version >= 14) + +Usage: +{{ include "common.redis.values.standarized.version" (dict "context" $) }} +*/}} +{{- define "common.redis.values.standarized.version" -}} + + {{- $standarizedAuth := printf "%s%s" (include "common.redis.values.keys.prefix" .) "auth" -}} + {{- $standarizedAuthValues := include "common.utils.getValueFromKey" (dict "key" $standarizedAuth "context" .context) }} + + {{- if $standarizedAuthValues -}} + {{- true -}} + {{- end -}} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/validations/_validations.tpl b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/validations/_validations.tpl new file mode 100644 index 000000000..9a814cf40 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/templates/validations/_validations.tpl @@ -0,0 +1,46 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Validate values must not be empty. + +Usage: +{{- $validateValueConf00 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-00") -}} +{{- $validateValueConf01 := (dict "valueKey" "path.to.value" "secret" "secretName" "field" "password-01") -}} +{{ include "common.validations.values.empty" (dict "required" (list $validateValueConf00 $validateValueConf01) "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" +*/}} +{{- define "common.validations.values.multiple.empty" -}} + {{- range .required -}} + {{- include "common.validations.values.single.empty" (dict "valueKey" .valueKey "secret" .secret "field" .field "context" $.context) -}} + {{- end -}} +{{- end -}} + +{{/* +Validate a value must not be empty. + +Usage: +{{ include "common.validations.value.empty" (dict "valueKey" "mariadb.password" "secret" "secretName" "field" "my-password" "subchart" "subchart" "context" $) }} + +Validate value params: + - valueKey - String - Required. The path to the validating value in the values.yaml, e.g: "mysql.password" + - secret - String - Optional. Name of the secret where the validating value is generated/stored, e.g: "mysql-passwords-secret" + - field - String - Optional. Name of the field in the secret data, e.g: "mysql-password" + - subchart - String - Optional - Name of the subchart that the validated password is part of. +*/}} +{{- define "common.validations.values.single.empty" -}} + {{- $value := include "common.utils.getValueFromKey" (dict "key" .valueKey "context" .context) }} + {{- $subchart := ternary "" (printf "%s." .subchart) (empty .subchart) }} + + {{- if not $value -}} + {{- $varname := "my-value" -}} + {{- $getCurrentValue := "" -}} + {{- if and .secret .field -}} + {{- $varname = include "common.utils.fieldToEnvVar" . -}} + {{- $getCurrentValue = printf " To get the current value:\n\n %s\n" (include "common.utils.secret.getvalue" .) -}} + {{- end -}} + {{- printf "\n '%s' must not be empty, please add '--set %s%s=$%s' to the command.%s" .valueKey $subchart .valueKey $varname $getCurrentValue -}} + {{- end -}} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/charts/common/values.yaml b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/values.yaml new file mode 100644 index 000000000..f2df68e5e --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/charts/common/values.yaml @@ -0,0 +1,5 @@ +## bitnami/common +## It is required by CI/CD tools and processes. +## @skip exampleValue +## +exampleValue: common-chart diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/NOTES.txt b/charts/kong/kong/2.41.0/charts/postgresql/templates/NOTES.txt new file mode 100644 index 000000000..e0474d4b6 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/NOTES.txt @@ -0,0 +1,89 @@ +CHART NAME: {{ .Chart.Name }} +CHART VERSION: {{ .Chart.Version }} +APP VERSION: {{ .Chart.AppVersion }} + +** Please be patient while the chart is being deployed ** + +{{- if .Values.diagnosticMode.enabled }} +The chart has been deployed in diagnostic mode. All probes have been disabled and the command has been overwritten with: + + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 4 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 4 }} + +Get the list of pods by executing: + + kubectl get pods --namespace {{ .Release.Namespace }} -l app.kubernetes.io/instance={{ .Release.Name }} + +Access the pod you want to debug by executing + + kubectl exec --namespace {{ .Release.Namespace }} -ti -- /opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash + +In order to replicate the container startup scripts execute this command: + + /opt/bitnami/scripts/postgresql/entrypoint.sh /opt/bitnami/scripts/postgresql/run.sh + +{{- else }} + +PostgreSQL can be accessed via port {{ include "postgresql.service.port" . }} on the following DNS names from within your cluster: + + {{ include "postgresql.primary.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read/Write connection + +{{- if eq .Values.architecture "replication" }} + + {{ include "postgresql.readReplica.fullname" . }}.{{ .Release.Namespace }}.svc.cluster.local - Read only connection + +{{- end }} + +{{- $customUser := include "postgresql.username" . }} +{{- if and (not (empty $customUser)) (ne $customUser "postgres") .Values.auth.enablePostgresUser }} + +To get the password for "postgres" run: + + export POSTGRES_ADMIN_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.secretName" . }} -o jsonpath="{.data.postgres-password}" | base64 -d) + +To get the password for "{{ $customUser }}" run: + + export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.secretName" . }} -o jsonpath="{.data.password}" | base64 -d) + +{{- else }} + +To get the password for "{{ default "postgres" $customUser }}" run: + + export POSTGRES_PASSWORD=$(kubectl get secret --namespace {{ .Release.Namespace }} {{ include "postgresql.secretName" . }} -o jsonpath="{.data.{{ ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres")) }}}" | base64 -d) + +{{- end }} + +To connect to your database run the following command: + + kubectl run {{ include "common.names.fullname" . }}-client --rm --tty -i --restart='Never' --namespace {{ .Release.Namespace }} --image {{ include "postgresql.image" . }} --env="PGPASSWORD=$POSTGRES_PASSWORD" \ + --command -- psql --host {{ include "postgresql.primary.fullname" . }} -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.service.port" . }} + + > NOTE: If you access the container using bash, make sure that you execute "/opt/bitnami/scripts/postgresql/entrypoint.sh /bin/bash" in order to avoid the error "psql: local user with ID {{ .Values.primary.containerSecurityContext.runAsUser }}} does not exist" + +To connect to your database from outside the cluster execute the following commands: + +{{- if contains "NodePort" .Values.primary.service.type }} + + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "postgresql.primary.fullname" . }}) + PGPASSWORD="$POSTGRES_PASSWORD" psql --host $NODE_IP --port $NODE_PORT -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} + +{{- else if contains "LoadBalancer" .Values.primary.service.type }} + + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + Watch the status with: 'kubectl get svc --namespace {{ .Release.Namespace }} -w {{ include "postgresql.primary.fullname" . }}' + + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "postgresql.primary.fullname" . }} --template "{{ "{{ range (index .status.loadBalancer.ingress 0) }}{{ . }}{{ end }}" }}") + PGPASSWORD="$POSTGRES_PASSWORD" psql --host $SERVICE_IP --port {{ include "postgresql.service.port" . }} -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} + +{{- else if contains "ClusterIP" .Values.primary.service.type }} + + kubectl port-forward --namespace {{ .Release.Namespace }} svc/{{ include "postgresql.primary.fullname" . }} {{ include "postgresql.service.port" . }}:{{ include "postgresql.service.port" . }} & + PGPASSWORD="$POSTGRES_PASSWORD" psql --host 127.0.0.1 -U {{ default "postgres" $customUser }} -d {{- if include "postgresql.database" . }} {{ include "postgresql.database" . }}{{- else }} postgres{{- end }} -p {{ include "postgresql.service.port" . }} + +{{- end }} +{{- end }} + +{{- include "postgresql.validateValues" . -}} +{{- include "common.warnings.rollingTag" .Values.image -}} +{{- include "common.warnings.rollingTag" .Values.volumePermissions.image }} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/_helpers.tpl b/charts/kong/kong/2.41.0/charts/postgresql/templates/_helpers.tpl new file mode 100644 index 000000000..fe123f5f5 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/_helpers.tpl @@ -0,0 +1,399 @@ +{{/* vim: set filetype=mustache: */}} + +{{/* +Create a default fully qualified app name for PostgreSQL Primary objects +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "postgresql.primary.fullname" -}} +{{- if eq .Values.architecture "replication" }} + {{- printf "%s-%s" (include "common.names.fullname" .) .Values.primary.name | trunc 63 | trimSuffix "-" -}} +{{- else -}} + {{- include "common.names.fullname" . -}} +{{- end -}} +{{- end -}} + +{{/* +Create a default fully qualified app name for PostgreSQL read-only replicas objects +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "postgresql.readReplica.fullname" -}} +{{- printf "%s-%s" (include "common.names.fullname" .) .Values.readReplicas.name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the default FQDN for PostgreSQL primary headless service +We truncate at 63 chars because of the DNS naming spec. +*/}} +{{- define "postgresql.primary.svc.headless" -}} +{{- printf "%s-hl" (include "postgresql.primary.fullname" .) | trunc 63 | trimSuffix "-" }} +{{- end -}} + +{{/* +Create the default FQDN for PostgreSQL read-only replicas headless service +We truncate at 63 chars because of the DNS naming spec. +*/}} +{{- define "postgresql.readReplica.svc.headless" -}} +{{- printf "%s-hl" (include "postgresql.readReplica.fullname" .) | trunc 63 | trimSuffix "-" }} +{{- end -}} + +{{/* +Return the proper PostgreSQL image name +*/}} +{{- define "postgresql.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper PostgreSQL metrics image name +*/}} +{{- define "postgresql.metrics.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.metrics.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper image name (for the init container volume-permissions image) +*/}} +{{- define "postgresql.volumePermissions.image" -}} +{{ include "common.images.image" (dict "imageRoot" .Values.volumePermissions.image "global" .Values.global) }} +{{- end -}} + +{{/* +Return the proper Docker Image Registry Secret Names +*/}} +{{- define "postgresql.imagePullSecrets" -}} +{{ include "common.images.pullSecrets" (dict "images" (list .Values.image .Values.metrics.image .Values.volumePermissions.image) "global" .Values.global) }} +{{- end -}} + +{{/* +Return the name for a custom user to create +*/}} +{{- define "postgresql.username" -}} +{{- if .Values.global.postgresql.auth.username }} + {{- .Values.global.postgresql.auth.username -}} +{{- else -}} + {{- .Values.auth.username -}} +{{- end -}} +{{- end -}} + +{{/* +Return the name for a custom database to create +*/}} +{{- define "postgresql.database" -}} +{{- if .Values.global.postgresql.auth.database }} + {{- .Values.global.postgresql.auth.database -}} +{{- else if .Values.auth.database -}} + {{- .Values.auth.database -}} +{{- end -}} +{{- end -}} + +{{/* +Get the password secret. +*/}} +{{- define "postgresql.secretName" -}} +{{- if .Values.global.postgresql.auth.existingSecret }} + {{- printf "%s" (tpl .Values.global.postgresql.auth.existingSecret $) -}} +{{- else if .Values.auth.existingSecret -}} + {{- printf "%s" (tpl .Values.auth.existingSecret $) -}} +{{- else -}} + {{- printf "%s" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the replication-password key. +*/}} +{{- define "postgresql.replicationPasswordKey" -}} +{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret }} + {{- if .Values.global.postgresql.auth.secretKeys.replicationPasswordKey }} + {{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.replicationPasswordKey $) -}} + {{- else if .Values.auth.secretKeys.replicationPasswordKey -}} + {{- printf "%s" (tpl .Values.auth.secretKeys.replicationPasswordKey $) -}} + {{- else -}} + {{- "replication-password" -}} + {{- end -}} +{{- else -}} + {{- "replication-password" -}} +{{- end -}} +{{- end -}} + +{{/* +Get the admin-password key. +*/}} +{{- define "postgresql.adminPasswordKey" -}} +{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret }} + {{- if .Values.global.postgresql.auth.secretKeys.adminPasswordKey }} + {{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.adminPasswordKey $) -}} + {{- else if .Values.auth.secretKeys.adminPasswordKey -}} + {{- printf "%s" (tpl .Values.auth.secretKeys.adminPasswordKey $) -}} + {{- end -}} +{{- else -}} + {{- "postgres-password" -}} +{{- end -}} +{{- end -}} + +{{/* +Get the user-password key. +*/}} +{{- define "postgresql.userPasswordKey" -}} +{{- if or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret }} + {{- if or (empty (include "postgresql.username" .)) (eq (include "postgresql.username" .) "postgres") }} + {{- printf "%s" (include "postgresql.adminPasswordKey" .) -}} + {{- else -}} + {{- if .Values.global.postgresql.auth.secretKeys.userPasswordKey }} + {{- printf "%s" (tpl .Values.global.postgresql.auth.secretKeys.userPasswordKey $) -}} + {{- else if .Values.auth.secretKeys.userPasswordKey -}} + {{- printf "%s" (tpl .Values.auth.secretKeys.userPasswordKey $) -}} + {{- end -}} + {{- end -}} +{{- else -}} + {{- ternary "password" "postgres-password" (and (not (empty (include "postgresql.username" .))) (ne (include "postgresql.username" .) "postgres")) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a secret object should be created +*/}} +{{- define "postgresql.createSecret" -}} +{{- if not (or .Values.global.postgresql.auth.existingSecret .Values.auth.existingSecret) -}} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL service port +*/}} +{{- define "postgresql.service.port" -}} +{{- if .Values.global.postgresql.service.ports.postgresql }} + {{- .Values.global.postgresql.service.ports.postgresql -}} +{{- else -}} + {{- .Values.primary.service.ports.postgresql -}} +{{- end -}} +{{- end -}} + +{{/* +Return PostgreSQL service port +*/}} +{{- define "postgresql.readReplica.service.port" -}} +{{- if .Values.global.postgresql.service.ports.postgresql }} + {{- .Values.global.postgresql.service.ports.postgresql -}} +{{- else -}} + {{- .Values.readReplicas.service.ports.postgresql -}} +{{- end -}} +{{- end -}} + +{{/* +Get the PostgreSQL primary configuration ConfigMap name. +*/}} +{{- define "postgresql.primary.configmapName" -}} +{{- if .Values.primary.existingConfigmap -}} + {{- printf "%s" (tpl .Values.primary.existingConfigmap $) -}} +{{- else -}} + {{- printf "%s-configuration" (include "postgresql.primary.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for PostgreSQL primary with the configuration +*/}} +{{- define "postgresql.primary.createConfigmap" -}} +{{- if and (or .Values.primary.configuration .Values.primary.pgHbaConfiguration) (not .Values.primary.existingConfigmap) }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Get the PostgreSQL primary extended configuration ConfigMap name. +*/}} +{{- define "postgresql.primary.extendedConfigmapName" -}} +{{- if .Values.primary.existingExtendedConfigmap -}} + {{- printf "%s" (tpl .Values.primary.existingExtendedConfigmap $) -}} +{{- else -}} + {{- printf "%s-extended-configuration" (include "postgresql.primary.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Get the PostgreSQL read replica extended configuration ConfigMap name. +*/}} +{{- define "postgresql.readReplicas.extendedConfigmapName" -}} + {{- printf "%s-extended-configuration" (include "postgresql.readReplica.fullname" .) -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for PostgreSQL primary with the extended configuration +*/}} +{{- define "postgresql.primary.createExtendedConfigmap" -}} +{{- if and .Values.primary.extendedConfiguration (not .Values.primary.existingExtendedConfigmap) }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap object should be created for PostgreSQL read replica with the extended configuration +*/}} +{{- define "postgresql.readReplicas.createExtendedConfigmap" -}} +{{- if .Values.readReplicas.extendedConfiguration }} + {{- true -}} +{{- else -}} +{{- end -}} +{{- end -}} + +{{/* + Create the name of the service account to use + */}} +{{- define "postgresql.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "common.names.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Return true if a configmap should be mounted with PostgreSQL configuration +*/}} +{{- define "postgresql.mountConfigurationCM" -}} +{{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Get the initialization scripts ConfigMap name. +*/}} +{{- define "postgresql.initdb.scriptsCM" -}} +{{- if .Values.primary.initdb.scriptsConfigMap -}} + {{- printf "%s" (tpl .Values.primary.initdb.scriptsConfigMap $) -}} +{{- else -}} + {{- printf "%s-init-scripts" (include "postgresql.primary.fullname" .) -}} +{{- end -}} +{{- end -}} + +{/* +Return true if TLS is enabled for LDAP connection +*/}} +{{- define "postgresql.ldap.tls.enabled" -}} +{{- if and (kindIs "string" .Values.ldap.tls) (not (empty .Values.ldap.tls)) }} + {{- true -}} +{{- else if and (kindIs "map" .Values.ldap.tls) .Values.ldap.tls.enabled }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Get the readiness probe command +*/}} +{{- define "postgresql.readinessProbeCommand" -}} +{{- $customUser := include "postgresql.username" . }} +- | +{{- if (include "postgresql.database" .) }} + exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if .Values.tls.enabled }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} +{{- else }} + exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if .Values.tls.enabled }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} +{{- end }} +{{- if contains "bitnami/" .Values.image.repository }} + [ -f /opt/bitnami/postgresql/tmp/.initialized ] || [ -f /bitnami/postgresql/.initialized ] +{{- end -}} +{{- end -}} + +{{/* +Compile all warnings into a single message, and call fail. +*/}} +{{- define "postgresql.validateValues" -}} +{{- $messages := list -}} +{{- $messages := append $messages (include "postgresql.validateValues.ldapConfigurationMethod" .) -}} +{{- $messages := append $messages (include "postgresql.validateValues.psp" .) -}} +{{- $messages := without $messages "" -}} +{{- $message := join "\n" $messages -}} + +{{- if $message -}} +{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}} +{{- end -}} +{{- end -}} + +{{/* +Validate values of Postgresql - If ldap.url is used then you don't need the other settings for ldap +*/}} +{{- define "postgresql.validateValues.ldapConfigurationMethod" -}} +{{- if and .Values.ldap.enabled (and (not (empty .Values.ldap.url)) (not (empty .Values.ldap.server))) }} +postgresql: ldap.url, ldap.server + You cannot set both `ldap.url` and `ldap.server` at the same time. + Please provide a unique way to configure LDAP. + More info at https://www.postgresql.org/docs/current/auth-ldap.html +{{- end -}} +{{- end -}} + +{{/* +Validate values of Postgresql - If PSP is enabled RBAC should be enabled too +*/}} +{{- define "postgresql.validateValues.psp" -}} +{{- if and .Values.psp.create (not .Values.rbac.create) }} +postgresql: psp.create, rbac.create + RBAC should be enabled if PSP is enabled in order for PSP to work. + More info at https://kubernetes.io/docs/concepts/policy/pod-security-policy/#authorizing-policies +{{- end -}} +{{- end -}} + +{{/* +Return the path to the cert file. +*/}} +{{- define "postgresql.tlsCert" -}} +{{- if .Values.tls.autoGenerated }} + {{- printf "/opt/bitnami/postgresql/certs/tls.crt" -}} +{{- else -}} + {{- required "Certificate filename is required when TLS in enabled" .Values.tls.certFilename | printf "/opt/bitnami/postgresql/certs/%s" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the cert key file. +*/}} +{{- define "postgresql.tlsCertKey" -}} +{{- if .Values.tls.autoGenerated }} + {{- printf "/opt/bitnami/postgresql/certs/tls.key" -}} +{{- else -}} +{{- required "Certificate Key filename is required when TLS in enabled" .Values.tls.certKeyFilename | printf "/opt/bitnami/postgresql/certs/%s" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the CA cert file. +*/}} +{{- define "postgresql.tlsCACert" -}} +{{- if .Values.tls.autoGenerated }} + {{- printf "/opt/bitnami/postgresql/certs/ca.crt" -}} +{{- else -}} + {{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.certCAFilename -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the CRL file. +*/}} +{{- define "postgresql.tlsCRL" -}} +{{- if .Values.tls.crlFilename -}} +{{- printf "/opt/bitnami/postgresql/certs/%s" .Values.tls.crlFilename -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a TLS credentials secret object should be created +*/}} +{{- define "postgresql.createTlsSecret" -}} +{{- if and .Values.tls.autoGenerated (not .Values.tls.certificatesSecret) }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the CA cert file. +*/}} +{{- define "postgresql.tlsSecretName" -}} +{{- if .Values.tls.autoGenerated }} + {{- printf "%s-crt" (include "common.names.fullname" .) -}} +{{- else -}} + {{ required "A secret containing TLS certificates is required when TLS is enabled" .Values.tls.certificatesSecret }} +{{- end -}} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/extra-list.yaml b/charts/kong/kong/2.41.0/charts/postgresql/templates/extra-list.yaml new file mode 100644 index 000000000..9ac65f9e1 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/extra-list.yaml @@ -0,0 +1,4 @@ +{{- range .Values.extraDeploy }} +--- +{{ include "common.tplvalues.render" (dict "value" . "context" $) }} +{{- end }} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/networkpolicy-egress.yaml b/charts/kong/kong/2.41.0/charts/postgresql/templates/networkpolicy-egress.yaml new file mode 100644 index 000000000..e8621474b --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/networkpolicy-egress.yaml @@ -0,0 +1,32 @@ +{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.egressRules.denyConnectionsToExternal .Values.networkPolicy.egressRules.customRules) }} +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +kind: NetworkPolicy +metadata: + name: {{ printf "%s-egress" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + policyTypes: + - Egress + egress: + {{- if .Values.networkPolicy.egressRules.denyConnectionsToExternal }} + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + - to: + - namespaceSelector: {} + {{- end }} + {{- if .Values.networkPolicy.egressRules.customRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.egressRules.customRules "context" $) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/configmap.yaml b/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/configmap.yaml new file mode 100644 index 000000000..d654a2257 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/configmap.yaml @@ -0,0 +1,24 @@ +{{- if (include "postgresql.primary.createConfigmap" .) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-configuration" (include "postgresql.primary.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: primary + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + {{- if .Values.primary.configuration }} + postgresql.conf: |- + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.configuration "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.primary.pgHbaConfiguration }} + pg_hba.conf: | + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.pgHbaConfiguration "context" $ ) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/extended-configmap.yaml b/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/extended-configmap.yaml new file mode 100644 index 000000000..d129bd3b2 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/extended-configmap.yaml @@ -0,0 +1,18 @@ +{{- if (include "postgresql.primary.createExtendedConfigmap" .) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-extended-configuration" (include "postgresql.primary.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: primary + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + override.conf: |- + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.extendedConfiguration "context" $ ) | nindent 4 }} +{{- end }} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/initialization-configmap.yaml b/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/initialization-configmap.yaml new file mode 100644 index 000000000..d3d26cb8c --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/initialization-configmap.yaml @@ -0,0 +1,15 @@ +{{- if and .Values.primary.initdb.scripts (not .Values.primary.initdb.scriptsConfigMap) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-init-scripts" (include "postgresql.primary.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: {{- include "common.tplvalues.render" (dict "value" .Values.primary.initdb.scripts "context" .) | nindent 2 }} +{{- end }} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/metrics-configmap.yaml b/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/metrics-configmap.yaml new file mode 100644 index 000000000..8ad2f35fc --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/metrics-configmap.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-metrics" (include "postgresql.primary.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }} +{{- end }} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/metrics-svc.yaml b/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/metrics-svc.yaml new file mode 100644 index 000000000..75a1b81be --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/metrics-svc.yaml @@ -0,0 +1,31 @@ +{{- if .Values.metrics.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-metrics" (include "postgresql.primary.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: metrics + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.metrics.service.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.service.annotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + sessionAffinity: {{ .Values.metrics.service.sessionAffinity }} + {{- if .Values.metrics.service.clusterIP }} + clusterIP: {{ .Values.metrics.service.clusterIP }} + {{- end }} + ports: + - name: http-metrics + port: {{ .Values.metrics.service.ports.metrics }} + targetPort: http-metrics + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: primary +{{- end }} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/networkpolicy.yaml b/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/networkpolicy.yaml new file mode 100644 index 000000000..ce0052d48 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/networkpolicy.yaml @@ -0,0 +1,57 @@ +{{- if and .Values.networkPolicy.enabled (or .Values.networkPolicy.metrics.enabled .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled) }} +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +kind: NetworkPolicy +metadata: + name: {{ printf "%s-ingress" (include "postgresql.primary.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: primary + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: primary + ingress: + {{- if and .Values.metrics.enabled .Values.networkPolicy.metrics.enabled (or .Values.networkPolicy.metrics.namespaceSelector .Values.networkPolicy.metrics.podSelector) }} + - from: + {{- if .Values.networkPolicy.metrics.namespaceSelector }} + - namespaceSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.namespaceSelector "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.networkPolicy.metrics.podSelector }} + - podSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.metrics.podSelector "context" $) | nindent 14 }} + {{- end }} + ports: + - port: {{ .Values.metrics.containerPorts.metrics }} + {{- end }} + {{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector) }} + - from: + {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector }} + - namespaceSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector }} + - podSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector "context" $) | nindent 14 }} + {{- end }} + ports: + - port: {{ .Values.containerPorts.postgresql }} + {{- end }} + {{- if and .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled (eq .Values.architecture "replication") }} + - from: + - podSelector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 14 }} + app.kubernetes.io/component: read + ports: + - port: {{ .Values.containerPorts.postgresql }} + {{- end }} + {{- if .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules "context" $) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/servicemonitor.yaml b/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/servicemonitor.yaml new file mode 100644 index 000000000..c4a19fe05 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/servicemonitor.yaml @@ -0,0 +1,48 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "postgresql.primary.fullname" . }} + namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: metrics + {{- if .Values.metrics.serviceMonitor.labels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.labels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.metrics.serviceMonitor.jobLabel }} + jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + {{- if .Values.metrics.serviceMonitor.selector }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }} + {{- end }} + app.kubernetes.io/component: metrics + endpoints: + - port: http-metrics + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 6 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 6 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.honorLabels }} + honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace | quote }} +{{- end }} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/statefulset.yaml b/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/statefulset.yaml new file mode 100644 index 000000000..3fd77f4af --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/statefulset.yaml @@ -0,0 +1,634 @@ +{{- $customUser := include "postgresql.username" . }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ include "postgresql.primary.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: primary + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.primary.labels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.labels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.primary.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.annotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + replicas: 1 + serviceName: {{ include "postgresql.primary.svc.headless" . }} + {{- if .Values.primary.updateStrategy }} + updateStrategy: {{- toYaml .Values.primary.updateStrategy | nindent 4 }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: primary + template: + metadata: + name: {{ include "postgresql.primary.fullname" . }} + labels: {{- include "common.labels.standard" . | nindent 8 }} + app.kubernetes.io/component: primary + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }} + {{- end }} + {{- if .Values.primary.podLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.podLabels "context" $ ) | nindent 8 }} + {{- end }} + annotations: + {{- if (include "postgresql.primary.createConfigmap" .) }} + checksum/configuration: {{ include (print $.Template.BasePath "/primary/configmap.yaml") . | sha256sum }} + {{- end }} + {{- if (include "postgresql.primary.createExtendedConfigmap" .) }} + checksum/extended-configuration: {{ include (print $.Template.BasePath "/primary/extended-configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.primary.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.podAnnotations "context" $ ) | nindent 8 }} + {{- end }} + spec: + {{- if .Values.primary.extraPodSpec }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraPodSpec "context" $) | nindent 6 }} + {{- end }} + serviceAccountName: {{ include "postgresql.serviceAccountName" . }} + {{- include "postgresql.imagePullSecrets" . | nindent 6 }} + {{- if .Values.primary.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.primary.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.primary.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.primary.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAffinityPreset "component" "primary" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.primary.podAntiAffinityPreset "component" "primary" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.primary.nodeAffinityPreset.type "key" .Values.primary.nodeAffinityPreset.key "values" .Values.primary.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.primary.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.primary.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.primary.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.primary.topologySpreadConstraints "context" .) | nindent 8 }} + {{- end }} + {{- if .Values.primary.priorityClassName }} + priorityClassName: {{ .Values.primary.priorityClassName }} + {{- end }} + {{- if .Values.primary.schedulerName }} + schedulerName: {{ .Values.primary.schedulerName | quote }} + {{- end }} + {{- if .Values.primary.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.primary.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.primary.podSecurityContext.enabled }} + securityContext: {{- omit .Values.primary.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + hostNetwork: {{ .Values.primary.hostNetwork }} + hostIPC: {{ .Values.primary.hostIPC }} + initContainers: + {{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }} + - name: copy-certs + image: {{ include "postgresql.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + {{- if .Values.primary.resources }} + resources: {{- toYaml .Values.primary.resources | nindent 12 }} + {{- end }} + # We don't require a privileged container in this case + {{- if .Values.primary.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -ec + - | + cp /tmp/certs/* /opt/bitnami/postgresql/certs/ + chmod 600 {{ include "postgresql.tlsCertKey" . }} + volumeMounts: + - name: raw-certificates + mountPath: /tmp/certs + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + {{- else if and .Values.volumePermissions.enabled (or .Values.primary.persistence.enabled .Values.shmVolume.enabled) }} + - name: init-chmod-data + image: {{ include "postgresql.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + {{- if .Values.volumePermissions.resources }} + resources: {{- toYaml .Values.volumePermissions.resources | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -ec + - | + {{- if .Values.primary.persistence.enabled }} + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.primary.persistence.mountPath }} + {{- else }} + chown {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} {{ .Values.primary.persistence.mountPath }} + {{- end }} + mkdir -p {{ .Values.primary.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.primary.persistence.mountPath }}/conf {{- end }} + chmod 700 {{ .Values.primary.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.primary.persistence.mountPath }}/conf {{- end }} + find {{ .Values.primary.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \ + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + xargs -r chown -R `id -u`:`id -G | cut -d " " -f2` + {{- else }} + xargs -r chown -R {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} + {{- end }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + chmod -R 777 /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + cp /tmp/certs/* /opt/bitnami/postgresql/certs/ + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/ + {{- else }} + chown -R {{ .Values.primary.containerSecurityContext.runAsUser }}:{{ .Values.primary.podSecurityContext.fsGroup }} /opt/bitnami/postgresql/certs/ + {{- end }} + chmod 600 {{ include "postgresql.tlsCertKey" . }} + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.primary.persistence.enabled }} + - name: data + mountPath: {{ .Values.primary.persistence.mountPath }} + {{- if .Values.primary.persistence.subPath }} + subPath: {{ .Values.primary.persistence.subPath }} + {{- end }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + mountPath: /tmp/certs + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + {{- end }} + {{- end }} + {{- if .Values.primary.initContainers }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.initContainers "context" $ ) | nindent 8 }} + {{- end }} + containers: + - name: postgresql + image: {{ include "postgresql.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.primary.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.primary.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.primary.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.primary.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.primary.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.primary.args "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + - name: POSTGRESQL_PORT_NUMBER + value: {{ .Values.containerPorts.postgresql | quote }} + - name: POSTGRESQL_VOLUME_DIR + value: {{ .Values.primary.persistence.mountPath | quote }} + {{- if .Values.primary.persistence.mountPath }} + - name: PGDATA + value: {{ .Values.postgresqlDataDir | quote }} + {{- end }} + # Authentication + {{- if and (not (empty $customUser)) (ne $customUser "postgres") }} + - name: POSTGRES_USER + value: {{ $customUser | quote }} + {{- if .Values.auth.enablePostgresUser }} + {{- if .Values.auth.usePasswordFiles }} + - name: POSTGRES_POSTGRES_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgres-password" + {{- else }} + - name: POSTGRES_POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.secretName" . }} + key: {{ include "postgresql.adminPasswordKey" . }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.auth.usePasswordFiles }} + - name: POSTGRES_PASSWORD_FILE + value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres"))) }} + {{- else }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.secretName" . }} + key: {{ include "postgresql.userPasswordKey" . }} + {{- end }} + {{- if (include "postgresql.database" .) }} + - name: POSTGRES_DB + value: {{ (include "postgresql.database" .) | quote }} + {{- end }} + # Replication + {{- if or (eq .Values.architecture "replication") .Values.primary.standby.enabled }} + - name: POSTGRES_REPLICATION_MODE + value: {{ ternary "slave" "master" .Values.primary.standby.enabled | quote }} + - name: POSTGRES_REPLICATION_USER + value: {{ .Values.auth.replicationUsername | quote }} + {{- if .Values.auth.usePasswordFiles }} + - name: POSTGRES_REPLICATION_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/replication-password" + {{- else }} + - name: POSTGRES_REPLICATION_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.secretName" . }} + key: {{ include "postgresql.replicationPasswordKey" . }} + {{- end }} + {{- if not (eq .Values.replication.synchronousCommit "off") }} + - name: POSTGRES_SYNCHRONOUS_COMMIT_MODE + value: {{ .Values.replication.synchronousCommit | quote }} + - name: POSTGRES_NUM_SYNCHRONOUS_REPLICAS + value: {{ .Values.replication.numSynchronousReplicas | quote }} + {{- end }} + - name: POSTGRES_CLUSTER_APP_NAME + value: {{ .Values.replication.applicationName }} + {{- end }} + # Initdb + {{- if .Values.primary.initdb.args }} + - name: POSTGRES_INITDB_ARGS + value: {{ .Values.primary.initdb.args | quote }} + {{- end }} + {{- if .Values.primary.initdb.postgresqlWalDir }} + - name: POSTGRES_INITDB_WALDIR + value: {{ .Values.primary.initdb.postgresqlWalDir | quote }} + {{- end }} + {{- if .Values.primary.initdb.user }} + - name: POSTGRESQL_INITSCRIPTS_USERNAME + value: {{ .Values.primary.initdb.user }} + {{- end }} + {{- if .Values.primary.initdb.password }} + - name: POSTGRESQL_INITSCRIPTS_PASSWORD + value: {{ .Values.primary.initdb.password | quote }} + {{- end }} + # Standby + {{- if .Values.primary.standby.enabled }} + - name: POSTGRES_MASTER_HOST + value: {{ .Values.primary.standby.primaryHost }} + - name: POSTGRES_MASTER_PORT_NUMBER + value: {{ .Values.primary.standby.primaryPort | quote }} + {{- end }} + # LDAP + - name: POSTGRESQL_ENABLE_LDAP + value: {{ ternary "yes" "no" .Values.ldap.enabled | quote }} + {{- if .Values.ldap.enabled }} + {{- if or .Values.ldap.url .Values.ldap.uri }} + - name: POSTGRESQL_LDAP_URL + value: {{ coalesce .Values.ldap.url .Values.ldap.uri }} + {{- else }} + - name: POSTGRESQL_LDAP_SERVER + value: {{ .Values.ldap.server }} + - name: POSTGRESQL_LDAP_PORT + value: {{ .Values.ldap.port | quote }} + - name: POSTGRESQL_LDAP_SCHEME + value: {{ .Values.ldap.scheme }} + {{- if (include "postgresql.ldap.tls.enabled" .) }} + - name: POSTGRESQL_LDAP_TLS + value: "1" + {{- end }} + - name: POSTGRESQL_LDAP_PREFIX + value: {{ .Values.ldap.prefix | quote }} + - name: POSTGRESQL_LDAP_SUFFIX + value: {{ .Values.ldap.suffix | quote }} + - name: POSTGRESQL_LDAP_BASE_DN + value: {{ coalesce .Values.ldap.baseDN .Values.ldap.basedn }} + - name: POSTGRESQL_LDAP_BIND_DN + value: {{ coalesce .Values.ldap.bindDN .Values.ldap.binddn}} + {{- if or (not (empty .Values.ldap.bind_password)) (not (empty .Values.ldap.bindpw)) }} + - name: POSTGRESQL_LDAP_BIND_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.secretName" . }} + key: ldap-password + {{- end }} + - name: POSTGRESQL_LDAP_SEARCH_ATTR + value: {{ coalesce .Values.ldap.search_attr .Values.ldap.searchAttribute }} + - name: POSTGRESQL_LDAP_SEARCH_FILTER + value: {{ coalesce .Values.ldap.search_filter .Values.ldap.searchFilter }} + {{- end }} + {{- end }} + # TLS + - name: POSTGRESQL_ENABLE_TLS + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS + value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }} + - name: POSTGRESQL_TLS_CERT_FILE + value: {{ include "postgresql.tlsCert" . }} + - name: POSTGRESQL_TLS_KEY_FILE + value: {{ include "postgresql.tlsCertKey" . }} + {{- if .Values.tls.certCAFilename }} + - name: POSTGRESQL_TLS_CA_FILE + value: {{ include "postgresql.tlsCACert" . }} + {{- end }} + {{- if .Values.tls.crlFilename }} + - name: POSTGRESQL_TLS_CRL_FILE + value: {{ include "postgresql.tlsCRL" . }} + {{- end }} + {{- end }} + # Audit + - name: POSTGRESQL_LOG_HOSTNAME + value: {{ .Values.audit.logHostname | quote }} + - name: POSTGRESQL_LOG_CONNECTIONS + value: {{ .Values.audit.logConnections | quote }} + - name: POSTGRESQL_LOG_DISCONNECTIONS + value: {{ .Values.audit.logDisconnections | quote }} + {{- if .Values.audit.logLinePrefix }} + - name: POSTGRESQL_LOG_LINE_PREFIX + value: {{ .Values.audit.logLinePrefix | quote }} + {{- end }} + {{- if .Values.audit.logTimezone }} + - name: POSTGRESQL_LOG_TIMEZONE + value: {{ .Values.audit.logTimezone | quote }} + {{- end }} + {{- if .Values.audit.pgAuditLog }} + - name: POSTGRESQL_PGAUDIT_LOG + value: {{ .Values.audit.pgAuditLog | quote }} + {{- end }} + - name: POSTGRESQL_PGAUDIT_LOG_CATALOG + value: {{ .Values.audit.pgAuditLogCatalog | quote }} + # Others + - name: POSTGRESQL_CLIENT_MIN_MESSAGES + value: {{ .Values.audit.clientMinMessages | quote }} + - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES + value: {{ .Values.postgresqlSharedPreloadLibraries | quote }} + {{- if .Values.primary.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.primary.extraEnvVarsCM .Values.primary.extraEnvVarsSecret }} + envFrom: + {{- if .Values.primary.extraEnvVarsCM }} + - configMapRef: + name: {{ .Values.primary.extraEnvVarsCM }} + {{- end }} + {{- if .Values.primary.extraEnvVarsSecret }} + - secretRef: + name: {{ .Values.primary.extraEnvVarsSecret }} + {{- end }} + {{- end }} + ports: + - name: tcp-postgresql + containerPort: {{ .Values.containerPorts.postgresql }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.primary.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.primary.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.startupProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.database" .) }} + - exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- else }} + - exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- end }} + {{- end }} + {{- if .Values.primary.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.primary.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.livenessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.database" .) }} + - exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- else }} + - exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- end }} + {{- end }} + {{- if .Values.primary.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.primary.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.primary.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.primary.readinessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bin/sh + - -c + - -e + {{- include "postgresql.readinessProbeCommand" . | nindent 16 }} + {{- end }} + {{- end }} + {{- if .Values.primary.resources }} + resources: {{- toYaml .Values.primary.resources | nindent 12 }} + {{- end }} + {{- if .Values.primary.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.primary.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + volumeMounts: + {{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }} + - name: custom-init-scripts + mountPath: /docker-entrypoint-initdb.d/ + {{- end }} + {{- if .Values.primary.initdb.scriptsSecret }} + - name: custom-init-scripts-secret + mountPath: /docker-entrypoint-initdb.d/secret + {{- end }} + {{- if or .Values.primary.extendedConfiguration .Values.primary.existingExtendedConfigmap }} + - name: postgresql-extended-config + mountPath: /bitnami/postgresql/conf/conf.d/ + {{- end }} + {{- if .Values.auth.usePasswordFiles }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.tls.enabled }} + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + readOnly: true + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.primary.persistence.enabled }} + - name: data + mountPath: {{ .Values.primary.persistence.mountPath }} + {{- if .Values.primary.persistence.subPath }} + subPath: {{ .Values.primary.persistence.subPath }} + {{- end }} + {{- end }} + {{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }} + - name: postgresql-config + mountPath: /bitnami/postgresql/conf + {{- end }} + {{- if .Values.primary.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ include "postgresql.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.metrics.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.metrics.customMetrics }} + args: ["--extend.query-path", "/conf/custom-metrics.yaml"] + {{- end }} + env: + {{- $database := required "In order to enable metrics you need to specify a database (.Values.auth.database or .Values.global.postgresql.auth.database)" (include "postgresql.database" .) }} + - name: DATA_SOURCE_URI + value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.service.port" .)) $database }} + {{- if .Values.auth.usePasswordFiles }} + - name: DATA_SOURCE_PASS_FILE + value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres"))) }} + {{- else }} + - name: DATA_SOURCE_PASS + valueFrom: + secretKeyRef: + name: {{ include "postgresql.secretName" . }} + key: {{ include "postgresql.userPasswordKey" . }} + {{- end }} + - name: DATA_SOURCE_USER + value: {{ default "postgres" $customUser | quote }} + {{- if .Values.metrics.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + ports: + - name: http-metrics + containerPort: {{ .Values.metrics.containerPorts.metrics }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.metrics.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: http-metrics + {{- end }} + {{- if .Values.metrics.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: http-metrics + {{- end }} + {{- if .Values.metrics.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: http-metrics + {{- end }} + {{- end }} + volumeMounts: + {{- if .Values.auth.usePasswordFiles }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.metrics.customMetrics }} + - name: custom-metrics + mountPath: /conf + readOnly: true + {{- end }} + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.primary.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.sidecars "context" $ ) | nindent 8 }} + {{- end }} + volumes: + {{- if or .Values.primary.configuration .Values.primary.pgHbaConfiguration .Values.primary.existingConfigmap }} + - name: postgresql-config + configMap: + name: {{ include "postgresql.primary.configmapName" . }} + {{- end }} + {{- if or .Values.primary.extendedConfiguration .Values.primary.existingExtendedConfigmap }} + - name: postgresql-extended-config + configMap: + name: {{ include "postgresql.primary.extendedConfigmapName" . }} + {{- end }} + {{- if .Values.auth.usePasswordFiles }} + - name: postgresql-password + secret: + secretName: {{ include "postgresql.secretName" . }} + {{- end }} + {{- if or .Values.primary.initdb.scriptsConfigMap .Values.primary.initdb.scripts }} + - name: custom-init-scripts + configMap: + name: {{ include "postgresql.initdb.scriptsCM" . }} + {{- end }} + {{- if .Values.primary.initdb.scriptsSecret }} + - name: custom-init-scripts-secret + secret: + secretName: {{ tpl .Values.primary.initdb.scriptsSecret $ }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + secret: + secretName: {{ include "postgresql.tlsSecretName" . }} + - name: postgresql-certificates + emptyDir: {} + {{- end }} + {{- if .Values.primary.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.primary.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} + - name: custom-metrics + configMap: + name: {{ printf "%s-metrics" (include "common.names.fullname" .) }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + emptyDir: + medium: Memory + {{- if .Values.shmVolume.sizeLimit }} + sizeLimit: {{ .Values.shmVolume.sizeLimit }} + {{- end }} + {{- end }} + {{- if and .Values.primary.persistence.enabled .Values.primary.persistence.existingClaim }} + - name: data + persistentVolumeClaim: + claimName: {{ tpl .Values.primary.persistence.existingClaim $ }} + {{- else if not .Values.primary.persistence.enabled }} + - name: data + emptyDir: {} + {{- else }} + volumeClaimTemplates: + - metadata: + name: data + {{- if .Values.primary.persistence.annotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.annotations "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.primary.persistence.labels }} + labels: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.labels "context" $) | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.primary.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + {{- if .Values.primary.persistence.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.dataSource "context" $) | nindent 10 }} + {{- end }} + resources: + requests: + storage: {{ .Values.primary.persistence.size | quote }} + {{- if .Values.primary.persistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.primary.persistence.selector "context" $) | nindent 10 }} + {{- end }} + {{- include "common.storage.class" (dict "persistence" .Values.primary.persistence "global" .Values.global) | nindent 8 }} + {{- end }} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/svc-headless.yaml b/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/svc-headless.yaml new file mode 100644 index 000000000..b7826318f --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/svc-headless.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "postgresql.primary.svc.headless" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + app.kubernetes.io/component: primary + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + # Use this annotation in addition to the actual publishNotReadyAddresses + # field below because the annotation will stop being respected soon but the + # field is broken in some versions of Kubernetes: + # https://github.com/kubernetes/kubernetes/issues/58662 + service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" +spec: + type: ClusterIP + clusterIP: None + # We want all pods in the StatefulSet to have their addresses published for + # the sake of the other Postgresql pods even before they're ready, since they + # have to be able to talk to each other in order to become ready. + publishNotReadyAddresses: true + ports: + - name: tcp-postgresql + port: {{ template "postgresql.service.port" . }} + targetPort: tcp-postgresql + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: primary diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/svc.yaml b/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/svc.yaml new file mode 100644 index 000000000..cf184809a --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/primary/svc.yaml @@ -0,0 +1,51 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "postgresql.primary.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + app.kubernetes.io/component: primary + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.primary.service.annotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.primary.service.type }} + {{- if or (eq .Values.primary.service.type "LoadBalancer") (eq .Values.primary.service.type "NodePort") }} + externalTrafficPolicy: {{ .Values.primary.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerSourceRanges)) }} + loadBalancerSourceRanges: {{ .Values.primary.service.loadBalancerSourceRanges }} + {{- end }} + {{- if and (eq .Values.primary.service.type "LoadBalancer") (not (empty .Values.primary.service.loadBalancerIP)) }} + loadBalancerIP: {{ .Values.primary.service.loadBalancerIP }} + {{- end }} + {{- if and .Values.primary.service.clusterIP (eq .Values.primary.service.type "ClusterIP") }} + clusterIP: {{ .Values.primary.service.clusterIP }} + {{- end }} + {{- if .Values.primary.service.sessionAffinity }} + sessionAffinity: {{ .Values.primary.service.sessionAffinity }} + {{- end }} + {{- if .Values.primary.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + ports: + - name: tcp-postgresql + port: {{ template "postgresql.service.port" . }} + targetPort: tcp-postgresql + {{- if and (or (eq .Values.primary.service.type "NodePort") (eq .Values.primary.service.type "LoadBalancer")) (not (empty .Values.primary.service.nodePorts.postgresql)) }} + nodePort: {{ .Values.primary.service.nodePorts.postgresql }} + {{- else if eq .Values.primary.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- if .Values.primary.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.primary.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: primary diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/prometheusrule.yaml b/charts/kong/kong/2.41.0/charts/postgresql/templates/prometheusrule.yaml new file mode 100644 index 000000000..24be7100b --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/prometheusrule.yaml @@ -0,0 +1,22 @@ +{{- if and .Values.metrics.enabled .Values.metrics.prometheusRule.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ default .Release.Namespace .Values.metrics.prometheusRule.namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: metrics + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.metrics.prometheusRule.labels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.labels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + groups: + - name: {{ include "common.names.fullname" . }} + rules: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.prometheusRule.rules "context" $ ) | nindent 8 }} +{{- end }} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/psp.yaml b/charts/kong/kong/2.41.0/charts/postgresql/templates/psp.yaml new file mode 100644 index 000000000..48d11754d --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/psp.yaml @@ -0,0 +1,41 @@ +{{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}} +{{- if and $pspAvailable .Values.psp.create }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + privileged: false + volumes: + - 'configMap' + - 'secret' + - 'persistentVolumeClaim' + - 'emptyDir' + - 'projected' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: false +{{- end }} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/read/extended-configmap.yaml b/charts/kong/kong/2.41.0/charts/postgresql/templates/read/extended-configmap.yaml new file mode 100644 index 000000000..e329d1385 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/read/extended-configmap.yaml @@ -0,0 +1,18 @@ +{{- if (include "postgresql.readReplicas.createExtendedConfigmap" .) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-extended-configuration" (include "postgresql.readReplica.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: read + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + override.conf: |- + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extendedConfiguration "context" $ ) | nindent 4 }} +{{- end }} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/read/metrics-configmap.yaml b/charts/kong/kong/2.41.0/charts/postgresql/templates/read/metrics-configmap.yaml new file mode 100644 index 000000000..b00a6eccb --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/read/metrics-configmap.yaml @@ -0,0 +1,16 @@ +{{- if and .Values.metrics.enabled .Values.metrics.customMetrics (eq .Values.architecture "replication") }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ printf "%s-metrics" (include "postgresql.readReplica.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +data: + custom-metrics.yaml: {{ toYaml .Values.metrics.customMetrics | quote }} +{{- end }} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/read/metrics-svc.yaml b/charts/kong/kong/2.41.0/charts/postgresql/templates/read/metrics-svc.yaml new file mode 100644 index 000000000..b3e54974e --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/read/metrics-svc.yaml @@ -0,0 +1,31 @@ +{{- if and .Values.metrics.enabled (eq .Values.architecture "replication") }} +apiVersion: v1 +kind: Service +metadata: + name: {{ printf "%s-metrics" (include "postgresql.readReplica.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: metrics-read + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.metrics.service.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.service.annotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + sessionAffinity: {{ .Values.metrics.service.sessionAffinity }} + {{- if .Values.metrics.service.clusterIP }} + clusterIP: {{ .Values.metrics.service.clusterIP }} + {{- end }} + ports: + - name: http-metrics + port: {{ .Values.metrics.service.ports.metrics }} + targetPort: http-metrics + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: read +{{- end }} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/read/networkpolicy.yaml b/charts/kong/kong/2.41.0/charts/postgresql/templates/read/networkpolicy.yaml new file mode 100644 index 000000000..c969cd7a7 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/read/networkpolicy.yaml @@ -0,0 +1,36 @@ +{{- if and .Values.networkPolicy.enabled (eq .Values.architecture "replication") .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled }} +apiVersion: {{ include "common.capabilities.networkPolicy.apiVersion" . }} +kind: NetworkPolicy +metadata: + name: {{ printf "%s-ingress" (include "postgresql.readReplica.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: read + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + podSelector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: read + ingress: + {{- if and .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled (or .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector) }} + - from: + {{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector }} + - namespaceSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector "context" $) | nindent 14 }} + {{- end }} + {{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector }} + - podSelector: + matchLabels: {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector "context" $) | nindent 14 }} + {{- end }} + ports: + - port: {{ .Values.containerPorts.postgresql }} + {{- end }} + {{- if .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules }} + {{- include "common.tplvalues.render" (dict "value" .Values.networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules "context" $) | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/read/servicemonitor.yaml b/charts/kong/kong/2.41.0/charts/postgresql/templates/read/servicemonitor.yaml new file mode 100644 index 000000000..d511d6beb --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/read/servicemonitor.yaml @@ -0,0 +1,48 @@ +{{- if and .Values.metrics.enabled .Values.metrics.serviceMonitor.enabled (eq .Values.architecture "replication") }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ include "postgresql.readReplica.fullname" . }} + namespace: {{ default .Release.Namespace .Values.metrics.serviceMonitor.namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: metrics-read + {{- if .Values.metrics.serviceMonitor.labels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.labels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + {{- if .Values.metrics.serviceMonitor.jobLabel }} + jobLabel: {{ .Values.metrics.serviceMonitor.jobLabel }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + {{- if .Values.metrics.serviceMonitor.selector }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.serviceMonitor.selector "context" $) | nindent 6 }} + {{- end }} + app.kubernetes.io/component: metrics-read + endpoints: + - port: http-metrics + {{- if .Values.metrics.serviceMonitor.interval }} + interval: {{ .Values.metrics.serviceMonitor.interval }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.scrapeTimeout }} + scrapeTimeout: {{ .Values.metrics.serviceMonitor.scrapeTimeout }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.relabelings }} + relabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.relabelings "context" $) | nindent 6 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.metricRelabelings }} + metricRelabelings: {{- include "common.tplvalues.render" ( dict "value" .Values.metrics.serviceMonitor.metricRelabelings "context" $) | nindent 6 }} + {{- end }} + {{- if .Values.metrics.serviceMonitor.honorLabels }} + honorLabels: {{ .Values.metrics.serviceMonitor.honorLabels }} + {{- end }} + namespaceSelector: + matchNames: + - {{ .Release.Namespace | quote }} +{{- end }} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/read/statefulset.yaml b/charts/kong/kong/2.41.0/charts/postgresql/templates/read/statefulset.yaml new file mode 100644 index 000000000..b3ff1da69 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/read/statefulset.yaml @@ -0,0 +1,531 @@ +{{- if eq .Values.architecture "replication" }} +{{- $customUser := include "postgresql.username" . }} +apiVersion: {{ include "common.capabilities.statefulset.apiVersion" . }} +kind: StatefulSet +metadata: + name: {{ include "postgresql.readReplica.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + app.kubernetes.io/component: read + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.readReplicas.labels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.labels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.readReplicas.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.annotations "context" $ ) | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.readReplicas.replicaCount }} + serviceName: {{ include "postgresql.readReplica.svc.headless" . }} + {{- if .Values.readReplicas.updateStrategy }} + updateStrategy: {{- toYaml .Values.readReplicas.updateStrategy | nindent 4 }} + {{- end }} + selector: + matchLabels: {{- include "common.labels.matchLabels" . | nindent 6 }} + app.kubernetes.io/component: read + template: + metadata: + name: {{ include "postgresql.readReplica.fullname" . }} + labels: {{- include "common.labels.standard" . | nindent 8 }} + app.kubernetes.io/component: read + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 8 }} + {{- end }} + {{- if .Values.readReplicas.podLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.podLabels "context" $ ) | nindent 8 }} + {{- end }} + annotations: + {{- if (include "postgresql.readReplicas.createExtendedConfigmap" .) }} + checksum/extended-configuration: {{ include (print $.Template.BasePath "/read/extended-configmap.yaml") . | sha256sum }} + {{- end }} + {{- if .Values.readReplicas.podAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.podAnnotations "context" $ ) | nindent 8 }} + {{- end }} + spec: + {{- if .Values.readReplicas.extraPodSpec }} + {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraPodSpec "context" $) | nindent 6 }} + {{- end }} + serviceAccountName: {{ include "postgresql.serviceAccountName" . }} + {{- include "postgresql.imagePullSecrets" . | nindent 6 }} + {{- if .Values.readReplicas.hostAliases }} + hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.hostAliases "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.readReplicas.affinity }} + affinity: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.affinity "context" $) | nindent 8 }} + {{- else }} + affinity: + podAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAffinityPreset "component" "read" "context" $) | nindent 10 }} + podAntiAffinity: {{- include "common.affinities.pods" (dict "type" .Values.readReplicas.podAntiAffinityPreset "component" "read" "context" $) | nindent 10 }} + nodeAffinity: {{- include "common.affinities.nodes" (dict "type" .Values.readReplicas.nodeAffinityPreset.type "key" .Values.readReplicas.nodeAffinityPreset.key "values" .Values.readReplicas.nodeAffinityPreset.values) | nindent 10 }} + {{- end }} + {{- if .Values.readReplicas.nodeSelector }} + nodeSelector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.nodeSelector "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.readReplicas.tolerations }} + tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.tolerations "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.readReplicas.topologySpreadConstraints }} + topologySpreadConstraints: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.topologySpreadConstraints "context" $) | nindent 8 }} + {{- end }} + {{- if .Values.readReplicas.priorityClassName }} + priorityClassName: {{ .Values.readReplicas.priorityClassName }} + {{- end }} + {{- if .Values.readReplicas.schedulerName }} + schedulerName: {{ .Values.readReplicas.schedulerName | quote }} + {{- end }} + {{- if .Values.readReplicas.terminationGracePeriodSeconds }} + terminationGracePeriodSeconds: {{ .Values.readReplicas.terminationGracePeriodSeconds }} + {{- end }} + {{- if .Values.readReplicas.podSecurityContext.enabled }} + securityContext: {{- omit .Values.readReplicas.podSecurityContext "enabled" | toYaml | nindent 8 }} + {{- end }} + hostNetwork: {{ .Values.readReplicas.hostNetwork }} + hostIPC: {{ .Values.readReplicas.hostIPC }} + initContainers: + {{- if and .Values.tls.enabled (not .Values.volumePermissions.enabled) }} + - name: copy-certs + image: {{ include "postgresql.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + {{- if .Values.readReplicas.resources }} + resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }} + {{- end }} + # We don't require a privileged container in this case + {{- if .Values.readReplicas.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.readReplicas.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -ec + - | + cp /tmp/certs/* /opt/bitnami/postgresql/certs/ + chmod 600 {{ include "postgresql.tlsCertKey" . }} + volumeMounts: + - name: raw-certificates + mountPath: /tmp/certs + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + {{- else if and .Values.volumePermissions.enabled (or .Values.readReplicas.persistence.enabled .Values.shmVolume.enabled) }} + - name: init-chmod-data + image: {{ include "postgresql.volumePermissions.image" . }} + imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | quote }} + {{- if .Values.readReplicas.resources }} + resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }} + {{- end }} + command: + - /bin/sh + - -ec + - | + {{- if .Values.readReplicas.persistence.enabled }} + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + chown `id -u`:`id -G | cut -d " " -f2` {{ .Values.readReplicas.persistence.mountPath }} + {{- else }} + chown {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} {{ .Values.readReplicas.persistence.mountPath }} + {{- end }} + mkdir -p {{ .Values.readReplicas.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.readReplicas.persistence.mountPath }}/conf {{- end }} + chmod 700 {{ .Values.readReplicas.persistence.mountPath }}/data {{- if (include "postgresql.mountConfigurationCM" .) }} {{ .Values.readReplicas.persistence.mountPath }}/conf {{- end }} + find {{ .Values.readReplicas.persistence.mountPath }} -mindepth 1 -maxdepth 1 {{- if not (include "postgresql.mountConfigurationCM" .) }} -not -name "conf" {{- end }} -not -name ".snapshot" -not -name "lost+found" | \ + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + xargs -r chown -R `id -u`:`id -G | cut -d " " -f2` + {{- else }} + xargs -r chown -R {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} + {{- end }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + chmod -R 777 /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + cp /tmp/certs/* /opt/bitnami/postgresql/certs/ + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + chown -R `id -u`:`id -G | cut -d " " -f2` /opt/bitnami/postgresql/certs/ + {{- else }} + chown -R {{ .Values.readReplicas.containerSecurityContext.runAsUser }}:{{ .Values.readReplicas.podSecurityContext.fsGroup }} /opt/bitnami/postgresql/certs/ + {{- end }} + chmod 600 {{ include "postgresql.tlsCertKey" . }} + {{- end }} + {{- if eq ( toString ( .Values.volumePermissions.containerSecurityContext.runAsUser )) "auto" }} + securityContext: {{- omit .Values.volumePermissions.containerSecurityContext "runAsUser" | toYaml | nindent 12 }} + {{- else }} + securityContext: {{- .Values.volumePermissions.containerSecurityContext | toYaml | nindent 12 }} + {{- end }} + volumeMounts: + {{ if .Values.readReplicas.persistence.enabled }} + - name: data + mountPath: {{ .Values.readReplicas.persistence.mountPath }} + {{- if .Values.readReplicas.persistence.subPath }} + subPath: {{ .Values.readReplicas.persistence.subPath }} + {{- end }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + mountPath: /tmp/certs + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + {{- end }} + {{- end }} + {{- if .Values.readReplicas.initContainers }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.initContainers "context" $ ) | nindent 8 }} + {{- end }} + containers: + - name: postgresql + image: {{ include "postgresql.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.readReplicas.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.readReplicas.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + {{- else if .Values.readReplicas.command }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.command "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.readReplicas.args }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.args "context" $) | nindent 12 }} + {{- end }} + env: + - name: BITNAMI_DEBUG + value: {{ ternary "true" "false" (or .Values.image.debug .Values.diagnosticMode.enabled) | quote }} + - name: POSTGRESQL_PORT_NUMBER + value: {{ .Values.containerPorts.postgresql | quote }} + - name: POSTGRESQL_VOLUME_DIR + value: {{ .Values.readReplicas.persistence.mountPath | quote }} + {{- if .Values.readReplicas.persistence.mountPath }} + - name: PGDATA + value: {{ .Values.postgresqlDataDir | quote }} + {{- end }} + # Authentication + {{- if and (not (empty $customUser)) (ne $customUser "postgres") .Values.auth.enablePostgresUser }} + {{- if .Values.auth.usePasswordFiles }} + - name: POSTGRES_POSTGRES_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/postgres-password" + {{- else }} + - name: POSTGRES_POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.secretName" . }} + key: {{ include "postgresql.adminPasswordKey" . }} + {{- end }} + {{- end }} + {{- if .Values.auth.usePasswordFiles }} + - name: POSTGRES_PASSWORD_FILE + value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres"))) }} + {{- else }} + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.secretName" . }} + key: {{ include "postgresql.userPasswordKey" . }} + {{- end }} + # Replication + - name: POSTGRES_REPLICATION_MODE + value: "slave" + - name: POSTGRES_REPLICATION_USER + value: {{ .Values.auth.replicationUsername | quote }} + {{- if .Values.auth.usePasswordFiles }} + - name: POSTGRES_REPLICATION_PASSWORD_FILE + value: "/opt/bitnami/postgresql/secrets/replication-password" + {{- else }} + - name: POSTGRES_REPLICATION_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "postgresql.secretName" . }} + key: {{ include "postgresql.replicationPasswordKey" . }} + {{- end }} + - name: POSTGRES_CLUSTER_APP_NAME + value: {{ .Values.replication.applicationName }} + - name: POSTGRES_MASTER_HOST + value: {{ include "postgresql.primary.fullname" . }} + - name: POSTGRES_MASTER_PORT_NUMBER + value: {{ include "postgresql.service.port" . | quote }} + # TLS + - name: POSTGRESQL_ENABLE_TLS + value: {{ ternary "yes" "no" .Values.tls.enabled | quote }} + {{- if .Values.tls.enabled }} + - name: POSTGRESQL_TLS_PREFER_SERVER_CIPHERS + value: {{ ternary "yes" "no" .Values.tls.preferServerCiphers | quote }} + - name: POSTGRESQL_TLS_CERT_FILE + value: {{ include "postgresql.tlsCert" . }} + - name: POSTGRESQL_TLS_KEY_FILE + value: {{ include "postgresql.tlsCertKey" . }} + {{- if .Values.tls.certCAFilename }} + - name: POSTGRESQL_TLS_CA_FILE + value: {{ include "postgresql.tlsCACert" . }} + {{- end }} + {{- if .Values.tls.crlFilename }} + - name: POSTGRESQL_TLS_CRL_FILE + value: {{ include "postgresql.tlsCRL" . }} + {{- end }} + {{- end }} + # Audit + - name: POSTGRESQL_LOG_HOSTNAME + value: {{ .Values.audit.logHostname | quote }} + - name: POSTGRESQL_LOG_CONNECTIONS + value: {{ .Values.audit.logConnections | quote }} + - name: POSTGRESQL_LOG_DISCONNECTIONS + value: {{ .Values.audit.logDisconnections | quote }} + {{- if .Values.audit.logLinePrefix }} + - name: POSTGRESQL_LOG_LINE_PREFIX + value: {{ .Values.audit.logLinePrefix | quote }} + {{- end }} + {{- if .Values.audit.logTimezone }} + - name: POSTGRESQL_LOG_TIMEZONE + value: {{ .Values.audit.logTimezone | quote }} + {{- end }} + {{- if .Values.audit.pgAuditLog }} + - name: POSTGRESQL_PGAUDIT_LOG + value: {{ .Values.audit.pgAuditLog | quote }} + {{- end }} + - name: POSTGRESQL_PGAUDIT_LOG_CATALOG + value: {{ .Values.audit.pgAuditLogCatalog | quote }} + # Others + - name: POSTGRESQL_CLIENT_MIN_MESSAGES + value: {{ .Values.audit.clientMinMessages | quote }} + - name: POSTGRESQL_SHARED_PRELOAD_LIBRARIES + value: {{ .Values.postgresqlSharedPreloadLibraries | quote }} + {{- if .Values.readReplicas.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + {{- if or .Values.readReplicas.extraEnvVarsCM .Values.readReplicas.extraEnvVarsSecret }} + envFrom: + {{- if .Values.readReplicas.extraEnvVarsCM }} + - configMapRef: + name: {{ .Values.readReplicas.extraEnvVarsCM }} + {{- end }} + {{- if .Values.readReplicas.extraEnvVarsSecret }} + - secretRef: + name: {{ .Values.readReplicas.extraEnvVarsSecret }} + {{- end }} + {{- end }} + ports: + - name: tcp-postgresql + containerPort: {{ .Values.containerPorts.postgresql }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.readReplicas.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.readReplicas.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.startupProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.database" .) }} + - exec pg_isready -U {{ default "postgres" $customUser| quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- else }} + - exec pg_isready -U {{ default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- end }} + {{- end }} + {{- if .Values.readReplicas.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.readReplicas.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.livenessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bin/sh + - -c + {{- if (include "postgresql.database" .) }} + - exec pg_isready -U {{ default "postgres" $customUser | quote }} -d "dbname={{ include "postgresql.database" . }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}{{- end }}" -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- else }} + - exec pg_isready -U {{default "postgres" $customUser | quote }} {{- if and .Values.tls.enabled .Values.tls.certCAFilename }} -d "sslcert={{ include "postgresql.tlsCert" . }} sslkey={{ include "postgresql.tlsCertKey" . }}"{{- end }} -h 127.0.0.1 -p {{ .Values.containerPorts.postgresql }} + {{- end }} + {{- end }} + {{- if .Values.readReplicas.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.readReplicas.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readReplicas.readinessProbe "enabled") "context" $) | nindent 12 }} + exec: + command: + - /bin/sh + - -c + - -e + {{- include "postgresql.readinessProbeCommand" . | nindent 16 }} + {{- end }} + {{- end }} + {{- if .Values.readReplicas.resources }} + resources: {{- toYaml .Values.readReplicas.resources | nindent 12 }} + {{- end }} + {{- if .Values.readReplicas.lifecycleHooks }} + lifecycle: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.lifecycleHooks "context" $) | nindent 12 }} + {{- end }} + volumeMounts: + {{- if .Values.auth.usePasswordFiles }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.readReplicas.extendedConfiguration }} + - name: postgresql-extended-config + mountPath: /bitnami/postgresql/conf/conf.d/ + {{- end }} + {{- if .Values.tls.enabled }} + - name: postgresql-certificates + mountPath: /opt/bitnami/postgresql/certs + readOnly: true + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + mountPath: /dev/shm + {{- end }} + {{- if .Values.readReplicas.persistence.enabled }} + - name: data + mountPath: {{ .Values.readReplicas.persistence.mountPath }} + {{- if .Values.readReplicas.persistence.subPath }} + subPath: {{ .Values.readReplicas.persistence.subPath }} + {{- end }} + {{- end }} + {{- if .Values.readReplicas.extraVolumeMounts }} + {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.extraVolumeMounts "context" $) | nindent 12 }} + {{- end }} + {{- if .Values.metrics.enabled }} + - name: metrics + image: {{ include "postgresql.metrics.image" . }} + imagePullPolicy: {{ .Values.metrics.image.pullPolicy | quote }} + {{- if .Values.metrics.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.metrics.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + {{- if .Values.diagnosticMode.enabled }} + command: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.command "context" $) | nindent 12 }} + args: {{- include "common.tplvalues.render" (dict "value" .Values.diagnosticMode.args "context" $) | nindent 12 }} + {{- else if .Values.metrics.customMetrics }} + args: [ "--extend.query-path", "/conf/custom-metrics.yaml" ] + {{- end }} + env: + {{- $database := required "In order to enable metrics you need to specify a database (.Values.auth.database or .Values.global.postgresql.auth.database)" (include "postgresql.database" .) }} + - name: DATA_SOURCE_URI + value: {{ printf "127.0.0.1:%d/%s?sslmode=disable" (int (include "postgresql.service.port" .)) $database }} + {{- if .Values.auth.usePasswordFiles }} + - name: DATA_SOURCE_PASS_FILE + value: {{ printf "/opt/bitnami/postgresql/secrets/%s" (ternary "password" "postgres-password" (and (not (empty $customUser)) (ne $customUser "postgres"))) }} + {{- else }} + - name: DATA_SOURCE_PASS + valueFrom: + secretKeyRef: + name: {{ include "postgresql.secretName" . }} + key: {{ include "postgresql.userPasswordKey" . }} + {{- end }} + - name: DATA_SOURCE_USER + value: {{ default "postgres" $customUser | quote }} + {{- if .Values.metrics.extraEnvVars }} + {{- include "common.tplvalues.render" (dict "value" .Values.metrics.extraEnvVars "context" $) | nindent 12 }} + {{- end }} + ports: + - name: http-metrics + containerPort: {{ .Values.metrics.containerPorts.metrics }} + {{- if not .Values.diagnosticMode.enabled }} + {{- if .Values.metrics.customStartupProbe }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customStartupProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.startupProbe.enabled }} + startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.startupProbe "enabled") "context" $) | nindent 12 }} + tcpSocket: + port: http-metrics + {{- end }} + {{- if .Values.metrics.customLivenessProbe }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customLivenessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.livenessProbe.enabled }} + livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.livenessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: http-metrics + {{- end }} + {{- if .Values.metrics.customReadinessProbe }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.metrics.customReadinessProbe "context" $) | nindent 12 }} + {{- else if .Values.metrics.readinessProbe.enabled }} + readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.metrics.readinessProbe "enabled") "context" $) | nindent 12 }} + httpGet: + path: / + port: http-metrics + {{- end }} + {{- end }} + volumeMounts: + {{- if .Values.auth.usePasswordFiles }} + - name: postgresql-password + mountPath: /opt/bitnami/postgresql/secrets/ + {{- end }} + {{- if .Values.metrics.customMetrics }} + - name: custom-metrics + mountPath: /conf + readOnly: true + {{- end }} + {{- if .Values.metrics.resources }} + resources: {{- toYaml .Values.metrics.resources | nindent 12 }} + {{- end }} + {{- end }} + {{- if .Values.readReplicas.sidecars }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.sidecars "context" $ ) | nindent 8 }} + {{- end }} + volumes: + {{- if .Values.readReplicas.extendedConfiguration }} + - name: postgresql-extended-config + configMap: + name: {{ include "postgresql.readReplicas.extendedConfigmapName" . }} + {{- end }} + {{- if .Values.auth.usePasswordFiles }} + - name: postgresql-password + secret: + secretName: {{ include "postgresql.secretName" . }} + {{- end }} + {{- if .Values.tls.enabled }} + - name: raw-certificates + secret: + secretName: {{ include "postgresql.tlsSecretName" . }} + - name: postgresql-certificates + emptyDir: {} + {{- end }} + {{- if and .Values.metrics.enabled .Values.metrics.customMetrics }} + - name: custom-metrics + configMap: + name: {{ printf "%s-metrics" (include "common.names.fullname" .) }} + {{- end }} + {{- if .Values.shmVolume.enabled }} + - name: dshm + emptyDir: + medium: Memory + {{- if .Values.shmVolume.sizeLimit }} + sizeLimit: {{ .Values.shmVolume.sizeLimit }} + {{- end }} + {{- end }} + {{- if .Values.readReplicas.extraVolumes }} + {{- include "common.tplvalues.render" ( dict "value" .Values.readReplicas.extraVolumes "context" $ ) | nindent 8 }} + {{- end }} + {{- if and .Values.readReplicas.persistence.enabled .Values.readReplicas.persistence.existingClaim }} + - name: data + persistentVolumeClaim: + claimName: {{ tpl .Values.readReplicas.persistence.existingClaim $ }} + {{- else if not .Values.readReplicas.persistence.enabled }} + - name: data + emptyDir: {} + {{- else }} + volumeClaimTemplates: + - metadata: + name: data + {{- if .Values.readReplicas.persistence.annotations }} + annotations: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.annotations "context" $) | nindent 10 }} + {{- end }} + {{- if .Values.readReplicas.persistence.labels }} + labels: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.labels "context" $) | nindent 10 }} + {{- end }} + spec: + accessModes: + {{- range .Values.readReplicas.persistence.accessModes }} + - {{ . | quote }} + {{- end }} + {{- if .Values.readReplicas.persistence.dataSource }} + dataSource: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.dataSource "context" $) | nindent 10 }} + {{- end }} + resources: + requests: + storage: {{ .Values.readReplicas.persistence.size | quote }} + {{- if .Values.readReplicas.persistence.selector }} + selector: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.persistence.selector "context" $) | nindent 10 }} + {{- end -}} + {{- include "common.storage.class" (dict "persistence" .Values.readReplicas.persistence "global" .Values.global) | nindent 8 }} + {{- end }} +{{- end }} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/read/svc-headless.yaml b/charts/kong/kong/2.41.0/charts/postgresql/templates/read/svc-headless.yaml new file mode 100644 index 000000000..0371e49d4 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/read/svc-headless.yaml @@ -0,0 +1,33 @@ +{{- if eq .Values.architecture "replication" }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "postgresql.readReplica.svc.headless" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + app.kubernetes.io/component: read + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + # Use this annotation in addition to the actual publishNotReadyAddresses + # field below because the annotation will stop being respected soon but the + # field is broken in some versions of Kubernetes: + # https://github.com/kubernetes/kubernetes/issues/58662 + service.alpha.kubernetes.io/tolerate-unready-endpoints: "true" +spec: + type: ClusterIP + clusterIP: None + # We want all pods in the StatefulSet to have their addresses published for + # the sake of the other Postgresql pods even before they're ready, since they + # have to be able to talk to each other in order to become ready. + publishNotReadyAddresses: true + ports: + - name: tcp-postgresql + port: {{ include "postgresql.readReplica.service.port" . }} + targetPort: tcp-postgresql + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: read +{{- end }} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/read/svc.yaml b/charts/kong/kong/2.41.0/charts/postgresql/templates/read/svc.yaml new file mode 100644 index 000000000..3eece4dbb --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/read/svc.yaml @@ -0,0 +1,53 @@ +{{- if eq .Values.architecture "replication" }} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "postgresql.readReplica.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + app.kubernetes.io/component: read + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.readReplicas.service.annotations }} + {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.annotations "context" $) | nindent 4 }} + {{- end }} +spec: + type: {{ .Values.readReplicas.service.type }} + {{- if or (eq .Values.readReplicas.service.type "LoadBalancer") (eq .Values.readReplicas.service.type "NodePort") }} + externalTrafficPolicy: {{ .Values.readReplicas.service.externalTrafficPolicy | quote }} + {{- end }} + {{- if and (eq .Values.readReplicas.service.type "LoadBalancer") (not (empty .Values.readReplicas.service.loadBalancerSourceRanges)) }} + loadBalancerSourceRanges: {{ .Values.readReplicas.service.loadBalancerSourceRanges }} + {{- end }} + {{- if and (eq .Values.readReplicas.service.type "LoadBalancer") (not (empty .Values.readReplicas.service.loadBalancerIP)) }} + loadBalancerIP: {{ .Values.readReplicas.service.loadBalancerIP }} + {{- end }} + {{- if and .Values.readReplicas.service.clusterIP (eq .Values.readReplicas.service.type "ClusterIP") }} + clusterIP: {{ .Values.readReplicas.service.clusterIP }} + {{- end }} + {{- if .Values.readReplicas.service.sessionAffinity }} + sessionAffinity: {{ .Values.readReplicas.service.sessionAffinity }} + {{- end }} + {{- if .Values.readReplicas.service.sessionAffinityConfig }} + sessionAffinityConfig: {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.sessionAffinityConfig "context" $) | nindent 4 }} + {{- end }} + ports: + - name: tcp-postgresql + port: {{ include "postgresql.readReplica.service.port" . }} + targetPort: tcp-postgresql + {{- if and (or (eq .Values.readReplicas.service.type "NodePort") (eq .Values.readReplicas.service.type "LoadBalancer")) (not (empty .Values.readReplicas.service.nodePorts.postgresql)) }} + nodePort: {{ .Values.readReplicas.service.nodePorts.postgresql }} + {{- else if eq .Values.readReplicas.service.type "ClusterIP" }} + nodePort: null + {{- end }} + {{- if .Values.readReplicas.service.extraPorts }} + {{- include "common.tplvalues.render" (dict "value" .Values.readReplicas.service.extraPorts "context" $) | nindent 4 }} + {{- end }} + selector: {{- include "common.labels.matchLabels" . | nindent 4 }} + app.kubernetes.io/component: read +{{- end }} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/role.yaml b/charts/kong/kong/2.41.0/charts/postgresql/templates/role.yaml new file mode 100644 index 000000000..00f922232 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/role.yaml @@ -0,0 +1,31 @@ +{{- if .Values.rbac.create }} +kind: Role +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +# yamllint disable rule:indentation +rules: + {{- $pspAvailable := (semverCompare "<1.25-0" (include "common.capabilities.kubeVersion" .)) -}} + {{- if and $pspAvailable .Values.psp.create }} + - apiGroups: + - 'policy' + resources: + - 'podsecuritypolicies' + verbs: + - 'use' + resourceNames: + - {{ include "common.names.fullname" . }} + {{- end }} + {{- if .Values.rbac.rules }} + {{- include "common.tplvalues.render" ( dict "value" .Values.rbac.rules "context" $ ) | nindent 2 }} + {{- end }} +# yamllint enable rule:indentation +{{- end }} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/rolebinding.yaml b/charts/kong/kong/2.41.0/charts/postgresql/templates/rolebinding.yaml new file mode 100644 index 000000000..0311c0ecc --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/rolebinding.yaml @@ -0,0 +1,22 @@ +{{- if .Values.rbac.create }} +kind: RoleBinding +apiVersion: {{ include "common.capabilities.rbac.apiVersion" . }} +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +roleRef: + kind: Role + name: {{ include "common.names.fullname" . }} + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: {{ include "postgresql.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} +{{- end }} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/secrets.yaml b/charts/kong/kong/2.41.0/charts/postgresql/templates/secrets.yaml new file mode 100644 index 000000000..5f28fb374 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/secrets.yaml @@ -0,0 +1,29 @@ +{{- if (include "postgresql.createSecret" .) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: Opaque +data: + {{- if .Values.auth.enablePostgresUser }} + postgres-password: {{ include "common.secrets.passwords.manage" (dict "secret" (include "common.names.fullname" .) "key" "postgres-password" "providedValues" (list "global.postgresql.auth.postgresPassword" "auth.postgresPassword") "context" $) }} + {{- end }} + {{- if not (empty (include "postgresql.username" .)) }} + password: {{ include "common.secrets.passwords.manage" (dict "secret" (include "common.names.fullname" .) "key" "password" "providedValues" (list "global.postgresql.auth.password" "auth.password") "context" $) }} + {{- end }} + {{- if eq .Values.architecture "replication" }} + replication-password: {{ include "common.secrets.passwords.manage" (dict "secret" (include "common.names.fullname" .) "key" "replication-password" "providedValues" (list "auth.replicationPassword") "context" $) }} + {{- end }} + # We don't auto-generate LDAP password when it's not provided as we do for other passwords + {{- if and .Values.ldap.enabled (or .Values.ldap.bind_password .Values.ldap.bindpw) }} + ldap-password: {{ coalesce .Values.ldap.bind_password .Values.ldap.bindpw | b64enc | quote }} + {{- end }} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/serviceaccount.yaml b/charts/kong/kong/2.41.0/charts/postgresql/templates/serviceaccount.yaml new file mode 100644 index 000000000..179f8f2e4 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/serviceaccount.yaml @@ -0,0 +1,19 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "postgresql.serviceAccountName" . }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + annotations: + {{- if .Values.commonAnnotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.serviceAccount.annotations }} + {{- include "common.tplvalues.render" ( dict "value" .Values.serviceAccount.annotations "context" $ ) | nindent 4 }} + {{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +{{- end }} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/templates/tls-secrets.yaml b/charts/kong/kong/2.41.0/charts/postgresql/templates/tls-secrets.yaml new file mode 100644 index 000000000..59c577647 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/templates/tls-secrets.yaml @@ -0,0 +1,27 @@ +{{- if (include "postgresql.createTlsSecret" . ) }} +{{- $ca := genCA "postgresql-ca" 365 }} +{{- $fullname := include "common.names.fullname" . }} +{{- $releaseNamespace := .Release.Namespace }} +{{- $clusterDomain := .Values.clusterDomain }} +{{- $primaryHeadlessServiceName := include "postgresql.primary.svc.headless" . }} +{{- $readHeadlessServiceName := include "postgresql.readReplica.svc.headless" . }} +{{- $altNames := list (printf "*.%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $fullname $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $primaryHeadlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $primaryHeadlessServiceName $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $readHeadlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $readHeadlessServiceName $releaseNamespace $clusterDomain) $fullname }} +{{- $crt := genSignedCert $fullname nil $altNames 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-crt" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $crt.Cert | b64enc | quote }} + tls.key: {{ $crt.Key | b64enc | quote }} +{{- end }} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/values.schema.json b/charts/kong/kong/2.41.0/charts/postgresql/values.schema.json new file mode 100644 index 000000000..fc41483cd --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/values.schema.json @@ -0,0 +1,156 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "properties": { + "architecture": { + "type": "string", + "title": "PostgreSQL architecture", + "form": true, + "description": "Allowed values: `standalone` or `replication`" + }, + "auth": { + "type": "object", + "title": "Authentication configuration", + "form": true, + "properties": { + "enablePostgresUser": { + "type": "boolean", + "title": "Enable \"postgres\" admin user", + "description": "Assign a password to the \"postgres\" admin user. Otherwise, remote access will be blocked for this user", + "form": true + }, + "postgresPassword": { + "type": "string", + "title": "Password for the \"postgres\" admin user", + "description": "Defaults to a random 10-character alphanumeric string if not set", + "form": true + }, + "database": { + "type": "string", + "title": "PostgreSQL custom database", + "description": "Name of the custom database to be created during the 1st initialization of PostgreSQL", + "form": true + }, + "username": { + "type": "string", + "title": "PostgreSQL custom user", + "description": "Name of the custom user to be created during the 1st initialization of PostgreSQL. This user only has permissions on the PostgreSQL custom database", + "form": true + }, + "password": { + "type": "string", + "title": "Password for the custom user to create", + "description": "Defaults to a random 10-character alphanumeric string if not set", + "form": true + }, + "replicationUsername": { + "type": "string", + "title": "PostgreSQL replication user", + "description": "Name of user used to manage replication.", + "form": true, + "hidden": { + "value": "standalone", + "path": "architecture" + } + }, + "replicationPassword": { + "type": "string", + "title": "Password for PostgreSQL replication user", + "description": "Defaults to a random 10-character alphanumeric string if not set", + "form": true, + "hidden": { + "value": "standalone", + "path": "architecture" + } + } + } + }, + "persistence": { + "type": "object", + "properties": { + "size": { + "type": "string", + "title": "Persistent Volume Size", + "form": true, + "render": "slider", + "sliderMin": 1, + "sliderMax": 100, + "sliderUnit": "Gi" + } + } + }, + "resources": { + "type": "object", + "title": "Required Resources", + "description": "Configure resource requests", + "form": true, + "properties": { + "requests": { + "type": "object", + "properties": { + "memory": { + "type": "string", + "form": true, + "render": "slider", + "title": "Memory Request", + "sliderMin": 10, + "sliderMax": 2048, + "sliderUnit": "Mi" + }, + "cpu": { + "type": "string", + "form": true, + "render": "slider", + "title": "CPU Request", + "sliderMin": 10, + "sliderMax": 2000, + "sliderUnit": "m" + } + } + } + } + }, + "replication": { + "type": "object", + "form": true, + "title": "Replication Details", + "properties": { + "enabled": { + "type": "boolean", + "title": "Enable Replication", + "form": true + }, + "readReplicas": { + "type": "integer", + "title": "read Replicas", + "form": true, + "hidden": { + "value": "standalone", + "path": "architecture" + } + } + } + }, + "volumePermissions": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "form": true, + "title": "Enable Init Containers", + "description": "Change the owner of the persist volume mountpoint to RunAsUser:fsGroup" + } + } + }, + "metrics": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "title": "Configure metrics exporter", + "form": true + } + } + } + } +} diff --git a/charts/kong/kong/2.41.0/charts/postgresql/values.yaml b/charts/kong/kong/2.41.0/charts/postgresql/values.yaml new file mode 100644 index 000000000..8d0e5fe37 --- /dev/null +++ b/charts/kong/kong/2.41.0/charts/postgresql/values.yaml @@ -0,0 +1,1399 @@ +## @section Global parameters +## Please, note that this will override the parameters, including dependencies, configured to use the global value +## +global: + ## @param global.imageRegistry Global Docker image registry + ## + imageRegistry: "" + ## @param global.imagePullSecrets Global Docker registry secret names as an array + ## e.g. + ## imagePullSecrets: + ## - myRegistryKeySecretName + ## + imagePullSecrets: [] + ## @param global.storageClass Global StorageClass for Persistent Volume(s) + ## + storageClass: "" + postgresql: + ## @param global.postgresql.auth.postgresPassword Password for the "postgres" admin user (overrides `auth.postgresPassword`) + ## @param global.postgresql.auth.username Name for a custom user to create (overrides `auth.username`) + ## @param global.postgresql.auth.password Password for the custom user to create (overrides `auth.password`) + ## @param global.postgresql.auth.database Name for a custom database to create (overrides `auth.database`) + ## @param global.postgresql.auth.existingSecret Name of existing secret to use for PostgreSQL credentials (overrides `auth.existingSecret`). + ## @param global.postgresql.auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.adminPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. + ## @param global.postgresql.auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.userPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. + ## @param global.postgresql.auth.secretKeys.replicationPasswordKey Name of key in existing secret to use for PostgreSQL credentials (overrides `auth.secretKeys.replicationPasswordKey`). Only used when `global.postgresql.auth.existingSecret` is set. + ## + auth: + postgresPassword: "" + username: "" + password: "" + database: "" + existingSecret: "" + secretKeys: + adminPasswordKey: "" + userPasswordKey: "" + replicationPasswordKey: "" + ## @param global.postgresql.service.ports.postgresql PostgreSQL service port (overrides `service.ports.postgresql`) + ## + service: + ports: + postgresql: "" + +## @section Common parameters +## + +## @param kubeVersion Override Kubernetes version +## +kubeVersion: "" +## @param nameOverride String to partially override common.names.fullname template (will maintain the release name) +## +nameOverride: "" +## @param fullnameOverride String to fully override common.names.fullname template +## +fullnameOverride: "" +## @param clusterDomain Kubernetes Cluster Domain +## +clusterDomain: cluster.local +## @param extraDeploy Array of extra objects to deploy with the release (evaluated as a template) +## +extraDeploy: [] +## @param commonLabels Add labels to all the deployed resources +## +commonLabels: {} +## @param commonAnnotations Add annotations to all the deployed resources +## +commonAnnotations: {} +## Enable diagnostic mode in the statefulset +## +diagnosticMode: + ## @param diagnosticMode.enabled Enable diagnostic mode (all probes will be disabled and the command will be overridden) + ## + enabled: false + ## @param diagnosticMode.command Command to override all containers in the statefulset + ## + command: + - sleep + ## @param diagnosticMode.args Args to override all containers in the statefulset + ## + args: + - infinity + +## @section PostgreSQL common parameters +## + +## Bitnami PostgreSQL image version +## ref: https://hub.docker.com/r/bitnami/postgresql/tags/ +## @param image.registry PostgreSQL image registry +## @param image.repository PostgreSQL image repository +## @param image.tag PostgreSQL image tag (immutable tags are recommended) +## @param image.digest PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag +## @param image.pullPolicy PostgreSQL image pull policy +## @param image.pullSecrets Specify image pull secrets +## @param image.debug Specify if debug values should be set +## +image: + registry: docker.io + repository: bitnami/postgresql + tag: 14.5.0-debian-11-r35 + digest: "" + ## Specify a imagePullPolicy + ## Defaults to 'Always' if image tag is 'latest', else set to 'IfNotPresent' + ## ref: https://kubernetes.io/docs/user-guide/images/#pre-pulling-images + ## + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Set to true if you would like to see extra information on logs + ## + debug: false +## Authentication parameters +## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#setting-the-root-password-on-first-run +## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#creating-a-database-on-first-run +## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#creating-a-database-user-on-first-run +## +auth: + ## @param auth.enablePostgresUser Assign a password to the "postgres" admin user. Otherwise, remote access will be blocked for this user + ## + enablePostgresUser: true + ## @param auth.postgresPassword Password for the "postgres" admin user. Ignored if `auth.existingSecret` with key `postgres-password` is provided + ## + postgresPassword: "" + ## @param auth.username Name for a custom user to create + ## + username: "" + ## @param auth.password Password for the custom user to create. Ignored if `auth.existingSecret` with key `password` is provided + ## + password: "" + ## @param auth.database Name for a custom database to create + ## + database: "" + ## @param auth.replicationUsername Name of the replication user + ## + replicationUsername: repl_user + ## @param auth.replicationPassword Password for the replication user. Ignored if `auth.existingSecret` with key `replication-password` is provided + ## + replicationPassword: "" + ## @param auth.existingSecret Name of existing secret to use for PostgreSQL credentials. `auth.postgresPassword`, `auth.password`, and `auth.replicationPassword` will be ignored and picked up from this secret. The secret might also contains the key `ldap-password` if LDAP is enabled. `ldap.bind_password` will be ignored and picked from this secret in this case. + ## + existingSecret: "" + ## @param auth.secretKeys.adminPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. + ## @param auth.secretKeys.userPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. + ## @param auth.secretKeys.replicationPasswordKey Name of key in existing secret to use for PostgreSQL credentials. Only used when `auth.existingSecret` is set. + ## + secretKeys: + adminPasswordKey: postgres-password + userPasswordKey: password + replicationPasswordKey: replication-password + ## @param auth.usePasswordFiles Mount credentials as a files instead of using an environment variable + ## + usePasswordFiles: false +## @param architecture PostgreSQL architecture (`standalone` or `replication`) +## +architecture: standalone +## Replication configuration +## Ignored if `architecture` is `standalone` +## +replication: + ## @param replication.synchronousCommit Set synchronous commit mode. Allowed values: `on`, `remote_apply`, `remote_write`, `local` and `off` + ## @param replication.numSynchronousReplicas Number of replicas that will have synchronous replication. Note: Cannot be greater than `readReplicas.replicaCount`. + ## ref: https://www.postgresql.org/docs/current/runtime-config-wal.html#GUC-SYNCHRONOUS-COMMIT + ## + synchronousCommit: "off" + numSynchronousReplicas: 0 + ## @param replication.applicationName Cluster application name. Useful for advanced replication settings + ## + applicationName: my_application +## @param containerPorts.postgresql PostgreSQL container port +## +containerPorts: + postgresql: 5432 +## Audit settings +## https://github.com/bitnami/containers/tree/main/bitnami/postgresql#auditing +## @param audit.logHostname Log client hostnames +## @param audit.logConnections Add client log-in operations to the log file +## @param audit.logDisconnections Add client log-outs operations to the log file +## @param audit.pgAuditLog Add operations to log using the pgAudit extension +## @param audit.pgAuditLogCatalog Log catalog using pgAudit +## @param audit.clientMinMessages Message log level to share with the user +## @param audit.logLinePrefix Template for log line prefix (default if not set) +## @param audit.logTimezone Timezone for the log timestamps +## +audit: + logHostname: false + logConnections: false + logDisconnections: false + pgAuditLog: "" + pgAuditLogCatalog: "off" + clientMinMessages: error + logLinePrefix: "" + logTimezone: "" +## LDAP configuration +## @param ldap.enabled Enable LDAP support +## DEPRECATED ldap.url It will removed in a future, please use 'ldap.uri' instead +## @param ldap.server IP address or name of the LDAP server. +## @param ldap.port Port number on the LDAP server to connect to +## @param ldap.prefix String to prepend to the user name when forming the DN to bind +## @param ldap.suffix String to append to the user name when forming the DN to bind +## DEPRECATED ldap.baseDN It will removed in a future, please use 'ldap.basedn' instead +## DEPRECATED ldap.bindDN It will removed in a future, please use 'ldap.binddn' instead +## DEPRECATED ldap.bind_password It will removed in a future, please use 'ldap.bindpw' instead +## @param ldap.basedn Root DN to begin the search for the user in +## @param ldap.binddn DN of user to bind to LDAP +## @param ldap.bindpw Password for the user to bind to LDAP +## DEPRECATED ldap.search_attr It will removed in a future, please use 'ldap.searchAttribute' instead +## DEPRECATED ldap.search_filter It will removed in a future, please use 'ldap.searchFilter' instead +## @param ldap.searchAttribute Attribute to match against the user name in the search +## @param ldap.searchFilter The search filter to use when doing search+bind authentication +## @param ldap.scheme Set to `ldaps` to use LDAPS +## DEPRECATED ldap.tls as string is deprecated,please use 'ldap.tls.enabled' instead +## @param ldap.tls.enabled Se to true to enable TLS encryption +## +ldap: + enabled: false + server: "" + port: "" + prefix: "" + suffix: "" + basedn: "" + binddn: "" + bindpw: "" + searchAttribute: "" + searchFilter: "" + scheme: "" + tls: + enabled: false + ## @param ldap.uri LDAP URL beginning in the form `ldap[s]://host[:port]/basedn`. If provided, all the other LDAP parameters will be ignored. + ## Ref: https://www.postgresql.org/docs/current/auth-ldap.html + uri: "" +## @param postgresqlDataDir PostgreSQL data dir folder +## +postgresqlDataDir: /bitnami/postgresql/data +## @param postgresqlSharedPreloadLibraries Shared preload libraries (comma-separated list) +## +postgresqlSharedPreloadLibraries: "pgaudit" +## Start PostgreSQL pod(s) without limitations on shm memory. +## By default docker and containerd (and possibly other container runtimes) limit `/dev/shm` to `64M` +## ref: https://github.com/docker-library/postgres/issues/416 +## ref: https://github.com/containerd/containerd/issues/3654 +## +shmVolume: + ## @param shmVolume.enabled Enable emptyDir volume for /dev/shm for PostgreSQL pod(s) + ## + enabled: true + ## @param shmVolume.sizeLimit Set this to enable a size limit on the shm tmpfs + ## Note: the size of the tmpfs counts against container's memory limit + ## e.g: + ## sizeLimit: 1Gi + ## + sizeLimit: "" +## TLS configuration +## +tls: + ## @param tls.enabled Enable TLS traffic support + ## + enabled: false + ## @param tls.autoGenerated Generate automatically self-signed TLS certificates + ## + autoGenerated: false + ## @param tls.preferServerCiphers Whether to use the server's TLS cipher preferences rather than the client's + ## + preferServerCiphers: true + ## @param tls.certificatesSecret Name of an existing secret that contains the certificates + ## + certificatesSecret: "" + ## @param tls.certFilename Certificate filename + ## + certFilename: "" + ## @param tls.certKeyFilename Certificate key filename + ## + certKeyFilename: "" + ## @param tls.certCAFilename CA Certificate filename + ## If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate + ## ref: https://www.postgresql.org/docs/9.6/auth-methods.html + ## + certCAFilename: "" + ## @param tls.crlFilename File containing a Certificate Revocation List + ## + crlFilename: "" + +## @section PostgreSQL Primary parameters +## +primary: + ## @param primary.name Name of the primary database (eg primary, master, leader, ...) + ## + name: primary + ## @param primary.configuration PostgreSQL Primary main configuration to be injected as ConfigMap + ## ref: https://www.postgresql.org/docs/current/static/runtime-config.html + ## + configuration: "" + ## @param primary.pgHbaConfiguration PostgreSQL Primary client authentication configuration + ## ref: https://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html + ## e.g:# + ## pgHbaConfiguration: |- + ## local all all trust + ## host all all localhost trust + ## host mydatabase mysuser 192.168.0.0/24 md5 + ## + pgHbaConfiguration: "" + ## @param primary.existingConfigmap Name of an existing ConfigMap with PostgreSQL Primary configuration + ## NOTE: `primary.configuration` and `primary.pgHbaConfiguration` will be ignored + ## + existingConfigmap: "" + ## @param primary.extendedConfiguration Extended PostgreSQL Primary configuration (appended to main or default configuration) + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf + ## + extendedConfiguration: "" + ## @param primary.existingExtendedConfigmap Name of an existing ConfigMap with PostgreSQL Primary extended configuration + ## NOTE: `primary.extendedConfiguration` will be ignored + ## + existingExtendedConfigmap: "" + ## Initdb configuration + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#specifying-initdb-arguments + ## + initdb: + ## @param primary.initdb.args PostgreSQL initdb extra arguments + ## + args: "" + ## @param primary.initdb.postgresqlWalDir Specify a custom location for the PostgreSQL transaction log + ## + postgresqlWalDir: "" + ## @param primary.initdb.scripts Dictionary of initdb scripts + ## Specify dictionary of scripts to be run at first boot + ## e.g: + ## scripts: + ## my_init_script.sh: | + ## #!/bin/sh + ## echo "Do something." + ## + scripts: {} + ## @param primary.initdb.scriptsConfigMap ConfigMap with scripts to be run at first boot + ## NOTE: This will override `primary.initdb.scripts` + ## + scriptsConfigMap: "" + ## @param primary.initdb.scriptsSecret Secret with scripts to be run at first boot (in case it contains sensitive information) + ## NOTE: This can work along `primary.initdb.scripts` or `primary.initdb.scriptsConfigMap` + ## + scriptsSecret: "" + ## @param primary.initdb.user Specify the PostgreSQL username to execute the initdb scripts + ## + user: "" + ## @param primary.initdb.password Specify the PostgreSQL password to execute the initdb scripts + ## + password: "" + ## Configure current cluster's primary server to be the standby server in other cluster. + ## This will allow cross cluster replication and provide cross cluster high availability. + ## You will need to configure pgHbaConfiguration if you want to enable this feature with local cluster replication enabled. + ## @param primary.standby.enabled Whether to enable current cluster's primary as standby server of another cluster or not + ## @param primary.standby.primaryHost The Host of replication primary in the other cluster + ## @param primary.standby.primaryPort The Port of replication primary in the other cluster + ## + standby: + enabled: false + primaryHost: "" + primaryPort: "" + ## @param primary.extraEnvVars Array with extra environment variables to add to PostgreSQL Primary nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param primary.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL Primary nodes + ## + extraEnvVarsCM: "" + ## @param primary.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL Primary nodes + ## + extraEnvVarsSecret: "" + ## @param primary.command Override default container command (useful when using custom images) + ## + command: [] + ## @param primary.args Override default container args (useful when using custom images) + ## + args: [] + ## Configure extra options for PostgreSQL Primary containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param primary.livenessProbe.enabled Enable livenessProbe on PostgreSQL Primary containers + ## @param primary.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param primary.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param primary.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param primary.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param primary.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param primary.readinessProbe.enabled Enable readinessProbe on PostgreSQL Primary containers + ## @param primary.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param primary.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param primary.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param primary.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param primary.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param primary.startupProbe.enabled Enable startupProbe on PostgreSQL Primary containers + ## @param primary.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param primary.startupProbe.periodSeconds Period seconds for startupProbe + ## @param primary.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param primary.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param primary.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param primary.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param primary.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param primary.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param primary.lifecycleHooks for the PostgreSQL Primary container to automate configuration before or after startup + ## + lifecycleHooks: {} + ## PostgreSQL Primary resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param primary.resources.limits The resources limits for the PostgreSQL Primary containers + ## @param primary.resources.requests.memory The requested memory for the PostgreSQL Primary containers + ## @param primary.resources.requests.cpu The requested cpu for the PostgreSQL Primary containers + ## + resources: + limits: {} + requests: + memory: 256Mi + cpu: 250m + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param primary.podSecurityContext.enabled Enable security context + ## @param primary.podSecurityContext.fsGroup Group ID for the pod + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param primary.containerSecurityContext.enabled Enable container security context + ## @param primary.containerSecurityContext.runAsUser User ID for the container + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + ## @param primary.hostAliases PostgreSQL primary pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param primary.hostNetwork Specify if host network should be enabled for PostgreSQL pod (postgresql primary) + ## + hostNetwork: false + ## @param primary.hostIPC Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) + ## + hostIPC: false + ## @param primary.labels Map of labels to add to the statefulset (postgresql primary) + ## + labels: {} + ## @param primary.annotations Annotations for PostgreSQL primary pods + ## + annotations: {} + ## @param primary.podLabels Map of labels to add to the pods (postgresql primary) + ## + podLabels: {} + ## @param primary.podAnnotations Map of annotations to add to the pods (postgresql primary) + ## + podAnnotations: {} + ## @param primary.podAffinityPreset PostgreSQL primary pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param primary.podAntiAffinityPreset PostgreSQL primary pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## PostgreSQL Primary node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param primary.nodeAffinityPreset.type PostgreSQL primary node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param primary.nodeAffinityPreset.key PostgreSQL primary node label key to match Ignored if `primary.affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param primary.nodeAffinityPreset.values PostgreSQL primary node label values to match. Ignored if `primary.affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param primary.affinity Affinity for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param primary.nodeSelector Node labels for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param primary.tolerations Tolerations for PostgreSQL primary pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param primary.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods + ## + topologySpreadConstraints: [] + ## @param primary.priorityClassName Priority Class to use for each pod (postgresql primary) + ## + priorityClassName: "" + ## @param primary.schedulerName Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param primary.terminationGracePeriodSeconds Seconds PostgreSQL primary pod needs to terminate gracefully + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods + ## + terminationGracePeriodSeconds: "" + ## @param primary.updateStrategy.type PostgreSQL Primary statefulset strategy type + ## @param primary.updateStrategy.rollingUpdate PostgreSQL Primary statefulset rolling update configuration parameters + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + type: RollingUpdate + rollingUpdate: {} + ## @param primary.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL Primary container(s) + ## + extraVolumeMounts: [] + ## @param primary.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL Primary pod(s) + ## + extraVolumes: [] + ## @param primary.sidecars Add additional sidecar containers to the PostgreSQL Primary pod(s) + ## For example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param primary.initContainers Add additional init containers to the PostgreSQL Primary pod(s) + ## Example + ## + ## initContainers: + ## - name: do-something + ## image: busybox + ## command: ['do', 'something'] + ## + initContainers: [] + ## @param primary.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL Primary pod(s) + ## + extraPodSpec: {} + ## PostgreSQL Primary service configuration + ## + service: + ## @param primary.service.type Kubernetes Service type + ## + type: ClusterIP + ## @param primary.service.ports.postgresql PostgreSQL service port + ## + ports: + postgresql: 5432 + ## Node ports to expose + ## NOTE: choose port between <30000-32767> + ## @param primary.service.nodePorts.postgresql Node port for PostgreSQL + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + postgresql: "" + ## @param primary.service.clusterIP Static clusterIP or None for headless services + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param primary.service.annotations Annotations for PostgreSQL primary service + ## + annotations: {} + ## @param primary.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer` + ## Set the LoadBalancer service type to internal only + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param primary.service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param primary.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param primary.service.extraPorts Extra ports to expose in the PostgreSQL primary service + ## + extraPorts: [] + ## @param primary.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param primary.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## PostgreSQL Primary persistence configuration + ## + persistence: + ## @param primary.persistence.enabled Enable PostgreSQL Primary data persistence using PVC + ## + enabled: true + ## @param primary.persistence.existingClaim Name of an existing PVC to use + ## + existingClaim: "" + ## @param primary.persistence.mountPath The path the volume will be mounted at + ## Note: useful when using custom PostgreSQL images + ## + mountPath: /bitnami/postgresql + ## @param primary.persistence.subPath The subdirectory of the volume to mount to + ## Useful in dev environments and one PV for multiple services + ## + subPath: "" + ## @param primary.persistence.storageClass PVC Storage Class for PostgreSQL Primary data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + ## @param primary.persistence.accessModes PVC Access Mode for PostgreSQL volume + ## + accessModes: + - ReadWriteOnce + ## @param primary.persistence.size PVC Storage Request for PostgreSQL volume + ## + size: 8Gi + ## @param primary.persistence.annotations Annotations for the PVC + ## + annotations: {} + ## @param primary.persistence.labels Labels for the PVC + ## + labels: {} + ## @param primary.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template) + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param primary.persistence.dataSource Custom PVC data source + ## + dataSource: {} + +## @section PostgreSQL read only replica parameters (only used when `architecture` is set to `replication`) +## +readReplicas: + ## @param readReplicas.name Name of the read replicas database (eg secondary, slave, ...) + ## + name: read + ## @param readReplicas.replicaCount Number of PostgreSQL read only replicas + ## + replicaCount: 1 + ## @param readReplicas.extendedConfiguration Extended PostgreSQL read only replicas configuration (appended to main or default configuration) + ## ref: https://github.com/bitnami/containers/tree/main/bitnami/postgresql#allow-settings-to-be-loaded-from-files-other-than-the-default-postgresqlconf + ## + extendedConfiguration: "" + ## @param readReplicas.extraEnvVars Array with extra environment variables to add to PostgreSQL read only nodes + ## e.g: + ## extraEnvVars: + ## - name: FOO + ## value: "bar" + ## + extraEnvVars: [] + ## @param readReplicas.extraEnvVarsCM Name of existing ConfigMap containing extra env vars for PostgreSQL read only nodes + ## + extraEnvVarsCM: "" + ## @param readReplicas.extraEnvVarsSecret Name of existing Secret containing extra env vars for PostgreSQL read only nodes + ## + extraEnvVarsSecret: "" + ## @param readReplicas.command Override default container command (useful when using custom images) + ## + command: [] + ## @param readReplicas.args Override default container args (useful when using custom images) + ## + args: [] + ## Configure extra options for PostgreSQL read only containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param readReplicas.livenessProbe.enabled Enable livenessProbe on PostgreSQL read only containers + ## @param readReplicas.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param readReplicas.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param readReplicas.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param readReplicas.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param readReplicas.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param readReplicas.readinessProbe.enabled Enable readinessProbe on PostgreSQL read only containers + ## @param readReplicas.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param readReplicas.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param readReplicas.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param readReplicas.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param readReplicas.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param readReplicas.startupProbe.enabled Enable startupProbe on PostgreSQL read only containers + ## @param readReplicas.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param readReplicas.startupProbe.periodSeconds Period seconds for startupProbe + ## @param readReplicas.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param readReplicas.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param readReplicas.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param readReplicas.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param readReplicas.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param readReplicas.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param readReplicas.lifecycleHooks for the PostgreSQL read only container to automate configuration before or after startup + ## + lifecycleHooks: {} + ## PostgreSQL read only resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param readReplicas.resources.limits The resources limits for the PostgreSQL read only containers + ## @param readReplicas.resources.requests.memory The requested memory for the PostgreSQL read only containers + ## @param readReplicas.resources.requests.cpu The requested cpu for the PostgreSQL read only containers + ## + resources: + limits: {} + requests: + memory: 256Mi + cpu: 250m + ## Pod Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param readReplicas.podSecurityContext.enabled Enable security context + ## @param readReplicas.podSecurityContext.fsGroup Group ID for the pod + ## + podSecurityContext: + enabled: true + fsGroup: 1001 + ## Container Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + ## @param readReplicas.containerSecurityContext.enabled Enable container security context + ## @param readReplicas.containerSecurityContext.runAsUser User ID for the container + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + ## @param readReplicas.hostAliases PostgreSQL read only pods host aliases + ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/ + ## + hostAliases: [] + ## @param readReplicas.hostNetwork Specify if host network should be enabled for PostgreSQL pod (PostgreSQL read only) + ## + hostNetwork: false + ## @param readReplicas.hostIPC Specify if host IPC should be enabled for PostgreSQL pod (postgresql primary) + ## + hostIPC: false + ## @param readReplicas.labels Map of labels to add to the statefulset (PostgreSQL read only) + ## + labels: {} + ## @param readReplicas.annotations Annotations for PostgreSQL read only pods + ## + annotations: {} + ## @param readReplicas.podLabels Map of labels to add to the pods (PostgreSQL read only) + ## + podLabels: {} + ## @param readReplicas.podAnnotations Map of annotations to add to the pods (PostgreSQL read only) + ## + podAnnotations: {} + ## @param readReplicas.podAffinityPreset PostgreSQL read only pod affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAffinityPreset: "" + ## @param readReplicas.podAntiAffinityPreset PostgreSQL read only pod anti-affinity preset. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity + ## + podAntiAffinityPreset: soft + ## PostgreSQL read only node affinity preset + ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity + ## + nodeAffinityPreset: + ## @param readReplicas.nodeAffinityPreset.type PostgreSQL read only node affinity preset type. Ignored if `primary.affinity` is set. Allowed values: `soft` or `hard` + ## + type: "" + ## @param readReplicas.nodeAffinityPreset.key PostgreSQL read only node label key to match Ignored if `primary.affinity` is set. + ## E.g. + ## key: "kubernetes.io/e2e-az-name" + ## + key: "" + ## @param readReplicas.nodeAffinityPreset.values PostgreSQL read only node label values to match. Ignored if `primary.affinity` is set. + ## E.g. + ## values: + ## - e2e-az1 + ## - e2e-az2 + ## + values: [] + ## @param readReplicas.affinity Affinity for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity + ## Note: primary.podAffinityPreset, primary.podAntiAffinityPreset, and primary.nodeAffinityPreset will be ignored when it's set + ## + affinity: {} + ## @param readReplicas.nodeSelector Node labels for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/user-guide/node-selection/ + ## + nodeSelector: {} + ## @param readReplicas.tolerations Tolerations for PostgreSQL read only pods assignment + ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ + ## + tolerations: [] + ## @param readReplicas.topologySpreadConstraints Topology Spread Constraints for pod assignment spread across your cluster among failure-domains. Evaluated as a template + ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/#spread-constraints-for-pods + ## + topologySpreadConstraints: [] + ## @param readReplicas.priorityClassName Priority Class to use for each pod (PostgreSQL read only) + ## + priorityClassName: "" + ## @param readReplicas.schedulerName Use an alternate scheduler, e.g. "stork". + ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/ + ## + schedulerName: "" + ## @param readReplicas.terminationGracePeriodSeconds Seconds PostgreSQL read only pod needs to terminate gracefully + ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods + ## + terminationGracePeriodSeconds: "" + ## @param readReplicas.updateStrategy.type PostgreSQL read only statefulset strategy type + ## @param readReplicas.updateStrategy.rollingUpdate PostgreSQL read only statefulset rolling update configuration parameters + ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies + ## + updateStrategy: + type: RollingUpdate + rollingUpdate: {} + ## @param readReplicas.extraVolumeMounts Optionally specify extra list of additional volumeMounts for the PostgreSQL read only container(s) + ## + extraVolumeMounts: [] + ## @param readReplicas.extraVolumes Optionally specify extra list of additional volumes for the PostgreSQL read only pod(s) + ## + extraVolumes: [] + ## @param readReplicas.sidecars Add additional sidecar containers to the PostgreSQL read only pod(s) + ## For example: + ## sidecars: + ## - name: your-image-name + ## image: your-image + ## imagePullPolicy: Always + ## ports: + ## - name: portname + ## containerPort: 1234 + ## + sidecars: [] + ## @param readReplicas.initContainers Add additional init containers to the PostgreSQL read only pod(s) + ## Example + ## + ## initContainers: + ## - name: do-something + ## image: busybox + ## command: ['do', 'something'] + ## + initContainers: [] + ## @param readReplicas.extraPodSpec Optionally specify extra PodSpec for the PostgreSQL read only pod(s) + ## + extraPodSpec: {} + ## PostgreSQL read only service configuration + ## + service: + ## @param readReplicas.service.type Kubernetes Service type + ## + type: ClusterIP + ## @param readReplicas.service.ports.postgresql PostgreSQL service port + ## + ports: + postgresql: 5432 + ## Node ports to expose + ## NOTE: choose port between <30000-32767> + ## @param readReplicas.service.nodePorts.postgresql Node port for PostgreSQL + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#type-nodeport + ## + nodePorts: + postgresql: "" + ## @param readReplicas.service.clusterIP Static clusterIP or None for headless services + ## e.g: + ## clusterIP: None + ## + clusterIP: "" + ## @param readReplicas.service.annotations Annotations for PostgreSQL read only service + ## + annotations: {} + ## @param readReplicas.service.loadBalancerIP Load balancer IP if service type is `LoadBalancer` + ## Set the LoadBalancer service type to internal only + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#internal-load-balancer + ## + loadBalancerIP: "" + ## @param readReplicas.service.externalTrafficPolicy Enable client source IP preservation + ## ref https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip + ## + externalTrafficPolicy: Cluster + ## @param readReplicas.service.loadBalancerSourceRanges Addresses that are allowed when service is LoadBalancer + ## https://kubernetes.io/docs/tasks/access-application-cluster/configure-cloud-provider-firewall/#restrict-access-for-loadbalancer-service + ## + ## loadBalancerSourceRanges: + ## - 10.10.10.0/24 + ## + loadBalancerSourceRanges: [] + ## @param readReplicas.service.extraPorts Extra ports to expose in the PostgreSQL read only service + ## + extraPorts: [] + ## @param readReplicas.service.sessionAffinity Session Affinity for Kubernetes service, can be "None" or "ClientIP" + ## If "ClientIP", consecutive client requests will be directed to the same Pod + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#virtual-ips-and-service-proxies + ## + sessionAffinity: None + ## @param readReplicas.service.sessionAffinityConfig Additional settings for the sessionAffinity + ## sessionAffinityConfig: + ## clientIP: + ## timeoutSeconds: 300 + ## + sessionAffinityConfig: {} + ## PostgreSQL read only persistence configuration + ## + persistence: + ## @param readReplicas.persistence.enabled Enable PostgreSQL read only data persistence using PVC + ## + enabled: true + ## @param readReplicas.persistence.existingClaim Name of an existing PVC to use + ## + existingClaim: "" + ## @param readReplicas.persistence.mountPath The path the volume will be mounted at + ## Note: useful when using custom PostgreSQL images + ## + mountPath: /bitnami/postgresql + ## @param readReplicas.persistence.subPath The subdirectory of the volume to mount to + ## Useful in dev environments and one PV for multiple services + ## + subPath: "" + ## @param readReplicas.persistence.storageClass PVC Storage Class for PostgreSQL read only data volume + ## If defined, storageClassName: + ## If set to "-", storageClassName: "", which disables dynamic provisioning + ## If undefined (the default) or set to null, no storageClassName spec is + ## set, choosing the default provisioner. (gp2 on AWS, standard on + ## GKE, AWS & OpenStack) + ## + storageClass: "" + ## @param readReplicas.persistence.accessModes PVC Access Mode for PostgreSQL volume + ## + accessModes: + - ReadWriteOnce + ## @param readReplicas.persistence.size PVC Storage Request for PostgreSQL volume + ## + size: 8Gi + ## @param readReplicas.persistence.annotations Annotations for the PVC + ## + annotations: {} + ## @param readReplicas.persistence.labels Labels for the PVC + ## + labels: {} + ## @param readReplicas.persistence.selector Selector to match an existing Persistent Volume (this value is evaluated as a template) + ## selector: + ## matchLabels: + ## app: my-app + ## + selector: {} + ## @param readReplicas.persistence.dataSource Custom PVC data source + ## + dataSource: {} + +## @section NetworkPolicy parameters + +## Add networkpolicies +## +networkPolicy: + ## @param networkPolicy.enabled Enable network policies + ## + enabled: false + ## @param networkPolicy.metrics.enabled Enable network policies for metrics (prometheus) + ## @param networkPolicy.metrics.namespaceSelector [object] Monitoring namespace selector labels. These labels will be used to identify the prometheus' namespace. + ## @param networkPolicy.metrics.podSelector [object] Monitoring pod selector labels. These labels will be used to identify the Prometheus pods. + ## + metrics: + enabled: false + ## e.g: + ## namespaceSelector: + ## label: monitoring + ## + namespaceSelector: {} + ## e.g: + ## podSelector: + ## label: monitoring + ## + podSelector: {} + ## Ingress Rules + ## + ingressRules: + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL primary node only accessible from a particular origin. + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed namespace(s). + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL primary node. This label will be used to identified the allowed pod(s). + ## @param networkPolicy.ingressRules.primaryAccessOnlyFrom.customRules [object] Custom network policy for the PostgreSQL primary node. + ## + primaryAccessOnlyFrom: + enabled: false + ## e.g: + ## namespaceSelector: + ## label: ingress + ## + namespaceSelector: {} + ## e.g: + ## podSelector: + ## label: access + ## + podSelector: {} + ## custom ingress rules + ## e.g: + ## customRules: + ## - from: + ## - namespaceSelector: + ## matchLabels: + ## label: example + customRules: {} + ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.enabled Enable ingress rule that makes PostgreSQL read-only nodes only accessible from a particular origin. + ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.namespaceSelector [object] Namespace selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed namespace(s). + ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.podSelector [object] Pods selector label that is allowed to access the PostgreSQL read-only nodes. This label will be used to identified the allowed pod(s). + ## @param networkPolicy.ingressRules.readReplicasAccessOnlyFrom.customRules [object] Custom network policy for the PostgreSQL read-only nodes. + ## + readReplicasAccessOnlyFrom: + enabled: false + ## e.g: + ## namespaceSelector: + ## label: ingress + ## + namespaceSelector: {} + ## e.g: + ## podSelector: + ## label: access + ## + podSelector: {} + ## custom ingress rules + ## e.g: + ## CustomRules: + ## - from: + ## - namespaceSelector: + ## matchLabels: + ## label: example + customRules: {} + ## @param networkPolicy.egressRules.denyConnectionsToExternal Enable egress rule that denies outgoing traffic outside the cluster, except for DNS (port 53). + ## @param networkPolicy.egressRules.customRules [object] Custom network policy rule + ## + egressRules: + # Deny connections to external. This is not compatible with an external database. + denyConnectionsToExternal: false + ## Additional custom egress rules + ## e.g: + ## customRules: + ## - to: + ## - namespaceSelector: + ## matchLabels: + ## label: example + customRules: {} + +## @section Volume Permissions parameters + +## Init containers parameters: +## volumePermissions: Change the owner and group of the persistent volume(s) mountpoint(s) to 'runAsUser:fsGroup' on each node +## +volumePermissions: + ## @param volumePermissions.enabled Enable init container that changes the owner and group of the persistent volume + ## + enabled: false + ## @param volumePermissions.image.registry Init container volume-permissions image registry + ## @param volumePermissions.image.repository Init container volume-permissions image repository + ## @param volumePermissions.image.tag Init container volume-permissions image tag (immutable tags are recommended) + ## @param volumePermissions.image.digest Init container volume-permissions image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param volumePermissions.image.pullPolicy Init container volume-permissions image pull policy + ## @param volumePermissions.image.pullSecrets Init container volume-permissions image pull secrets + ## + image: + registry: docker.io + repository: bitnami/bitnami-shell + tag: 11-debian-11-r45 + digest: "" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## Init container resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param volumePermissions.resources.limits Init container volume-permissions resource limits + ## @param volumePermissions.resources.requests Init container volume-permissions resource requests + ## + resources: + limits: {} + requests: {} + ## Init container' Security Context + ## Note: the chown of the data folder is done to containerSecurityContext.runAsUser + ## and not the below volumePermissions.containerSecurityContext.runAsUser + ## @param volumePermissions.containerSecurityContext.runAsUser User ID for the init container + ## + containerSecurityContext: + runAsUser: 0 + +## @section Other Parameters + +## Service account for PostgreSQL to use. +## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ +## +serviceAccount: + ## @param serviceAccount.create Enable creation of ServiceAccount for PostgreSQL pod + ## + create: false + ## @param serviceAccount.name The name of the ServiceAccount to use. + ## If not set and create is true, a name is generated using the common.names.fullname template + ## + name: "" + ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created + ## Can be set to false if pods using this serviceAccount do not need to use K8s API + ## + automountServiceAccountToken: true + ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount + ## + annotations: {} +## Creates role for ServiceAccount +## @param rbac.create Create Role and RoleBinding (required for PSP to work) +## +rbac: + create: false + ## @param rbac.rules Custom RBAC rules to set + ## e.g: + ## rules: + ## - apiGroups: + ## - "" + ## resources: + ## - pods + ## verbs: + ## - get + ## - list + ## + rules: [] +## Pod Security Policy +## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/ +## @param psp.create Whether to create a PodSecurityPolicy. WARNING: PodSecurityPolicy is deprecated in Kubernetes v1.21 or later, unavailable in v1.25 or later +## +psp: + create: false + +## @section Metrics Parameters + +metrics: + ## @param metrics.enabled Start a prometheus exporter + ## + enabled: false + ## @param metrics.image.registry PostgreSQL Prometheus Exporter image registry + ## @param metrics.image.repository PostgreSQL Prometheus Exporter image repository + ## @param metrics.image.tag PostgreSQL Prometheus Exporter image tag (immutable tags are recommended) + ## @param metrics.image.digest PostgreSQL image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag + ## @param metrics.image.pullPolicy PostgreSQL Prometheus Exporter image pull policy + ## @param metrics.image.pullSecrets Specify image pull secrets + ## + image: + registry: docker.io + repository: bitnami/postgres-exporter + tag: 0.11.1-debian-11-r22 + digest: "" + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## Example: + ## pullSecrets: + ## - myRegistryKeySecretName + ## + pullSecrets: [] + ## @param metrics.customMetrics Define additional custom metrics + ## ref: https://github.com/wrouesnel/postgres_exporter#adding-new-metrics-via-a-config-file + ## customMetrics: + ## pg_database: + ## query: "SELECT d.datname AS name, CASE WHEN pg_catalog.has_database_privilege(d.datname, 'CONNECT') THEN pg_catalog.pg_database_size(d.datname) ELSE 0 END AS size_bytes FROM pg_catalog.pg_database d where datname not in ('template0', 'template1', 'postgres')" + ## metrics: + ## - name: + ## usage: "LABEL" + ## description: "Name of the database" + ## - size_bytes: + ## usage: "GAUGE" + ## description: "Size of the database in bytes" + ## + customMetrics: {} + ## @param metrics.extraEnvVars Extra environment variables to add to PostgreSQL Prometheus exporter + ## see: https://github.com/wrouesnel/postgres_exporter#environment-variables + ## For example: + ## extraEnvVars: + ## - name: PG_EXPORTER_DISABLE_DEFAULT_METRICS + ## value: "true" + ## + extraEnvVars: [] + ## PostgreSQL Prometheus exporter containers' Security Context + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container + ## @param metrics.containerSecurityContext.enabled Enable PostgreSQL Prometheus exporter containers' Security Context + ## @param metrics.containerSecurityContext.runAsUser Set PostgreSQL Prometheus exporter containers' Security Context runAsUser + ## @param metrics.containerSecurityContext.runAsNonRoot Set PostgreSQL Prometheus exporter containers' Security Context runAsNonRoot + ## + containerSecurityContext: + enabled: true + runAsUser: 1001 + runAsNonRoot: true + ## Configure extra options for PostgreSQL Prometheus exporter containers' liveness, readiness and startup probes + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#configure-probes + ## @param metrics.livenessProbe.enabled Enable livenessProbe on PostgreSQL Prometheus exporter containers + ## @param metrics.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe + ## @param metrics.livenessProbe.periodSeconds Period seconds for livenessProbe + ## @param metrics.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe + ## @param metrics.livenessProbe.failureThreshold Failure threshold for livenessProbe + ## @param metrics.livenessProbe.successThreshold Success threshold for livenessProbe + ## + livenessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param metrics.readinessProbe.enabled Enable readinessProbe on PostgreSQL Prometheus exporter containers + ## @param metrics.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe + ## @param metrics.readinessProbe.periodSeconds Period seconds for readinessProbe + ## @param metrics.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe + ## @param metrics.readinessProbe.failureThreshold Failure threshold for readinessProbe + ## @param metrics.readinessProbe.successThreshold Success threshold for readinessProbe + ## + readinessProbe: + enabled: true + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + successThreshold: 1 + ## @param metrics.startupProbe.enabled Enable startupProbe on PostgreSQL Prometheus exporter containers + ## @param metrics.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe + ## @param metrics.startupProbe.periodSeconds Period seconds for startupProbe + ## @param metrics.startupProbe.timeoutSeconds Timeout seconds for startupProbe + ## @param metrics.startupProbe.failureThreshold Failure threshold for startupProbe + ## @param metrics.startupProbe.successThreshold Success threshold for startupProbe + ## + startupProbe: + enabled: false + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 15 + successThreshold: 1 + ## @param metrics.customLivenessProbe Custom livenessProbe that overrides the default one + ## + customLivenessProbe: {} + ## @param metrics.customReadinessProbe Custom readinessProbe that overrides the default one + ## + customReadinessProbe: {} + ## @param metrics.customStartupProbe Custom startupProbe that overrides the default one + ## + customStartupProbe: {} + ## @param metrics.containerPorts.metrics PostgreSQL Prometheus exporter metrics container port + ## + containerPorts: + metrics: 9187 + ## PostgreSQL Prometheus exporter resource requests and limits + ## ref: https://kubernetes.io/docs/user-guide/compute-resources/ + ## @param metrics.resources.limits The resources limits for the PostgreSQL Prometheus exporter container + ## @param metrics.resources.requests The requested resources for the PostgreSQL Prometheus exporter container + ## + resources: + limits: {} + requests: {} + ## Service configuration + ## + service: + ## @param metrics.service.ports.metrics PostgreSQL Prometheus Exporter service port + ## + ports: + metrics: 9187 + ## @param metrics.service.clusterIP Static clusterIP or None for headless services + ## ref: https://kubernetes.io/docs/concepts/services-networking/service/#choosing-your-own-ip-address + ## + clusterIP: "" + ## @param metrics.service.sessionAffinity Control where client requests go, to the same pod or round-robin + ## Values: ClientIP or None + ## ref: https://kubernetes.io/docs/user-guide/services/ + ## + sessionAffinity: None + ## @param metrics.service.annotations [object] Annotations for Prometheus to auto-discover the metrics endpoint + ## + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "{{ .Values.metrics.service.ports.metrics }}" + ## Prometheus Operator ServiceMonitor configuration + ## + serviceMonitor: + ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using Prometheus Operator + ## + enabled: false + ## @param metrics.serviceMonitor.namespace Namespace for the ServiceMonitor Resource (defaults to the Release Namespace) + ## + namespace: "" + ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped. + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + interval: "" + ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended + ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint + ## + scrapeTimeout: "" + ## @param metrics.serviceMonitor.labels Additional labels that can be used so ServiceMonitor will be discovered by Prometheus + ## + labels: {} + ## @param metrics.serviceMonitor.selector Prometheus instance selector labels + ## ref: https://github.com/bitnami/charts/tree/main/bitnami/prometheus-operator#prometheus-configuration + ## + selector: {} + ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping + ## + relabelings: [] + ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion + ## + metricRelabelings: [] + ## @param metrics.serviceMonitor.honorLabels Specify honorLabels parameter to add the scrape endpoint + ## + honorLabels: false + ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus. + ## + jobLabel: "" + ## Custom PrometheusRule to be defined + ## The value is evaluated as a template, so, for example, the value can depend on .Release or .Chart + ## ref: https://github.com/coreos/prometheus-operator#customresourcedefinitions + ## + prometheusRule: + ## @param metrics.prometheusRule.enabled Create a PrometheusRule for Prometheus Operator + ## + enabled: false + ## @param metrics.prometheusRule.namespace Namespace for the PrometheusRule Resource (defaults to the Release Namespace) + ## + namespace: "" + ## @param metrics.prometheusRule.labels Additional labels that can be used so PrometheusRule will be discovered by Prometheus + ## + labels: {} + ## @param metrics.prometheusRule.rules PrometheusRule definitions + ## Make sure to constraint the rules to the current postgresql service. + ## rules: + ## - alert: HugeReplicationLag + ## expr: pg_replication_lag{service="{{ printf "%s-metrics" (include "common.names.fullname" .) }}"} / 3600 > 1 + ## for: 1m + ## labels: + ## severity: critical + ## annotations: + ## description: replication for {{ include "common.names.fullname" . }} PostgreSQL is lagging by {{ "{{ $value }}" }} hour(s). + ## summary: PostgreSQL replication is lagging by {{ "{{ $value }}" }} hour(s). + ## + rules: [] diff --git a/charts/kong/kong/2.41.0/crds/custom-resource-definitions.yaml b/charts/kong/kong/2.41.0/crds/custom-resource-definitions.yaml new file mode 100644 index 000000000..28bc3f2fc --- /dev/null +++ b/charts/kong/kong/2.41.0/crds/custom-resource-definitions.yaml @@ -0,0 +1,2974 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: ingressclassparameterses.configuration.konghq.com +spec: + group: configuration.konghq.com + names: + kind: IngressClassParameters + listKind: IngressClassParametersList + plural: ingressclassparameterses + singular: ingressclassparameters + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: IngressClassParameters is the Schema for the IngressClassParameters + API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the IngressClassParameters specification. + properties: + enableLegacyRegexDetection: + default: false + description: |- + EnableLegacyRegexDetection automatically detects if ImplementationSpecific Ingress paths are regular expression + paths using the legacy 2.x heuristic. The controller adds the "~" prefix to those paths if the Kong version is + 3.0 or higher. + type: boolean + serviceUpstream: + default: false + description: Offload load-balancing to kube-proxy or sidecar. + type: boolean + type: object + type: object + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: kongclusterplugins.configuration.konghq.com +spec: + group: configuration.konghq.com + names: + categories: + - kong-ingress-controller + kind: KongClusterPlugin + listKind: KongClusterPluginList + plural: kongclusterplugins + shortNames: + - kcp + singular: kongclusterplugin + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Name of the plugin + jsonPath: .plugin + name: Plugin-Type + type: string + - description: Age + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Indicates if the plugin is disabled + jsonPath: .disabled + name: Disabled + priority: 1 + type: boolean + - description: Configuration of the plugin + jsonPath: .config + name: Config + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + name: v1 + schema: + openAPIV3Schema: + description: KongClusterPlugin is the Schema for the kongclusterplugins API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + config: + description: |- + Config contains the plugin configuration. It's a list of keys and values + required to configure the plugin. + Please read the documentation of the plugin being configured to set values + in here. For any plugin in Kong, anything that goes in the `config` JSON + key in the Admin API request, goes into this property. + Only one of `config` or `configFrom` may be used in a KongClusterPlugin, not both at once. + type: object + x-kubernetes-preserve-unknown-fields: true + configFrom: + description: |- + ConfigFrom references a secret containing the plugin configuration. + This should be used when the plugin configuration contains sensitive information, + such as AWS credentials in the Lambda plugin or the client secret in the OIDC plugin. + Only one of `config` or `configFrom` may be used in a KongClusterPlugin, not both at once. + properties: + secretKeyRef: + description: Specifies a name, a namespace, and a key of a secret + to refer to. + properties: + key: + description: The key containing the value. + type: string + name: + description: The secret containing the key. + type: string + namespace: + description: The namespace containing the secret. + type: string + required: + - key + - name + - namespace + type: object + required: + - secretKeyRef + type: object + configPatches: + description: |- + ConfigPatches represents JSON patches to the configuration of the plugin. + Each item means a JSON patch to add something in the configuration, + where path is specified in `path` and value is in `valueFrom` referencing + a key in a secret. + When Config is specified, patches will be applied to the configuration in Config. + Otherwise, patches will be applied to an empty object. + items: + description: |- + NamespacedConfigPatch is a JSON patch to add values from secrets to KongClusterPlugin + to the generated configuration of plugin in Kong. + properties: + path: + description: Path is the JSON path to add the patch. + type: string + valueFrom: + description: ValueFrom is the reference to a key of a secret where + the patched value comes from. + properties: + secretKeyRef: + description: Specifies a name, a namespace, and a key of a secret + to refer to. + properties: + key: + description: The key containing the value. + type: string + name: + description: The secret containing the key. + type: string + namespace: + description: The namespace containing the secret. + type: string + required: + - key + - name + - namespace + type: object + required: + - secretKeyRef + type: object + required: + - path + - valueFrom + type: object + type: array + consumerRef: + description: ConsumerRef is a reference to a particular consumer. + type: string + disabled: + description: Disabled set if the plugin is disabled or not. + type: boolean + instance_name: + description: |- + InstanceName is an optional custom name to identify an instance of the plugin. This is useful when running the + same plugin in multiple contexts, for example, on multiple services. + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + ordering: + description: |- + Ordering overrides the normal plugin execution order. It's only available on Kong Enterprise. + `` is a request processing phase (for example, `access` or `body_filter`) and + `` is the name of the plugin that will run before or after the KongPlugin. + For example, a KongPlugin with `plugin: rate-limiting` and `before.access: ["key-auth"]` + will create a rate limiting plugin that limits requests _before_ they are authenticated. + properties: + after: + additionalProperties: + items: + type: string + type: array + description: PluginOrderingPhase indicates which plugins in a phase + should affect the target plugin's order + type: object + before: + additionalProperties: + items: + type: string + type: array + description: PluginOrderingPhase indicates which plugins in a phase + should affect the target plugin's order + type: object + type: object + plugin: + description: PluginName is the name of the plugin to which to apply the + config. + type: string + protocols: + description: |- + Protocols configures plugin to run on requests received on specific + protocols. + items: + description: |- + KongProtocol is a valid Kong protocol. + This alias is necessary to deal with https://github.com/kubernetes-sigs/controller-tools/issues/342 + enum: + - http + - https + - grpc + - grpcs + - tcp + - tls + - udp + type: string + type: array + run_on: + description: |- + RunOn configures the plugin to run on the first or the second or both + nodes in case of a service mesh deployment. + enum: + - first + - second + - all + type: string + status: + description: Status represents the current status of the KongClusterPlugin + resource. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: |- + Conditions describe the current conditions of the KongClusterPluginStatus. + + Known condition types are: + + * "Programmed" + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - plugin + type: object + x-kubernetes-validations: + - message: Using both config and configFrom fields is not allowed. + rule: '!(has(self.config) && has(self.configFrom))' + - message: Using both configFrom and configPatches fields is not allowed. + rule: '!(has(self.configFrom) && has(self.configPatches))' + - message: The plugin field is immutable + rule: self.plugin == oldSelf.plugin + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: kongconsumergroups.configuration.konghq.com +spec: + group: configuration.konghq.com + names: + categories: + - kong-ingress-controller + kind: KongConsumerGroup + listKind: KongConsumerGroupList + plural: kongconsumergroups + shortNames: + - kcg + singular: kongconsumergroup + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Age + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + name: v1beta1 + schema: + openAPIV3Schema: + description: KongConsumerGroup is the Schema for the kongconsumergroups API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + status: + description: Status represents the current status of the KongConsumerGroup + resource. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: |- + Conditions describe the current conditions of the KongConsumerGroup. + + Known condition types are: + + * "Programmed" + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: kongconsumers.configuration.konghq.com +spec: + group: configuration.konghq.com + names: + categories: + - kong-ingress-controller + kind: KongConsumer + listKind: KongConsumerList + plural: kongconsumers + shortNames: + - kc + singular: kongconsumer + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Username of a Kong Consumer + jsonPath: .username + name: Username + type: string + - description: Age + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + name: v1 + schema: + openAPIV3Schema: + description: KongConsumer is the Schema for the kongconsumers API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + consumerGroups: + description: |- + ConsumerGroups are references to consumer groups (that consumer wants to be part of) + provisioned in Kong. + items: + type: string + type: array + x-kubernetes-list-type: set + credentials: + description: |- + Credentials are references to secrets containing a credential to be + provisioned in Kong. + items: + type: string + type: array + x-kubernetes-list-type: set + custom_id: + description: |- + CustomID is a Kong cluster-unique existing ID for the consumer - useful for mapping + Kong with users in your existing database. + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + status: + description: Status represents the current status of the KongConsumer + resource. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: |- + Conditions describe the current conditions of the KongConsumer. + + Known condition types are: + + * "Programmed" + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + username: + description: Username is a Kong cluster-unique username of the consumer. + type: string + type: object + x-kubernetes-validations: + - message: Need to provide either username or custom_id + rule: has(self.username) || has(self.custom_id) + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: kongcustomentities.configuration.konghq.com +spec: + group: configuration.konghq.com + names: + categories: + - kong-ingress-controller + kind: KongCustomEntity + listKind: KongCustomEntityList + plural: kongcustomentities + shortNames: + - kce + singular: kongcustomentity + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: type of the Kong entity + jsonPath: .spec.type + name: Entity Type + type: string + - description: Age + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: KongCustomEntity defines a "custom" Kong entity that KIC cannot + support the entity type directly. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + properties: + controllerName: + description: ControllerName specifies the controller that should reconcile + it, like ingress class. + type: string + fields: + description: Fields defines the fields of the Kong entity itself. + x-kubernetes-preserve-unknown-fields: true + parentRef: + description: |- + ParentRef references the kubernetes resource it attached to when its scope is "attached". + Currently only KongPlugin/KongClusterPlugin allowed. This will make the custom entity to be attached + to the entity(service/route/consumer) where the plugin is attached. + properties: + group: + type: string + kind: + type: string + name: + type: string + namespace: + description: Empty namespace means the same namespace of the owning + object. + type: string + required: + - name + type: object + type: + description: EntityType is the type of the Kong entity. The type is + used in generating declarative configuration. + type: string + required: + - controllerName + - fields + - type + type: object + status: + description: Status stores the reconciling status of the resource. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: |- + Conditions describe the current conditions of the KongCustomEntityStatus. + + Known condition types are: + + * "Programmed" + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + required: + - conditions + type: object + required: + - spec + type: object + x-kubernetes-validations: + - message: The spec.type field is immutable + rule: self.spec.type == oldSelf.spec.type + - message: The spec.type field cannot be known Kong entity types + rule: '!(self.spec.type in [''services'',''routes'',''upstreams'',''targets'',''plugins'',''consumers'',''consumer_groups''])' + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: kongingresses.configuration.konghq.com +spec: + group: configuration.konghq.com + names: + categories: + - kong-ingress-controller + kind: KongIngress + listKind: KongIngressList + plural: kongingresses + shortNames: + - ki + singular: kongingress + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: KongIngress is the Schema for the kongingresses API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + proxy: + description: |- + Proxy defines additional connection options for the routes to be configured in the + Kong Gateway, e.g. `connection_timeout`, `retries`, etc. + properties: + connect_timeout: + description: "The timeout in milliseconds for\testablishing a connection + to the upstream server.\nDeprecated: use Service's \"konghq.com/connect-timeout\" + annotation instead." + minimum: 0 + type: integer + path: + description: |- + (optional) The path to be used in requests to the upstream server. + Deprecated: use Service's "konghq.com/path" annotation instead. + pattern: ^/.*$ + type: string + protocol: + description: |- + The protocol used to communicate with the upstream. + Deprecated: use Service's "konghq.com/protocol" annotation instead. + enum: + - http + - https + - grpc + - grpcs + - tcp + - tls + - udp + type: string + read_timeout: + description: |- + The timeout in milliseconds between two successive read operations + for transmitting a request to the upstream server. + Deprecated: use Service's "konghq.com/read-timeout" annotation instead. + minimum: 0 + type: integer + retries: + description: |- + The number of retries to execute upon failure to proxy. + Deprecated: use Service's "konghq.com/retries" annotation instead. + minimum: 0 + type: integer + write_timeout: + description: |- + The timeout in milliseconds between two successive write operations + for transmitting a request to the upstream server. + Deprecated: use Service's "konghq.com/write-timeout" annotation instead. + minimum: 0 + type: integer + type: object + route: + description: |- + Route define rules to match client requests. + Each Route is associated with a Service, + and a Service may have multiple Routes associated to it. + properties: + headers: + additionalProperties: + items: + type: string + type: array + description: |- + Headers contains one or more lists of values indexed by header name + that will cause this Route to match if present in the request. + The Host header cannot be used with this attribute. + Deprecated: use Ingress' "konghq.com/headers" annotation instead. + type: object + https_redirect_status_code: + description: |- + HTTPSRedirectStatusCode is the status code Kong responds with + when all properties of a Route match except the protocol. + Deprecated: use Ingress' "ingress.kubernetes.io/force-ssl-redirect" or + "konghq.com/https-redirect-status-code" annotations instead. + type: integer + methods: + description: |- + Methods is a list of HTTP methods that match this Route. + Deprecated: use Ingress' "konghq.com/methods" annotation instead. + items: + type: string + type: array + path_handling: + description: |- + PathHandling controls how the Service path, Route path and requested path + are combined when sending a request to the upstream. + Deprecated: use Ingress' "konghq.com/path-handling" annotation instead. + enum: + - v0 + - v1 + type: string + preserve_host: + description: |- + PreserveHost sets When matching a Route via one of the hosts domain names, + use the request Host header in the upstream request headers. + If set to false, the upstream Host header will be that of the Service’s host. + Deprecated: use Ingress' "konghq.com/preserve-host" annotation instead. + type: boolean + protocols: + description: |- + Protocols is an array of the protocols this Route should allow. + Deprecated: use Ingress' "konghq.com/protocols" annotation instead. + items: + description: |- + KongProtocol is a valid Kong protocol. + This alias is necessary to deal with https://github.com/kubernetes-sigs/controller-tools/issues/342 + enum: + - http + - https + - grpc + - grpcs + - tcp + - tls + - udp + type: string + type: array + regex_priority: + description: |- + RegexPriority is a number used to choose which route resolves a given request + when several routes match it using regexes simultaneously. + Deprecated: use Ingress' "konghq.com/regex-priority" annotation instead. + type: integer + request_buffering: + description: |- + RequestBuffering sets whether to enable request body buffering or not. + Deprecated: use Ingress' "konghq.com/request-buffering" annotation instead. + type: boolean + response_buffering: + description: |- + ResponseBuffering sets whether to enable response body buffering or not. + Deprecated: use Ingress' "konghq.com/response-buffering" annotation instead. + type: boolean + snis: + description: |- + SNIs is a list of SNIs that match this Route when using stream routing. + Deprecated: use Ingress' "konghq.com/snis" annotation instead. + items: + type: string + type: array + strip_path: + description: |- + StripPath sets When matching a Route via one of the paths + strip the matching prefix from the upstream request URL. + Deprecated: use Ingress' "konghq.com/strip-path" annotation instead. + type: boolean + type: object + upstream: + description: |- + Upstream represents a virtual hostname and can be used to loadbalance + incoming requests over multiple targets (e.g. Kubernetes `Services` can + be a target, OR `Endpoints` can be targets). + properties: + algorithm: + description: |- + Algorithm is the load balancing algorithm to use. + Accepted values are: "round-robin", "consistent-hashing", "least-connections", "latency". + enum: + - round-robin + - consistent-hashing + - least-connections + - latency + type: string + hash_fallback: + description: |- + HashFallback defines What to use as hashing input + if the primary hash_on does not return a hash. + Accepted values are: "none", "consumer", "ip", "header", "cookie". + type: string + hash_fallback_header: + description: |- + HashFallbackHeader is the header name to take the value from as hash input. + Only required when "hash_fallback" is set to "header". + type: string + hash_fallback_query_arg: + description: HashFallbackQueryArg is the "hash_fallback" version of + HashOnQueryArg. + type: string + hash_fallback_uri_capture: + description: HashFallbackURICapture is the "hash_fallback" version + of HashOnURICapture. + type: string + hash_on: + description: |- + HashOn defines what to use as hashing input. + Accepted values are: "none", "consumer", "ip", "header", "cookie", "path", "query_arg", "uri_capture". + type: string + hash_on_cookie: + description: |- + The cookie name to take the value from as hash input. + Only required when "hash_on" or "hash_fallback" is set to "cookie". + type: string + hash_on_cookie_path: + description: |- + The cookie path to set in the response headers. + Only required when "hash_on" or "hash_fallback" is set to "cookie". + type: string + hash_on_header: + description: |- + HashOnHeader defines the header name to take the value from as hash input. + Only required when "hash_on" is set to "header". + type: string + hash_on_query_arg: + description: HashOnQueryArg is the query string parameter whose value + is the hash input when "hash_on" is set to "query_arg". + type: string + hash_on_uri_capture: + description: |- + HashOnURICapture is the name of the capture group whose value is the hash input when "hash_on" is set to + "uri_capture". + type: string + healthchecks: + description: Healthchecks defines the health check configurations + in Kong. + properties: + active: + description: ActiveHealthcheck configures active health check + probing. + properties: + concurrency: + minimum: 1 + type: integer + headers: + additionalProperties: + items: + type: string + type: array + type: object + healthy: + description: |- + Healthy configures thresholds and HTTP status codes + to mark targets healthy for an upstream. + properties: + http_statuses: + items: + type: integer + type: array + interval: + minimum: 0 + type: integer + successes: + minimum: 0 + type: integer + type: object + http_path: + pattern: ^/.*$ + type: string + https_sni: + type: string + https_verify_certificate: + type: boolean + timeout: + minimum: 0 + type: integer + type: + type: string + unhealthy: + description: |- + Unhealthy configures thresholds and HTTP status codes + to mark targets unhealthy. + properties: + http_failures: + minimum: 0 + type: integer + http_statuses: + items: + type: integer + type: array + interval: + minimum: 0 + type: integer + tcp_failures: + minimum: 0 + type: integer + timeouts: + minimum: 0 + type: integer + type: object + type: object + passive: + description: |- + PassiveHealthcheck configures passive checks around + passive health checks. + properties: + healthy: + description: |- + Healthy configures thresholds and HTTP status codes + to mark targets healthy for an upstream. + properties: + http_statuses: + items: + type: integer + type: array + interval: + minimum: 0 + type: integer + successes: + minimum: 0 + type: integer + type: object + type: + type: string + unhealthy: + description: |- + Unhealthy configures thresholds and HTTP status codes + to mark targets unhealthy. + properties: + http_failures: + minimum: 0 + type: integer + http_statuses: + items: + type: integer + type: array + interval: + minimum: 0 + type: integer + tcp_failures: + minimum: 0 + type: integer + timeouts: + minimum: 0 + type: integer + type: object + type: object + threshold: + type: number + type: object + host_header: + description: |- + HostHeader is The hostname to be used as Host header + when proxying requests through Kong. + type: string + slots: + description: Slots is the number of slots in the load balancer algorithm. + minimum: 10 + type: integer + type: object + type: object + x-kubernetes-validations: + - message: '''proxy'' field is no longer supported, use Service''s annotations + instead' + rule: '!has(self.proxy)' + - message: '''route'' field is no longer supported, use Ingress'' annotations + instead' + rule: '!has(self.route)' + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: konglicenses.configuration.konghq.com +spec: + group: configuration.konghq.com + names: + categories: + - kong-ingress-controller + kind: KongLicense + listKind: KongLicenseList + plural: konglicenses + shortNames: + - kl + singular: konglicense + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Age + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Enabled to configure on Kong gateway instances + jsonPath: .enabled + name: Enabled + type: boolean + name: v1alpha1 + schema: + openAPIV3Schema: + description: KongLicense stores a Kong enterprise license to apply to managed + Kong gateway instances. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + enabled: + default: true + description: |- + Enabled is set to true to let controllers (like KIC or KGO) to reconcile it. + Default value is true to apply the license by default. + type: boolean + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + rawLicenseString: + description: RawLicenseString is a string with the raw content of the + license. + type: string + status: + description: Status is the status of the KongLicense being processed by + controllers. + properties: + controllers: + items: + description: |- + KongLicenseControllerStatus is the status of owning KongLicense being processed + identified by the controllerName field. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: Conditions describe the current conditions of the + KongLicense on the controller. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is an identifier of the controller to reconcile this KongLicense. + Should be unique in the list of controller statuses. + type: string + controllerRef: + description: |- + ControllerRef is the reference of the controller to reconcile this KongLicense. + It is usually the name of (KIC/KGO) pod that reconciles it. + properties: + group: + description: |- + Group is the group of referent. + It should be empty if the referent is in "core" group (like pod). + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: |- + Kind is the kind of the referent. + By default the nil kind means kind Pod. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. + It should be empty if the referent is cluster scoped. + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + required: + - name + type: object + required: + - controllerName + type: object + type: array + x-kubernetes-list-map-keys: + - controllerName + x-kubernetes-list-type: map + type: object + required: + - enabled + - rawLicenseString + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: kongplugins.configuration.konghq.com +spec: + group: configuration.konghq.com + names: + categories: + - kong-ingress-controller + kind: KongPlugin + listKind: KongPluginList + plural: kongplugins + shortNames: + - kp + singular: kongplugin + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Name of the plugin + jsonPath: .plugin + name: Plugin-Type + type: string + - description: Age + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Indicates if the plugin is disabled + jsonPath: .disabled + name: Disabled + priority: 1 + type: boolean + - description: Configuration of the plugin + jsonPath: .config + name: Config + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + name: v1 + schema: + openAPIV3Schema: + description: KongPlugin is the Schema for the kongplugins API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + config: + description: |- + Config contains the plugin configuration. It's a list of keys and values + required to configure the plugin. + Please read the documentation of the plugin being configured to set values + in here. For any plugin in Kong, anything that goes in the `config` JSON + key in the Admin API request, goes into this property. + Only one of `config` or `configFrom` may be used in a KongPlugin, not both at once. + type: object + x-kubernetes-preserve-unknown-fields: true + configFrom: + description: |- + ConfigFrom references a secret containing the plugin configuration. + This should be used when the plugin configuration contains sensitive information, + such as AWS credentials in the Lambda plugin or the client secret in the OIDC plugin. + Only one of `config` or `configFrom` may be used in a KongPlugin, not both at once. + properties: + secretKeyRef: + description: Specifies a name and a key of a secret to refer to. The + namespace is implicitly set to the one of referring object. + properties: + key: + description: The key containing the value. + type: string + name: + description: The secret containing the key. + type: string + required: + - key + - name + type: object + required: + - secretKeyRef + type: object + configPatches: + description: |- + ConfigPatches represents JSON patches to the configuration of the plugin. + Each item means a JSON patch to add something in the configuration, + where path is specified in `path` and value is in `valueFrom` referencing + a key in a secret. + When Config is specified, patches will be applied to the configuration in Config. + Otherwise, patches will be applied to an empty object. + items: + description: |- + ConfigPatch is a JSON patch (RFC6902) to add values from Secret to the generated configuration. + It is an equivalent of the following patch: + `{"op": "add", "path": {.Path}, "value": {.ComputedValueFrom}}`. + properties: + path: + description: Path is the JSON-Pointer value (RFC6901) that references + a location within the target configuration. + type: string + valueFrom: + description: ValueFrom is the reference to a key of a secret where + the patched value comes from. + properties: + secretKeyRef: + description: Specifies a name and a key of a secret to refer + to. The namespace is implicitly set to the one of referring + object. + properties: + key: + description: The key containing the value. + type: string + name: + description: The secret containing the key. + type: string + required: + - key + - name + type: object + required: + - secretKeyRef + type: object + required: + - path + - valueFrom + type: object + type: array + consumerRef: + description: ConsumerRef is a reference to a particular consumer. + type: string + disabled: + description: Disabled set if the plugin is disabled or not. + type: boolean + instance_name: + description: |- + InstanceName is an optional custom name to identify an instance of the plugin. This is useful when running the + same plugin in multiple contexts, for example, on multiple services. + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + ordering: + description: |- + Ordering overrides the normal plugin execution order. It's only available on Kong Enterprise. + `` is a request processing phase (for example, `access` or `body_filter`) and + `` is the name of the plugin that will run before or after the KongPlugin. + For example, a KongPlugin with `plugin: rate-limiting` and `before.access: ["key-auth"]` + will create a rate limiting plugin that limits requests _before_ they are authenticated. + properties: + after: + additionalProperties: + items: + type: string + type: array + description: PluginOrderingPhase indicates which plugins in a phase + should affect the target plugin's order + type: object + before: + additionalProperties: + items: + type: string + type: array + description: PluginOrderingPhase indicates which plugins in a phase + should affect the target plugin's order + type: object + type: object + plugin: + description: PluginName is the name of the plugin to which to apply the + config. + type: string + protocols: + description: |- + Protocols configures plugin to run on requests received on specific + protocols. + items: + description: |- + KongProtocol is a valid Kong protocol. + This alias is necessary to deal with https://github.com/kubernetes-sigs/controller-tools/issues/342 + enum: + - http + - https + - grpc + - grpcs + - tcp + - tls + - udp + type: string + type: array + run_on: + description: |- + RunOn configures the plugin to run on the first or the second or both + nodes in case of a service mesh deployment. + enum: + - first + - second + - all + type: string + status: + description: Status represents the current status of the KongPlugin resource. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: |- + Conditions describe the current conditions of the KongPluginStatus. + + Known condition types are: + + * "Programmed" + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + type: object + required: + - plugin + type: object + x-kubernetes-validations: + - message: Using both config and configFrom fields is not allowed. + rule: '!(has(self.config) && has(self.configFrom))' + - message: Using both configFrom and configPatches fields is not allowed. + rule: '!(has(self.configFrom) && has(self.configPatches))' + - message: The plugin field is immutable + rule: self.plugin == oldSelf.plugin + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + labels: + gateway.networking.k8s.io/policy: direct + name: kongupstreampolicies.configuration.konghq.com +spec: + group: configuration.konghq.com + names: + categories: + - kong-ingress-controller + kind: KongUpstreamPolicy + listKind: KongUpstreamPolicyList + plural: kongupstreampolicies + shortNames: + - kup + singular: kongupstreampolicy + scope: Namespaced + versions: + - name: v1beta1 + schema: + openAPIV3Schema: + description: |- + KongUpstreamPolicy allows configuring algorithm that should be used for load balancing traffic between Kong + Upstream's Targets. It also allows configuring health checks for Kong Upstream's Targets. + + Its configuration is similar to Kong Upstream object (https://docs.konghq.com/gateway/latest/admin-api/#upstream-object), + and it is applied to Kong Upstream objects created by the controller. + + It can be attached to Services. To attach it to a Service, it has to be annotated with + `konghq.com/upstream-policy: `, where `` is the name of the KongUpstreamPolicy + object in the same namespace as the Service. + + When attached to a Service, it will affect all Kong Upstreams created for the Service. + + When attached to a Service used in a Gateway API *Route rule with multiple BackendRefs, all of its Services MUST + be configured with the same KongUpstreamPolicy. Otherwise, the controller will *ignore* the KongUpstreamPolicy. + + Note: KongUpstreamPolicy doesn't implement Gateway API's GEP-713 strictly. + In particular, it doesn't use the TargetRef for attaching to Services and Gateway API *Routes - annotations are + used instead. This is to allow reusing the same KongUpstreamPolicy for multiple Services and Gateway API *Routes. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec contains the configuration of the Kong upstream. + properties: + algorithm: + description: |- + Algorithm is the load balancing algorithm to use. + Accepted values are: "round-robin", "consistent-hashing", "least-connections", "latency". + enum: + - round-robin + - consistent-hashing + - least-connections + - latency + type: string + hashOn: + description: |- + HashOn defines how to calculate hash for consistent-hashing load balancing algorithm. + Algorithm must be set to "consistent-hashing" for this field to have effect. + properties: + cookie: + description: Cookie is the name of the cookie to use as hash input. + type: string + cookiePath: + description: CookiePath is cookie path to set in the response + headers. + type: string + header: + description: Header is the name of the header to use as hash input. + type: string + input: + description: |- + Input allows using one of the predefined inputs (ip, consumer, path). + For other parametrized inputs, use one of the fields below. + enum: + - ip + - consumer + - path + type: string + queryArg: + description: QueryArg is the name of the query argument to use + as hash input. + type: string + uriCapture: + description: URICapture is the name of the URI capture group to + use as hash input. + type: string + type: object + hashOnFallback: + description: |- + HashOnFallback defines how to calculate hash for consistent-hashing load balancing algorithm if the primary hash + function fails. + Algorithm must be set to "consistent-hashing" for this field to have effect. + properties: + cookie: + description: Cookie is the name of the cookie to use as hash input. + type: string + cookiePath: + description: CookiePath is cookie path to set in the response + headers. + type: string + header: + description: Header is the name of the header to use as hash input. + type: string + input: + description: |- + Input allows using one of the predefined inputs (ip, consumer, path). + For other parametrized inputs, use one of the fields below. + enum: + - ip + - consumer + - path + type: string + queryArg: + description: QueryArg is the name of the query argument to use + as hash input. + type: string + uriCapture: + description: URICapture is the name of the URI capture group to + use as hash input. + type: string + type: object + healthchecks: + description: Healthchecks defines the health check configurations + in Kong. + properties: + active: + description: Active configures active health check probing. + properties: + concurrency: + description: Concurrency is the number of targets to check + concurrently. + minimum: 1 + type: integer + headers: + additionalProperties: + items: + type: string + type: array + description: Headers is a list of HTTP headers to add to the + probe request. + type: object + healthy: + description: Healthy configures thresholds and HTTP status + codes to mark targets healthy for an upstream. + properties: + httpStatuses: + description: HTTPStatuses is a list of HTTP status codes + that Kong considers a success. + items: + description: HTTPStatus is an HTTP status code. + maximum: 599 + minimum: 100 + type: integer + type: array + interval: + description: Interval is the interval between active health + checks for an upstream in seconds when in a healthy + state. + minimum: 0 + type: integer + successes: + description: Successes is the number of successes to consider + a target healthy. + minimum: 0 + type: integer + type: object + httpPath: + description: HTTPPath is the path to use in GET HTTP request + to run as a probe. + pattern: ^/.*$ + type: string + httpsSni: + description: HTTPSSNI is the SNI to use in GET HTTPS request + to run as a probe. + type: string + httpsVerifyCertificate: + description: HTTPSVerifyCertificate is a boolean value that + indicates if the certificate should be verified. + type: boolean + timeout: + description: Timeout is the probe timeout in seconds. + minimum: 0 + type: integer + type: + description: |- + Type determines whether to perform active health checks using HTTP or HTTPS, or just attempt a TCP connection. + Accepted values are "http", "https", "tcp", "grpc", "grpcs". + enum: + - http + - https + - tcp + - grpc + - grpcs + type: string + unhealthy: + description: Unhealthy configures thresholds and HTTP status + codes to mark targets unhealthy for an upstream. + properties: + httpFailures: + description: HTTPFailures is the number of failures to + consider a target unhealthy. + minimum: 0 + type: integer + httpStatuses: + description: HTTPStatuses is a list of HTTP status codes + that Kong considers a failure. + items: + description: HTTPStatus is an HTTP status code. + maximum: 599 + minimum: 100 + type: integer + type: array + interval: + description: Interval is the interval between active health + checks for an upstream in seconds when in an unhealthy + state. + minimum: 0 + type: integer + tcpFailures: + description: TCPFailures is the number of TCP failures + in a row to consider a target unhealthy. + minimum: 0 + type: integer + timeouts: + description: Timeouts is the number of timeouts in a row + to consider a target unhealthy. + minimum: 0 + type: integer + type: object + type: object + passive: + description: Passive configures passive health check probing. + properties: + healthy: + description: Healthy configures thresholds and HTTP status + codes to mark targets healthy for an upstream. + properties: + httpStatuses: + description: HTTPStatuses is a list of HTTP status codes + that Kong considers a success. + items: + description: HTTPStatus is an HTTP status code. + maximum: 599 + minimum: 100 + type: integer + type: array + interval: + description: Interval is the interval between active health + checks for an upstream in seconds when in a healthy + state. + minimum: 0 + type: integer + successes: + description: Successes is the number of successes to consider + a target healthy. + minimum: 0 + type: integer + type: object + type: + description: |- + Type determines whether to perform passive health checks interpreting HTTP/HTTPS statuses, + or just check for TCP connection success. + Accepted values are "http", "https", "tcp", "grpc", "grpcs". + enum: + - http + - https + - tcp + - grpc + - grpcs + type: string + unhealthy: + description: Unhealthy configures thresholds and HTTP status + codes to mark targets unhealthy. + properties: + httpFailures: + description: HTTPFailures is the number of failures to + consider a target unhealthy. + minimum: 0 + type: integer + httpStatuses: + description: HTTPStatuses is a list of HTTP status codes + that Kong considers a failure. + items: + description: HTTPStatus is an HTTP status code. + maximum: 599 + minimum: 100 + type: integer + type: array + interval: + description: Interval is the interval between active health + checks for an upstream in seconds when in an unhealthy + state. + minimum: 0 + type: integer + tcpFailures: + description: TCPFailures is the number of TCP failures + in a row to consider a target unhealthy. + minimum: 0 + type: integer + timeouts: + description: Timeouts is the number of timeouts in a row + to consider a target unhealthy. + minimum: 0 + type: integer + type: object + type: object + threshold: + description: |- + Threshold is the minimum percentage of the upstream’s targets’ weight that must be available for the whole + upstream to be considered healthy. + type: integer + type: object + slots: + description: |- + Slots is the number of slots in the load balancer algorithm. + If not set, the default value in Kong for the algorithm is used. + maximum: 65536 + minimum: 10 + type: integer + type: object + status: + description: Status defines the current state of KongUpstreamPolicy + properties: + ancestors: + description: |- + Ancestors is a list of ancestor resources (usually Gateways) that are + associated with the policy, and the status of the policy with respect to + each ancestor. When this policy attaches to a parent, the controller that + manages the parent and the ancestors MUST add an entry to this list when + the controller first sees the policy and SHOULD update the entry as + appropriate when the relevant ancestor is modified. + + Note that choosing the relevant ancestor is left to the Policy designers; + an important part of Policy design is designing the right object level at + which to namespace this status. + + Note also that implementations MUST ONLY populate ancestor status for + the Ancestor resources they are responsible for. Implementations MUST + use the ControllerName field to uniquely identify the entries in this list + that they are responsible for. + + Note that to achieve this, the list of PolicyAncestorStatus structs + MUST be treated as a map with a composite key, made up of the AncestorRef + and ControllerName fields combined. + + A maximum of 16 ancestors will be represented in this list. An empty list + means the Policy is not relevant for any ancestors. + + If this slice is full, implementations MUST NOT add further entries. + Instead they MUST consider the policy unimplementable and signal that + on any related resources such as the ancestor that would be referenced + here. For example, if this list was full on BackendTLSPolicy, no + additional Gateways would be able to reference the Service targeted by + the BackendTLSPolicy. + items: + description: |- + PolicyAncestorStatus describes the status of a route with respect to an + associated Ancestor. + + Ancestors refer to objects that are either the Target of a policy or above it + in terms of object hierarchy. For example, if a policy targets a Service, the + Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and + the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most + useful object to place Policy status on, so we recommend that implementations + SHOULD use Gateway as the PolicyAncestorStatus object unless the designers + have a _very_ good reason otherwise. + + In the context of policy attachment, the Ancestor is used to distinguish which + resource results in a distinct application of this policy. For example, if a policy + targets a Service, it may have a distinct result per attached Gateway. + + Policies targeting the same resource may have different effects depending on the + ancestors of those resources. For example, different Gateways targeting the same + Service may have different capabilities, especially if they have different underlying + implementations. + + For example, in BackendTLSPolicy, the Policy attaches to a Service that is + used as a backend in a HTTPRoute that is itself attached to a Gateway. + In this case, the relevant object for status is the Gateway, and that is the + ancestor object referred to in this status. + + Note that a parent is also an ancestor, so for objects where the parent is the + relevant object for status, this struct SHOULD still be used. + + This struct is intended to be used in a slice that's effectively a map, + with a composite key made up of the AncestorRef and the ControllerName. + properties: + ancestorRef: + description: |- + AncestorRef corresponds with a ParentRef in the spec that this + PolicyAncestorStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: |- + Group is the group of the referent. + When unspecified, "gateway.networking.k8s.io" is inferred. + To set the core API group (such as for a "Service" kind referent), + Group must be explicitly set to "" (empty string). + + Support: Core + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: |- + Kind is kind of the referent. + + There are two kinds of parent resources with "Core" support: + + * Gateway (Gateway conformance profile) + * Service (Mesh conformance profile, ClusterIP Services only) + + Support for other resources is Implementation-Specific. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: |- + Name is the name of the referent. + + Support: Core + maxLength: 253 + minLength: 1 + type: string + namespace: + description: |- + Namespace is the namespace of the referent. When unspecified, this refers + to the local namespace of the Route. + + Note that there are specific rules for ParentRefs which cross namespace + boundaries. Cross-namespace references are only valid if they are explicitly + allowed by something in the namespace they are referring to. For example: + Gateway has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + + + ParentRefs from a Route to a Service in the same namespace are "producer" + routes, which apply default routing rules to inbound connections from + any namespace to the Service. + + ParentRefs from a Route to a Service in a different namespace are + "consumer" routes, and these routing rules are only applied to outbound + connections originating from the same namespace as the Route, for which + the intended destination of the connections are a Service targeted as a + ParentRef of the Route. + + + Support: Core + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: |- + Port is the network port this Route targets. It can be interpreted + differently based on the type of parent resource. + + When the parent resource is a Gateway, this targets all listeners + listening on the specified port that also support this kind of Route(and + select this Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to a specific port + as opposed to a listener(s) whose port(s) may be changed. When both Port + and SectionName are specified, the name and port of the selected listener + must match both specified values. + + + When the parent resource is a Service, this targets a specific port in the + Service spec. When both Port (experimental) and SectionName are specified, + the name and port of the selected port must match both specified values. + + + Implementations MAY choose to support other parent resources. + Implementations supporting other types of parent resources MUST clearly + document how/if Port is interpreted. + + For the purpose of status, an attachment is considered successful as + long as the parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + + Support: Extended + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: |- + SectionName is the name of a section within the target resource. In the + following resources, SectionName is interpreted as the following: + + * Gateway: Listener name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + * Service: Port name. When both Port (experimental) and SectionName + are specified, the name and port of the selected listener must match + both specified values. + + Implementations MAY choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName is + interpreted. + + When unspecified (empty string), this will reference the entire resource. + For the purpose of status, an attachment is considered successful if at + least one section in the parent resource accepts it. For example, Gateway + listeners can restrict which Routes can attach to them by Route kind, + namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from + the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this Route, the + Route MUST be considered detached from the Gateway. + + Support: Core + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + conditions: + description: Conditions describes the status of the Policy with + respect to the given Ancestor. + items: + description: Condition contains details for one aspect of + the current state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: |- + ControllerName is a domain/path string that indicates the name of the + controller that wrote this status. This corresponds with the + controllerName field on GatewayClass. + + Example: "example.net/gateway-controller". + + The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are + valid Kubernetes names + (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + + Controllers MUST populate this field when writing status. Controllers should ensure that + entries to status populated with their ControllerName are cleaned up when they are no + longer necessary. + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + required: + - ancestorRef + - controllerName + type: object + maxItems: 16 + type: array + required: + - ancestors + type: object + type: object + x-kubernetes-validations: + - message: Only one of spec.hashOn.(input|cookie|header|uriCapture|queryArg) + can be set. + rule: 'has(self.spec.hashOn) ? [has(self.spec.hashOn.input), has(self.spec.hashOn.cookie), + has(self.spec.hashOn.header), has(self.spec.hashOn.uriCapture), has(self.spec.hashOn.queryArg)].filter(fieldSet, + fieldSet == true).size() <= 1 : true' + - message: When spec.hashOn.cookie is set, spec.hashOn.cookiePath is required. + rule: 'has(self.spec.hashOn) && has(self.spec.hashOn.cookie) ? has(self.spec.hashOn.cookiePath) + : true' + - message: When spec.hashOn.cookiePath is set, spec.hashOn.cookie is required. + rule: 'has(self.spec.hashOn) && has(self.spec.hashOn.cookiePath) ? has(self.spec.hashOn.cookie) + : true' + - message: spec.algorithm must be set to "consistent-hashing" when spec.hashOn + is set. + rule: 'has(self.spec.hashOn) ? has(self.spec.algorithm) && self.spec.algorithm + == "consistent-hashing" : true' + - message: Only one of spec.hashOnFallback.(input|header|uriCapture|queryArg) + can be set. + rule: 'has(self.spec.hashOnFallback) ? [has(self.spec.hashOnFallback.input), + has(self.spec.hashOnFallback.header), has(self.spec.hashOnFallback.uriCapture), + has(self.spec.hashOnFallback.queryArg)].filter(fieldSet, fieldSet == true).size() + <= 1 : true' + - message: spec.algorithm must be set to "consistent-hashing" when spec.hashOnFallback + is set. + rule: 'has(self.spec.hashOnFallback) ? has(self.spec.algorithm) && self.spec.algorithm + == "consistent-hashing" : true' + - message: spec.hashOnFallback.cookie must not be set. + rule: 'has(self.spec.hashOnFallback) ? !has(self.spec.hashOnFallback.cookie) + : true' + - message: spec.hashOnFallback.cookiePath must not be set. + rule: 'has(self.spec.hashOnFallback) ? !has(self.spec.hashOnFallback.cookiePath) + : true' + - message: spec.healthchecks.passive.healthy.interval must not be set. + rule: 'has(self.spec.healthchecks) && has(self.spec.healthchecks.passive) + && has(self.spec.healthchecks.passive.healthy) ? !has(self.spec.healthchecks.passive.healthy.interval) + : true' + - message: spec.healthchecks.passive.unhealthy.interval must not be set. + rule: 'has(self.spec.healthchecks) && has(self.spec.healthchecks.passive) + && has(self.spec.healthchecks.passive.unhealthy) ? !has(self.spec.healthchecks.passive.unhealthy.interval) + : true' + - message: spec.hashOnFallback must not be set when spec.hashOn.cookie is + set. + rule: 'has(self.spec.hashOn) && has(self.spec.hashOn.cookie) ? !has(self.spec.hashOnFallback) + : true' + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: kongvaults.configuration.konghq.com +spec: + group: configuration.konghq.com + names: + categories: + - kong-ingress-controller + kind: KongVault + listKind: KongVaultList + plural: kongvaults + shortNames: + - kv + singular: kongvault + scope: Cluster + versions: + - additionalPrinterColumns: + - description: Name of the backend of the vault + jsonPath: .spec.backend + name: Backend Type + type: string + - description: Prefix of vault URI to reference the values in the vault + jsonPath: .spec.prefix + name: Prefix + type: string + - description: Age + jsonPath: .metadata.creationTimestamp + name: Age + type: date + - description: Description + jsonPath: .spec.description + name: Description + priority: 1 + type: string + - jsonPath: .status.conditions[?(@.type=="Programmed")].status + name: Programmed + type: string + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + KongVault is the schema for kongvaults API which defines a custom Kong vault. + A Kong vault is a storage to store sensitive data, where the values can be referenced in configuration of plugins. + See: https://docs.konghq.com/gateway/latest/kong-enterprise/secrets-management/ + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: KongVaultSpec defines specification of a custom Kong vault. + properties: + backend: + description: |- + Backend is the type of the backend storing the secrets in the vault. + The supported backends of Kong is listed here: + https://docs.konghq.com/gateway/latest/kong-enterprise/secrets-management/backends/ + minLength: 1 + type: string + config: + description: Config is the configuration of the vault. Varies for + different backends. + x-kubernetes-preserve-unknown-fields: true + description: + description: Description is the additional information about the vault. + type: string + prefix: + description: |- + Prefix is the prefix of vault URI for referencing values in the vault. + It is immutable after created. + minLength: 1 + type: string + required: + - backend + - prefix + type: object + status: + description: KongVaultStatus represents the current status of the KongVault + resource. + properties: + conditions: + default: + - lastTransitionTime: "1970-01-01T00:00:00Z" + message: Waiting for controller + reason: Pending + status: Unknown + type: Programmed + description: |- + Conditions describe the current conditions of the KongVaultStatus. + + Known condition types are: + + * "Programmed" + items: + description: Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + required: + - conditions + type: object + required: + - spec + type: object + x-kubernetes-validations: + - message: The spec.prefix field is immutable + rule: self.spec.prefix == oldSelf.spec.prefix + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: tcpingresses.configuration.konghq.com +spec: + group: configuration.konghq.com + names: + categories: + - kong-ingress-controller + kind: TCPIngress + listKind: TCPIngressList + plural: tcpingresses + singular: tcpingress + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Address of the load balancer + jsonPath: .status.loadBalancer.ingress[*].ip + name: Address + type: string + - description: Age + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: TCPIngress is the Schema for the tcpingresses API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the TCPIngress specification. + properties: + rules: + description: A list of rules used to configure the Ingress. + items: + description: |- + IngressRule represents a rule to apply against incoming requests. + Matching is performed based on an (optional) SNI and port. + properties: + backend: + description: |- + Backend defines the referenced service endpoint to which the traffic + will be forwarded to. + properties: + serviceName: + description: Specifies the name of the referenced service. + minLength: 1 + type: string + servicePort: + description: Specifies the port of the referenced service. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - serviceName + - servicePort + type: object + host: + description: |- + Host is the fully qualified domain name of a network host, as defined + by RFC 3986. + If a Host is not specified, then port-based TCP routing is performed. Kong + doesn't care about the content of the TCP stream in this case. + If a Host is specified, the protocol must be TLS over TCP. + A plain-text TCP request cannot be routed based on Host. It can only + be routed based on Port. + type: string + port: + description: |- + Port is the port on which to accept TCP or TLS over TCP sessions and + route. It is a required field. If a Host is not specified, the requested + are routed based only on Port. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - backend + - port + type: object + type: array + tls: + description: |- + TLS configuration. This is similar to the `tls` section in the + Ingress resource in networking.v1beta1 group. + The mapping of SNIs to TLS cert-key pair defined here will be + used for HTTP Ingress rules as well. Once can define the mapping in + this resource or the original Ingress resource, both have the same + effect. + items: + description: IngressTLS describes the transport layer security. + properties: + hosts: + description: |- + Hosts are a list of hosts included in the TLS certificate. The values in + this list must match the name/s used in the tlsSecret. Defaults to the + wildcard host setting for the loadbalancer controller fulfilling this + Ingress, if left unspecified. + items: + type: string + type: array + secretName: + description: SecretName is the name of the secret used to terminate + SSL traffic. + type: string + type: object + type: array + type: object + status: + description: TCPIngressStatus defines the observed state of TCPIngress. + properties: + loadBalancer: + description: LoadBalancer contains the current status of the load-balancer. + properties: + ingress: + description: |- + Ingress is a list containing ingress points for the load-balancer. + Traffic intended for the service should be sent to these ingress points. + items: + description: |- + LoadBalancerIngress represents the status of a load-balancer ingress point: + traffic intended for the service should be sent to an ingress point. + properties: + hostname: + description: |- + Hostname is set for load-balancer ingress points that are DNS based + (typically AWS load-balancers) + type: string + ip: + description: |- + IP is set for load-balancer ingress points that are IP based + (typically GCE or OpenStack load-balancers) + type: string + ipMode: + description: |- + IPMode specifies how the load-balancer IP behaves, and may only be specified when the ip field is specified. + Setting this to "VIP" indicates that traffic is delivered to the node with + the destination set to the load-balancer's IP and port. + Setting this to "Proxy" indicates that traffic is delivered to the node or pod with + the destination set to the node's IP and node port or the pod's IP and port. + Service implementations may use this information to adjust traffic routing. + type: string + ports: + description: |- + Ports is a list of records of service ports + If used, every port defined in the service should have an entry in it + items: + properties: + error: + description: |- + Error is to record the problem with the service port + The format of the error shall comply with the following rules: + - built-in error values shall be specified in this file and those shall use + CamelCase names + - cloud provider specific error values must have names that comply with the + format foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + port: + description: Port is the port number of the service + port of which status is recorded here + format: int32 + type: integer + protocol: + description: |- + Protocol is the protocol of the service port of which status is recorded here + The supported values are: "TCP", "UDP", "SCTP" + type: string + required: + - error + - port + - protocol + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.1 + name: udpingresses.configuration.konghq.com +spec: + group: configuration.konghq.com + names: + categories: + - kong-ingress-controller + kind: UDPIngress + listKind: UDPIngressList + plural: udpingresses + singular: udpingress + scope: Namespaced + versions: + - additionalPrinterColumns: + - description: Address of the load balancer + jsonPath: .status.loadBalancer.ingress[*].ip + name: Address + type: string + - description: Age + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: UDPIngress is the Schema for the udpingresses API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Spec is the UDPIngress specification. + properties: + rules: + description: A list of rules used to configure the Ingress. + items: + description: |- + UDPIngressRule represents a rule to apply against incoming requests + wherein no Host matching is available for request routing, only the port + is used to match requests. + properties: + backend: + description: |- + Backend defines the Kubernetes service which accepts traffic from the + listening Port defined above. + properties: + serviceName: + description: Specifies the name of the referenced service. + minLength: 1 + type: string + servicePort: + description: Specifies the port of the referenced service. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - serviceName + - servicePort + type: object + port: + description: |- + Port indicates the port for the Kong proxy to accept incoming traffic + on, which will then be routed to the service Backend. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - backend + - port + type: object + type: array + type: object + status: + description: UDPIngressStatus defines the observed state of UDPIngress. + properties: + loadBalancer: + description: LoadBalancer contains the current status of the load-balancer. + properties: + ingress: + description: |- + Ingress is a list containing ingress points for the load-balancer. + Traffic intended for the service should be sent to these ingress points. + items: + description: |- + LoadBalancerIngress represents the status of a load-balancer ingress point: + traffic intended for the service should be sent to an ingress point. + properties: + hostname: + description: |- + Hostname is set for load-balancer ingress points that are DNS based + (typically AWS load-balancers) + type: string + ip: + description: |- + IP is set for load-balancer ingress points that are IP based + (typically GCE or OpenStack load-balancers) + type: string + ipMode: + description: |- + IPMode specifies how the load-balancer IP behaves, and may only be specified when the ip field is specified. + Setting this to "VIP" indicates that traffic is delivered to the node with + the destination set to the load-balancer's IP and port. + Setting this to "Proxy" indicates that traffic is delivered to the node or pod with + the destination set to the node's IP and node port or the pod's IP and port. + Service implementations may use this information to adjust traffic routing. + type: string + ports: + description: |- + Ports is a list of records of service ports + If used, every port defined in the service should have an entry in it + items: + properties: + error: + description: |- + Error is to record the problem with the service port + The format of the error shall comply with the following rules: + - built-in error values shall be specified in this file and those shall use + CamelCase names + - cloud provider specific error values must have names that comply with the + format foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + port: + description: Port is the port number of the service + port of which status is recorded here + format: int32 + type: integer + protocol: + description: |- + Protocol is the protocol of the service port of which status is recorded here + The supported values are: "TCP", "UDP", "SCTP" + type: string + required: + - error + - port + - protocol + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/kong/kong/2.41.0/questions.yml b/charts/kong/kong/2.41.0/questions.yml new file mode 100644 index 000000000..27b774b9b --- /dev/null +++ b/charts/kong/kong/2.41.0/questions.yml @@ -0,0 +1,33 @@ +labels: + io.rancher.certified: partner + io.cattle.role: project # options are cluster/project +categories: +- API Gateway +questions: +- variable: admin.enabled + default: "false" + description: "Enable REST Admin API" + label: REST Admin API + type: boolean + show_subquestion_if: true + group: "Admin API" + subquestions: + - variable: admin.type + default: "LoadBalancer" + description: "Kubernetes Service Type" + label: Service Type + type: enum + options: + - ClusterIP + - NodePort + - LoadBalancer + - variable: admin.http.enabled + default: "false" + description: "Enable HTTP for REST Admin API" + label: REST Admin API - HTTP + type: boolean +- variable: proxy.http.enabled + default: "true" + description: "Enable HTTP for Proxy" + label: Proxy - HTTP + type: boolean diff --git a/charts/kong/kong/2.41.0/templates/NOTES.txt b/charts/kong/kong/2.41.0/templates/NOTES.txt new file mode 100644 index 000000000..bb370e95f --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/NOTES.txt @@ -0,0 +1,48 @@ +To connect to Kong, please execute the following commands: +{{ if contains "LoadBalancer" .Values.proxy.type }} +HOST=$(kubectl get svc --namespace {{ template "kong.namespace" . }} {{ template "kong.fullname" . }}-proxy -o jsonpath='{.status.loadBalancer.ingress[0].ip}') +PORT=$(kubectl get svc --namespace {{ template "kong.namespace" . }} {{ template "kong.fullname" . }}-proxy -o jsonpath='{.spec.ports[0].port}') +{{ else if contains "NodePort" .Values.proxy.type }}HOST=$(kubectl get nodes --namespace {{ template "kong.namespace" . }} -o jsonpath='{.items[0].status.addresses[0].address}') +PORT=$(kubectl get svc --namespace {{ template "kong.namespace" . }} {{ template "kong.fullname" . }}-proxy -o jsonpath='{.spec.ports[0].nodePort}') +{{ end -}} +export PROXY_IP=${HOST}:${PORT} +curl $PROXY_IP + +Once installed, please follow along the getting started guide to start using +Kong: https://docs.konghq.com/kubernetes-ingress-controller/latest/guides/getting-started/ + +{{ $warnings := list -}} + +{{- if (hasKey .Values.ingressController "serviceAccount") -}} +{{- if (or (hasKey .Values.ingressController.serviceAccount "name") (hasKey .Values.ingressController.serviceAccount "annotations")) -}} +{{- $warnings = append $warnings "you have set either .ingressController.serviceAccount.name or .ingressController.serviceAccount.annotations. These settings have moved to .deployment.serviceAccount.name and .deployment.serviceAccount.annotations. You must move your configuration to the new location in values.yaml" -}} +{{- end -}} +{{- end -}} + +{{- if and .Values.manager.enabled (or .Values.manager.http.enabled .Values.manager.tls.enabled) -}} +{{- if not (and .Values.admin.enabled (or .Values.admin.http.enabled .Values.admin.tls.enabled)) -}} +{{- $warnings = append $warnings "Kong Manager will not be functional because the Admin API is not enabled. Setting both .admin.enabled and .admin.http.enabled and/or .admin.tls.enabled to true to enable the Admin API over HTTP/TLS." -}} +{{- end -}} +{{- end -}} + +{{- if and .Values.ingressController.konnect.enabled .Values.ingressController.konnect.runtimeGroupID -}} +{{- if not .Values.ingressController.konnect.controlPlaneID -}} +{{- $warnings = append $warnings "Please use `.ingressController.konnect.controlPlaneID` instead. `.ingressController.konnect.runtimeGroupID` will be removed in a future release." -}} +{{- end -}} +{{- end -}} + +{{- include "kong.deprecation-warnings" $warnings -}} + +{{- if .Values.demo -}} + +############################################################################################# +##### WARNING: DEMO VALUES USED +############################################################################################# + +The values file used has been marked as a demo configuration. +It should NOT be used in production without comprehensive review of all settings provided. + +############################################################################################# +##### WARNING: DEMO VALUES USED +############################################################################################# +{{- end -}} diff --git a/charts/kong/kong/2.41.0/templates/_helpers.tpl b/charts/kong/kong/2.41.0/templates/_helpers.tpl new file mode 100644 index 000000000..fe20eb4f3 --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/_helpers.tpl @@ -0,0 +1,1844 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} + +{{- define "kong.namespace" -}} +{{- default .Release.Namespace .Values.namespace -}} +{{- end -}} + +{{- define "kong.release" -}} +{{- default .Release.Name -}} +{{- end -}} + +{{- define "kong.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "kong.fullname" -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- default (printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-") .Values.fullnameOverride -}} +{{- end -}} + +{{- define "kong.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "kong.metaLabels" -}} +app.kubernetes.io/name: {{ template "kong.name" . }} +helm.sh/chart: {{ template "kong.chart" . }} +app.kubernetes.io/instance: "{{ .Release.Name }}" +app.kubernetes.io/managed-by: "{{ .Release.Service }}" +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- range $key, $value := .Values.extraLabels }} +{{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }} +{{- end }} +{{- end -}} + +{{- define "kong.selectorLabels" -}} +app.kubernetes.io/name: {{ template "kong.name" . }} +app.kubernetes.io/component: app +app.kubernetes.io/instance: "{{ .Release.Name }}" +{{- end -}} + +{{- define "kong.postgresql.fullname" -}} +{{- $name := default "postgresql" .Values.postgresql.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "kong.dblessConfig.fullname" -}} +{{- $name := default "kong-custom-dbless-config" .Values.dblessConfig.nameOverride -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "kong.serviceAccountName" -}} +{{- if .Values.deployment.serviceAccount.create -}} + {{ default (include "kong.fullname" .) .Values.deployment.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.deployment.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the secret for service account token to use +*/}} +{{- define "kong.serviceAccountTokenName" -}} +{{ include "kong.serviceAccountName" . }}-token +{{- end -}} + +{{/* +Create Ingress resource for a Kong service +*/}} +{{- define "kong.ingress" -}} +{{- $servicePort := include "kong.ingress.servicePort" . }} +{{- $path := .ingress.path -}} +{{- $hostname := .ingress.hostname -}} +{{- $pathType := .ingress.pathType -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ .fullName }}-{{ .serviceName }} + namespace: {{ .namespace }} + labels: + {{- .metaLabels | nindent 4 }} + {{- range $key, $value := .ingress.labels }} + {{- $key | nindent 4 }}: {{ $value | quote }} + {{- end }} + {{- if .ingress.annotations }} + annotations: + {{- range $key, $value := .ingress.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} +spec: +{{- if .ingress.ingressClassName }} + ingressClassName: {{ .ingress.ingressClassName }} +{{- end }} + rules: + {{- if ( not (or $hostname .ingress.hosts)) }} + - http: + paths: + - backend: + service: + name: {{ .fullName }}-{{ .serviceName }} + port: + number: {{ $servicePort }} + path: {{ $path }} + pathType: {{ $pathType }} + {{- else if $hostname }} + - host: {{ $hostname | quote }} + http: + paths: + - backend: + service: + name: {{ .fullName }}-{{ .serviceName }} + port: + number: {{ $servicePort }} + path: {{ $path }} + pathType: {{ $pathType }} + {{- end }} + {{- range .ingress.hosts }} + - host: {{ .host | quote }} + http: + paths: + {{- range .paths }} + - backend: + {{- if .backend -}} + {{ .backend | toYaml | nindent 12 }} + {{- else }} + service: + name: {{ $.fullName }}-{{ $.serviceName }} + port: + number: {{ $servicePort }} + {{- end }} + {{- if (and $hostname (and (eq $path .path))) }} + {{- fail "duplication of specified ingress path" }} + {{- end }} + path: {{ .path }} + pathType: {{ .pathType }} + {{- end }} + {{- end }} + {{- if (hasKey .ingress "tls") }} + tls: + {{- if (kindIs "string" .ingress.tls) }} + - hosts: + {{- range .ingress.hosts }} + - {{ .host | quote }} + {{- end }} + {{- if $hostname }} + - {{ $hostname | quote }} + {{- end }} + secretName: {{ .ingress.tls }} + {{- else if (kindIs "slice" .ingress.tls) }} + {{- range .ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + {{- end }} +{{- end -}} + +{{/* +Create Service resource for a Kong service +*/}} +{{- define "kong.service" -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ .fullName }}-{{ .serviceName }} + namespace: {{ .namespace }} + {{- if .annotations }} + annotations: + {{- range $key, $value := .annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + labels: + {{- .metaLabels | nindent 4 }} + {{- range $key, $value := .labels }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + type: {{ .type }} + {{- if eq .type "LoadBalancer" }} + {{- if .loadBalancerIP }} + loadBalancerIP: {{ .loadBalancerIP }} + {{- end }} + {{- if .loadBalancerSourceRanges }} + loadBalancerSourceRanges: + {{- range $cidr := .loadBalancerSourceRanges }} + - {{ $cidr }} + {{- end }} + {{- end }} + {{- if .loadBalancerClass }} + loadBalancerClass: {{ .loadBalancerClass }} + {{- end }} + {{- end }} + {{- if .externalIPs }} + externalIPs: + {{- range $ip := .externalIPs }} + - {{ $ip }} + {{- end -}} + {{- end }} + ports: + {{- if .http }} + {{- if .http.enabled }} + {{- if ne ( .http.servicePort | toString ) "0" }} + - name: kong-{{ .serviceName }} + port: {{ .http.servicePort }} + targetPort: {{ .http.containerPort }} + {{- if .http.appProtocol }} + appProtocol: {{ .http.appProtocol }} + {{- end }} + {{- if (and (or (eq .type "LoadBalancer") (eq .type "NodePort")) (not (empty .http.nodePort))) }} + nodePort: {{ .http.nodePort }} + {{- end }} + protocol: TCP + {{- end }} + {{- end }} + {{- end }} + {{- if .tls.enabled }} + - name: kong-{{ .serviceName }}-tls + port: {{ .tls.servicePort }} + targetPort: {{ .tls.overrideServiceTargetPort | default .tls.containerPort }} + {{- if .tls.appProtocol }} + appProtocol: {{ .tls.appProtocol }} + {{- end }} + {{- if (and (or (eq .type "LoadBalancer") (eq .type "NodePort")) (not (empty .tls.nodePort))) }} + nodePort: {{ .tls.nodePort }} + {{- end }} + protocol: TCP + {{- end }} + {{- if (hasKey . "stream") }} + {{- $defaultProtocol := "TCP" }} + {{- if (hasSuffix "udp-proxy" .serviceName) }} + {{- $defaultProtocol = "UDP" }} + {{- end }} + {{- range $index, $streamEntry := .stream }} + {{- if (not (hasKey $streamEntry "protocol")) }} + {{- $_ := set $streamEntry "protocol" $defaultProtocol }} + {{- end }} + {{- end }} + {{- range .stream }} + - name: stream{{ if (eq (default "TCP" .protocol) "UDP") }}udp{{ end }}-{{ .containerPort }} + port: {{ .servicePort }} + targetPort: {{ .containerPort }} + {{- if (and (or (eq $.type "LoadBalancer") (eq $.type "NodePort")) (not (empty .nodePort))) }} + nodePort: {{ .nodePort }} + {{- end }} + protocol: {{ .protocol | default "TCP" }} + {{- end }} + {{- end }} + {{- if .externalTrafficPolicy }} + externalTrafficPolicy: {{ .externalTrafficPolicy }} + {{- end }} + {{- if .clusterIP }} + {{- if (or (not (eq .clusterIP "None")) (and (eq .type "ClusterIP") (eq .clusterIP "None"))) }} + clusterIP: {{ .clusterIP }} + {{- end }} + {{- end }} + selector: + {{- .selectorLabels | nindent 4 }} +{{- end -}} + + +{{/* +Create KONG_SERVICE_LISTEN strings +Generic tool for creating KONG_PROXY_LISTEN, KONG_ADMIN_LISTEN, etc. +*/}} +{{- define "kong.listen" -}} + {{- $unifiedListen := list -}} + {{- $defaultAddrs := (list "0.0.0.0" "[::]") -}} + + {{/* Some services do not support these blocks at all, so these checks are a + two-stage "is it safe to evaluate this?" and then "should we evaluate + this?" + */}} + {{- if .http -}} + {{- if .http.enabled -}} + {{- $listenConfig := dict -}} + {{- $listenConfig := merge $listenConfig .http -}} + {{- $addresses := (default $defaultAddrs .addresses) -}} + {{- range $addresses -}} + {{- $_ := set $listenConfig "address" . -}} + {{- $httpListen := (include "kong.singleListen" $listenConfig) -}} + {{- $unifiedListen = append $unifiedListen $httpListen -}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{- if .tls -}} + {{- if .tls.enabled -}} + {{/* + This is a bit of a hack to support always including "ssl" in the parameter + list for TLS listens. It's not possible to set a variable to an object from + .Values and then modify one of the objects values locally, although + https://github.com/helm/helm/issues/4987 indicates it should be. Instead, + this creates a new object and new parameters list built from the original. + */}} + {{- $listenConfig := dict -}} + {{- $listenConfig := merge $listenConfig .tls -}} + {{- $parameters := append .tls.parameters "ssl" -}} + {{- $_ := set $listenConfig "parameters" $parameters -}} + {{- $addresses := (default $defaultAddrs .addresses) -}} + {{- range $addresses -}} + {{- $_ := set $listenConfig "address" . -}} + {{- $tlsListen := (include "kong.singleListen" $listenConfig) -}} + {{- $unifiedListen = append $unifiedListen $tlsListen -}} + {{- end -}} + {{- end -}} + {{- end -}} + + {{- $listenString := ($unifiedListen | join ", ") -}} + {{- if eq (len $listenString) 0 -}} + {{- $listenString = "off" -}} + {{- end -}} + {{- $listenString -}} +{{- end -}} + +{{/* +Create KONG_PORT_MAPS string +Parameters: takes a service (e.g. .Values.proxy) as its argument and returns KONG_PORT_MAPS for that service. +*/}} +{{- define "kong.port_maps" -}} + {{- $portMaps := list -}} + + {{- if .http.enabled -}} + {{- if ne (.http.servicePort | toString ) "0" -}} + {{- $portMaps = append $portMaps (printf "%d:%d" (int64 .http.servicePort) (int64 .http.containerPort)) -}} + {{- end -}} + {{- end -}} + + {{- if .tls.enabled -}} + {{- $portMaps = append $portMaps (printf "%d:%d" (int64 .tls.servicePort) (int64 .tls.containerPort)) -}} + {{- end -}} + + {{- $portMapsString := ($portMaps | join ", ") -}} + {{- $portMapsString -}} +{{- end -}} + +{{/* +Create KONG_STREAM_LISTEN string +*/}} +{{- define "kong.streamListen" -}} + {{- $unifiedListen := list -}} + {{- $defaultAddrs := (list "0.0.0.0" "[::]") -}} + {{- range .stream -}} + {{- $listenConfig := dict -}} + {{- $listenConfig := merge $listenConfig . -}} + {{- $addresses := (default $defaultAddrs .addresses) -}} + {{- range $addresses -}} + {{- $_ := set $listenConfig "address" . -}} + {{/* You set NGINX stream listens to UDP using a parameter due to historical reasons. + Our configuration is dual-purpose, for both the Service and listen string, so we + forcibly inject this parameter if that's the Service protocol. The default handles + configs that predate the addition of the protocol field, where we only supported TCP. */}} + {{- if (eq (default "TCP" $listenConfig.protocol) "UDP") -}} + {{- $_ := set $listenConfig "parameters" (append (default (list) $listenConfig.parameters) "udp") -}} + {{- end -}} + {{- $unifiedListen = append $unifiedListen (include "kong.singleListen" $listenConfig ) -}} + {{- end -}} + {{- end -}} + + {{- $listenString := ($unifiedListen | join ", ") -}} + {{- if eq (len $listenString) 0 -}} + {{- $listenString = "" -}} + {{- end -}} + {{- $listenString -}} +{{- end -}} + +{{/* +Create a single listen (IP+port+parameter combo) +*/}} +{{- define "kong.singleListen" -}} + {{- $listen := list -}} + {{- $listen = append $listen (printf "%s:%d" .address (int64 .containerPort)) -}} + {{- range $param := .parameters | default (list) | uniq }} + {{- $listen = append $listen $param -}} + {{- end -}} + {{- $listen | join " " -}} +{{- end -}} + +{{/* +Return the admin API service name for service discovery +*/}} +{{- define "kong.adminSvc" -}} +{{- $gatewayDiscovery := .Values.ingressController.gatewayDiscovery -}} +{{- if $gatewayDiscovery.enabled -}} + {{- $adminApiService := $gatewayDiscovery.adminApiService -}} + {{- $adminApiServiceName := $gatewayDiscovery.adminApiService.name -}} + {{- $generateAdminApiService := $gatewayDiscovery.generateAdminApiService -}} + + {{- if and $generateAdminApiService $adminApiService.name -}} + {{- fail (printf ".Values.ingressController.gatewayDiscovery.adminApiService and .Values.ingressController.gatewayDiscovery.generateAdminApiService must not be provided at the same time") -}} + {{- end -}} + + {{- if $generateAdminApiService -}} + {{- $adminApiServiceName = (printf "%s-%s" .Release.Name "gateway-admin") -}} + {{- else }} + {{- $_ := required ".ingressController.gatewayDiscovery.adminApiService.name has to be provided when .Values.ingressController.gatewayDiscovery.enabled is set to true" $adminApiServiceName -}} + {{- end }} + + {{- if (semverCompare "< 2.9.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} + {{- fail (printf "Gateway discovery is available in controller versions 2.9 and up. Detected %s" (include "kong.effectiveVersion" .Values.ingressController.image)) }} + {{- end }} + + {{- if .Values.deployment.kong.enabled }} + {{- fail "deployment.kong.enabled and ingressController.gatewayDiscovery.enabled are mutually exclusive and cannot be enabled at once. Gateway discovery requires a split release installation of Gateways and Ingress Controller." }} + {{- end }} + + {{- $namespace := $adminApiService.namespace | default ( include "kong.namespace" . ) -}} + {{- printf "%s/%s" $namespace $adminApiServiceName -}} +{{- else -}} + {{- fail "Can't use gateway discovery when .Values.ingressController.gatewayDiscovery.enabled is set to false." -}} +{{- end -}} +{{- end -}} + +{{/* +Return the local admin API URL, preferring HTTPS if available +*/}} +{{- define "kong.adminLocalURL" -}} + {{- if .Values.admin.tls.enabled -}} +https://localhost:{{ .Values.admin.tls.containerPort }} + {{- else if .Values.admin.http.enabled -}} +http://localhost:{{ .Values.admin.http.containerPort }} + {{- else -}} +http://localhost:9999 # You have no admin listens! The controller will not work unless you set .Values.admin.http.enabled=true or .Values.admin.tls.enabled=true! + {{- end -}} +{{- end -}} + +{{/* +Create the ingress servicePort value string +*/}} + +{{- define "kong.ingress.servicePort" -}} +{{- if .tls.enabled -}} + {{ .tls.servicePort }} +{{- else -}} + {{ .http.servicePort }} +{{- end -}} +{{- end -}} + +{{/* +Generate an appropriate external URL from a Kong service's ingress configuration +Strips trailing slashes from the path. Manager at least does not handle these +intelligently and will append its own slash regardless, and the admin API cannot handle +the extra slash. +*/}} + +{{- define "kong.ingress.serviceUrl" -}} +{{- if .tls -}} + https://{{ .hostname }}{{ .path | trimSuffix "/" }} +{{- else -}} + http://{{ .hostname }}{{ .path | trimSuffix "/" }} +{{- end -}} +{{- end -}} + +{{/* +The name of the service used for the ingress controller's validation webhook +*/}} + +{{- define "kong.service.validationWebhook" -}} +{{ include "kong.fullname" . }}-validation-webhook +{{- end -}} + + +{{/* +The name of the Service which will be used by the controller to update the Ingress status field. +*/}} + +{{- define "kong.controller-publish-service" -}} +{{- $proxyOverride := "" -}} + {{- if .Values.proxy.nameOverride -}} + {{- $proxyOverride = ( tpl .Values.proxy.nameOverride . ) -}} + {{- end -}} +{{- (printf "%s/%s" ( include "kong.namespace" . ) ( default ( printf "%s-proxy" (include "kong.fullname" . )) $proxyOverride )) -}} +{{- end -}} + +{{- define "kong.ingressController.env" -}} +{{/* + ====== AUTO-GENERATED ENVIRONMENT VARIABLES ====== +*/}} + + +{{- $autoEnv := dict -}} + {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_SKIP_VERIFY" true -}} + {{- $_ := set $autoEnv "CONTROLLER_PUBLISH_SERVICE" ( include "kong.controller-publish-service" . ) -}} + {{- $_ := set $autoEnv "CONTROLLER_INGRESS_CLASS" .Values.ingressController.ingressClass -}} + {{- $_ := set $autoEnv "CONTROLLER_ELECTION_ID" (printf "kong-ingress-controller-leader-%s" .Values.ingressController.ingressClass) -}} + + {{- if .Values.ingressController.admissionWebhook.enabled }} + {{- $address := (default "0.0.0.0" .Values.ingressController.admissionWebhook.address) -}} + {{- $_ := set $autoEnv "CONTROLLER_ADMISSION_WEBHOOK_LISTEN" (printf "%s:%d" $address (int64 .Values.ingressController.admissionWebhook.port)) -}} + {{- end }} + {{- if (not (eq (len .Values.ingressController.watchNamespaces) 0)) }} + {{- $_ := set $autoEnv "CONTROLLER_WATCH_NAMESPACE" (.Values.ingressController.watchNamespaces | join ",") -}} + {{- end }} + +{{/* + ====== ADMIN API CONFIGURATION ====== +*/}} + + {{- if .Values.ingressController.gatewayDiscovery.enabled -}} + {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_SVC" (include "kong.adminSvc" . ) -}} + {{- else -}} + {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_URL" (include "kong.adminLocalURL" .) -}} + {{- end -}} + + {{- if .Values.ingressController.adminApi.tls.client.enabled }} + {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_CLIENT_CERT_FILE" "/etc/secrets/admin-api-cert/tls.crt" -}} + {{- $_ := set $autoEnv "CONTROLLER_KONG_ADMIN_TLS_CLIENT_KEY_FILE" "/etc/secrets/admin-api-cert/tls.key" -}} + {{- end }} + +{{/* + ====== KONNECT ENVIRONMENT VARIABLES ====== +*/}} + +{{- if .Values.ingressController.konnect.enabled }} + {{- if (semverCompare "< 2.9.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} + {{- fail (printf "Konnect sync is available in controller versions 2.9 and up. Detected %s" (include "kong.effectiveVersion" .Values.ingressController.image)) }} + {{- end }} + + {{- if not .Values.ingressController.gatewayDiscovery.enabled }} + {{- fail "ingressController.gatewayDiscovery.enabled has to be true when ingressController.konnect.enabled"}} + {{- end }} + + {{- $konnect := .Values.ingressController.konnect -}} + {{- $_ := required "ingressController.konnect.controlPlaneID is required when ingressController.konnect.enabled" $konnect.controlPlaneID -}} + + {{- if $konnect.controlPlaneID }} + {{- $_ = set $autoEnv "CONTROLLER_KONNECT_CONTROL_PLANE_ID" $konnect.controlPlaneID -}} + {{- else if $konnect.runtimeGroupID }} + {{- $_ = set $autoEnv "CONTROLLER_KONNECT_CONTROL_PLANE_ID" $konnect.runtimeGroupID -}} + {{- else }} + {{- fail "At least one of konnect.controlPlaneID or konnect.runtimeGroupID must be set." -}} + {{- end }} + + {{- $_ = set $autoEnv "CONTROLLER_KONNECT_SYNC_ENABLED" true -}} + {{- $_ = set $autoEnv "CONTROLLER_KONNECT_ADDRESS" (printf "https://%s" .Values.ingressController.konnect.apiHostname) -}} + + {{- $tlsCert := include "secretkeyref" (dict "name" $konnect.tlsClientCertSecretName "key" "tls.crt") -}} + {{- $tlsKey := include "secretkeyref" (dict "name" $konnect.tlsClientCertSecretName "key" "tls.key") -}} + {{- $_ = set $autoEnv "CONTROLLER_KONNECT_TLS_CLIENT_CERT" $tlsCert -}} + {{- $_ = set $autoEnv "CONTROLLER_KONNECT_TLS_CLIENT_KEY" $tlsKey -}} + + {{- if $konnect.license.enabled }} + {{- $_ = set $autoEnv "CONTROLLER_KONNECT_LICENSING_ENABLED" true -}} + {{- end }} +{{- end }} + +{{/* + ====== USER-SET ENVIRONMENT VARIABLES ====== +*/}} + +{{- $userEnv := dict -}} +{{- range $key, $val := .Values.ingressController.env }} + {{- $upper := upper $key -}} + {{- $var := printf "CONTROLLER_%s" $upper -}} + {{- $_ := set $userEnv $var $val -}} +{{- end -}} + +{{/* + ====== CUSTOM-SET INGRESS CONTROLLER ENVIRONMENT VARIABLES ====== +*/}} + +{{- $customIngressEnv := dict -}} +{{- range $key, $val := .Values.ingressController.customEnv }} + {{- $upper := upper $key -}} + {{- $_ := set $customIngressEnv $upper $val -}} +{{- end -}} + +{{/* + ====== MERGE AND RENDER ENV BLOCK ====== +*/}} + +{{- $completeEnv := mergeOverwrite $autoEnv $userEnv $customIngressEnv -}} +{{- template "kong.renderEnv" $completeEnv -}} + +{{- end -}} + +{{- define "kong.userDefinedVolumes" -}} +{{- if .Values.deployment.userDefinedVolumes }} +{{- toYaml .Values.deployment.userDefinedVolumes }} +{{- end }} +{{- end -}} + +{{- define "kong.volumes" -}} +- name: {{ template "kong.fullname" . }}-prefix-dir + emptyDir: + sizeLimit: {{ .Values.deployment.prefixDir.sizeLimit }} +- name: {{ template "kong.fullname" . }}-tmp + emptyDir: + sizeLimit: {{ .Values.deployment.tmpDir.sizeLimit }} +{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }} +- name: {{ template "kong.serviceAccountTokenName" . }} + {{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well. + See the related documentation of semver module that Helm depends on for semverCompare: + https://github.com/Masterminds/semver#working-with-prerelease-versions + Related Helm issue: https://github.com/helm/helm/issues/3810 */}} + {{- if semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }} + projected: + sources: + - serviceAccountToken: + expirationSeconds: 3607 + path: token + - configMap: + items: + - key: ca.crt + path: ca.crt + name: kube-root-ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + {{- else }} + secret: + secretName: {{ template "kong.serviceAccountTokenName" . }} + items: + - key: token + path: token + - key: ca.crt + path: ca.crt + - key: namespace + path: namespace + {{- end }} +{{- end }} +{{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}} +{{- if .Values.certificates.cluster.enabled }} +- name: {{ include "kong.fullname" . }}-cluster-cert + secret: + secretName: {{ include "kong.fullname" . }}-cluster-cert +{{- end }} +{{- if .Values.certificates.proxy.enabled }} +- name: {{ include "kong.fullname" . }}-proxy-cert + secret: + secretName: {{ include "kong.fullname" . }}-proxy-cert +{{- end }} +{{- if .Values.certificates.admin.enabled }} +- name: {{ include "kong.fullname" . }}-admin-cert + secret: + secretName: {{ include "kong.fullname" . }}-admin-cert +{{- end }} +{{- if .Values.enterprise.enabled }} +{{- if .Values.certificates.portal.enabled }} +- name: {{ include "kong.fullname" . }}-portal-cert + secret: + secretName: {{ include "kong.fullname" . }}-portal-cert +{{- end }} +{{- end }} +{{- end }} +{{- if (and (.Values.postgresql.enabled) .Values.waitImage.enabled) }} +- name: {{ template "kong.fullname" . }}-bash-wait-for-postgres + configMap: + name: {{ template "kong.fullname" . }}-bash-wait-for-postgres + defaultMode: 0755 +{{- end }} +{{- range .Values.plugins.configMaps }} +- name: kong-plugin-{{ .pluginName }} + configMap: + name: {{ .name }} +{{- range .subdirectories }} +- name: {{ .name }} + configMap: + name: {{ .name }} +{{- end }} +{{- end }} +{{- range .Values.plugins.secrets }} +- name: kong-plugin-{{ .pluginName }} + secret: + secretName: {{ .name }} +{{- range .subdirectories }} +- name: {{ .name }} + secret: + secretName: {{ .name }} +{{- end }} +{{- end }} + +{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }} + {{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}} + {{- if gt $dblessSourceCount 1 -}} + {{- fail "Ambiguous configuration: only one of of .Values.dblessConfig.configMap, .Values.dblessConfig.secret, and .Values.dblessConfig.config can be set." -}} + {{- else if eq $dblessSourceCount 1 }} +- name: kong-custom-dbless-config-volume + {{- if .Values.dblessConfig.configMap }} + configMap: + name: {{ .Values.dblessConfig.configMap }} + {{- else if .Values.dblessConfig.secret }} + secret: + secretName: {{ .Values.dblessConfig.secret }} + {{- else }} + configMap: + name: {{ template "kong.dblessConfig.fullname" . }} + {{- end }} + {{- end }} +{{- end }} + +{{- if and .Values.ingressController.enabled .Values.ingressController.admissionWebhook.enabled }} +- name: webhook-cert + secret: + {{- if .Values.ingressController.admissionWebhook.certificate.provided }} + secretName: {{ .Values.ingressController.admissionWebhook.certificate.secretName }} + {{- else }} + secretName: {{ template "kong.fullname" . }}-validation-webhook-keypair + {{- end }} +{{- end }} +{{- if or $.Values.admin.tls.client.secretName $.Values.admin.tls.client.caBundle }} +- name: admin-client-ca + configMap: + name: {{ template "kong.fullname" . }}-admin-client-ca +{{- end -}} +{{- range $secretVolume := .Values.secretVolumes }} +- name: {{ . }} + secret: + secretName: {{ . }} +{{- end }} +{{- range .Values.extraConfigMaps }} +- name: {{ .name }} + configMap: + name: {{ .name }} +{{- end }} +{{- range .Values.extraSecrets }} +- name: {{ .name }} + secret: + secretName: {{ .name }} +{{- end }} +{{- if and .Values.ingressController.adminApi.tls.client.enabled .Values.ingressController.enabled }} +- name: admin-api-cert + secret: + secretName: {{ template "adminApiService.certSecretName" . }} +{{- end }} +{{- end -}} + +{{- define "controller.adminApiCertVolumeMount" -}} +{{- if and .Values.ingressController.adminApi.tls.client.enabled .Values.ingressController.enabled }} +- name: admin-api-cert + mountPath: /etc/secrets/admin-api-cert + readOnly: true +{{- end -}} +{{- end -}} + +{{- define "kong.userDefinedVolumeMounts" -}} +{{- if .userDefinedVolumeMounts }} +{{- toYaml .userDefinedVolumeMounts }} +{{- end }} +{{- end -}} + +{{- define "kong.volumeMounts" -}} +- name: {{ template "kong.fullname" . }}-prefix-dir + mountPath: /kong_prefix/ +- name: {{ template "kong.fullname" . }}-tmp + mountPath: /tmp +{{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}} +{{- if .Values.certificates.cluster.enabled }} +- name: {{ include "kong.fullname" . }}-cluster-cert + mountPath: /etc/cert-manager/cluster/ +{{- end }} +{{- if .Values.certificates.proxy.enabled }} +- name: {{ include "kong.fullname" . }}-proxy-cert + mountPath: /etc/cert-manager/proxy/ +{{- end }} +{{- if .Values.certificates.admin.enabled }} +- name: {{ include "kong.fullname" . }}-admin-cert + mountPath: /etc/cert-manager/admin/ +{{- end }} +{{- if .Values.enterprise.enabled }} +{{- if .Values.certificates.portal.enabled }} +- name: {{ include "kong.fullname" . }}-portal-cert + mountPath: /etc/cert-manager/portal/ +{{- end }} +{{- end }} +{{- end }} +{{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}} + {{- if eq $dblessSourceCount 1 -}} + {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }} +- name: kong-custom-dbless-config-volume + mountPath: /kong_dbless/ + {{- end }} + {{- end }} +{{- if or $.Values.admin.tls.client.caBundle $.Values.admin.tls.client.secretName }} +- name: admin-client-ca + mountPath: /etc/admin-client-ca/ + readOnly: true +{{- end -}} +{{- range .Values.secretVolumes }} +- name: {{ . }} + mountPath: /etc/secrets/{{ . }} +{{- end }} +{{- range .Values.plugins.configMaps }} +{{- $mountPath := printf "/opt/kong/plugins/%s" .pluginName }} +- name: kong-plugin-{{ .pluginName }} + mountPath: {{ $mountPath }} + readOnly: true +{{- range .subdirectories }} +- name: {{ .name }} + mountPath: {{ printf "%s/%s" $mountPath ( .path | default .name ) }} + readOnly: true +{{- end }} +{{- end }} +{{- range .Values.plugins.secrets }} +{{- $mountPath := printf "/opt/kong/plugins/%s" .pluginName }} +- name: kong-plugin-{{ .pluginName }} + mountPath: {{ $mountPath }} + readOnly: true +{{- range .subdirectories }} +- name: {{ .name }} + mountPath: {{ printf "%s/%s" $mountPath .path }} + readOnly: true +{{- end }} +{{- end }} + +{{- range .Values.extraConfigMaps }} +- name: {{ .name }} + mountPath: {{ .mountPath }} + + {{- if .subPath }} + subPath: {{ .subPath }} + {{- end }} +{{- end }} +{{- range .Values.extraSecrets }} +- name: {{ .name }} + mountPath: {{ .mountPath }} + + {{- if .subPath }} + subPath: {{ .subPath }} + {{- end }} +{{- end }} + +{{- end -}} + +{{- define "kong.plugins" -}} +{{ $myList := list "bundled" }} +{{- range .Values.plugins.configMaps -}} +{{- $myList = append $myList .pluginName -}} +{{- end -}} +{{- range .Values.plugins.secrets -}} + {{ $myList = append $myList .pluginName -}} +{{- end }} +{{- $myList | uniq | join "," -}} +{{- end -}} + +{{- define "kong.wait-for-db" -}} +- name: wait-for-db + image: {{ include "kong.getRepoTag" .Values.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: + {{ toYaml .Values.containerSecurityContext | nindent 4 }} + env: + {{- include "kong.env" . | nindent 2 }} + {{- include "kong.envFrom" .Values.envFrom | nindent 2 }} +{{/* TODO the prefix override is to work around https://github.com/Kong/charts/issues/295 + Note that we use args instead of command here to /not/ override the standard image entrypoint. */}} + args: [ "/bin/bash", "-c", "export KONG_NGINX_DAEMON=on KONG_PREFIX=`mktemp -d` KONG_KEYRING_ENABLED=off; until kong start; do echo 'waiting for db'; sleep 1; done; kong stop"] + volumeMounts: + {{- include "kong.volumeMounts" . | nindent 4 }} + {{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 4 }} + resources: + {{- toYaml .Values.resources | nindent 4 }} +{{- end -}} + +{{/* effectiveVersion takes an image dict from values.yaml. if .effectiveSemver is set, it returns that, else it returns .tag */}} +{{- define "kong.effectiveVersion" -}} +{{- /* Because Kong Gateway enterprise uses versions with 4 segments and not 3 */ -}} +{{- /* as semver does, we need to account for that here by extracting */ -}} +{{- /* first 3 segments for comparison */ -}} +{{- if .effectiveSemver -}} + {{- if regexMatch "^[0-9]+.[0-9]+.[0-9]+" .effectiveSemver -}} + {{- regexFind "^[0-9]+.[0-9]+.[0-9]+" .effectiveSemver -}} + {{- else -}} + {{- .effectiveSemver -}} + {{- end -}} +{{- else -}} + {{- $tag := (trimSuffix "-redhat" .tag) -}} + {{- if regexMatch "^[0-9]+.[0-9]+.[0-9]+" .tag -}} + {{- regexFind "^[0-9]+.[0-9]+.[0-9]+" .tag -}} + {{- else -}} + {{- .tag -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{- define "kong.controller-container" -}} +- name: ingress-controller + securityContext: +{{ toYaml .Values.containerSecurityContext | nindent 4 }} + args: + {{ if .Values.ingressController.args}} + {{- range $val := .Values.ingressController.args }} + - {{ $val }} + {{- end }} + {{- end }} + ports: + {{- if .Values.ingressController.admissionWebhook.enabled }} + - name: webhook + containerPort: {{ .Values.ingressController.admissionWebhook.port }} + protocol: TCP + {{- end }} + {{ if (semverCompare ">= 2.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) -}} + - name: cmetrics + containerPort: 10255 + protocol: TCP + {{- end }} + - name: cstatus + containerPort: 10254 + protocol: TCP + env: + - name: POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace +{{- include "kong.ingressController.env" . | indent 2 }} +{{ include "kong.envFrom" .Values.ingressController.envFrom | indent 2 }} + image: {{ include "kong.getRepoTag" .Values.ingressController.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} +{{/* disableReadiness is a hidden setting to drop this block entirely for use with a debugger + Helm value interpretation doesn't let you replace the default HTTP checks with any other + check type, and all HTTP checks freeze when a debugger pauses operation. + Setting disableReadiness to ANY value disables the probes. +*/}} +{{- if (not (hasKey .Values.ingressController "disableProbes")) }} + readinessProbe: +{{ toYaml .Values.ingressController.readinessProbe | indent 4 }} + livenessProbe: +{{ toYaml .Values.ingressController.livenessProbe | indent 4 }} +{{- end }} + resources: +{{ toYaml .Values.ingressController.resources | indent 4 }} + volumeMounts: +{{- if .Values.ingressController.admissionWebhook.enabled }} + - name: webhook-cert + mountPath: /admission-webhook + readOnly: true +{{- end }} +{{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }} + - name: {{ template "kong.serviceAccountTokenName" . }} + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + readOnly: true +{{- end }} + {{- include "kong.userDefinedVolumeMounts" .Values.ingressController | nindent 2 }} + {{- include "controller.adminApiCertVolumeMount" . | nindent 2 }} +{{- end -}} + +{{- define "secretkeyref" -}} +valueFrom: + secretKeyRef: + name: {{ .name }} + key: {{ .key }} +{{- end -}} + +{{/* +Use the Pod security context defined in Values or set the UID by default +*/}} +{{- define "kong.podsecuritycontext" -}} +{{ .Values.securityContext | toYaml }} +{{- end -}} + +{{- define "kong.no_daemon_env" -}} +{{- template "kong.env" . }} +- name: KONG_NGINX_DAEMON + value: "off" +{{- end -}} + +{{/* +The environment values passed to Kong; this should come after all +the template that it itself is using form the above sections. +*/}} +{{- define "kong.env" -}} +{{/* + ====== AUTO-GENERATED ENVIRONMENT VARIABLES ====== +*/}} +{{- $autoEnv := dict -}} + +{{- $_ := set $autoEnv "KONG_LUA_PACKAGE_PATH" "/opt/?.lua;/opt/?/init.lua;;" -}} + +{{- $_ := set $autoEnv "KONG_PROXY_ACCESS_LOG" "/dev/stdout" -}} +{{- $_ := set $autoEnv "KONG_PROXY_STREAM_ACCESS_LOG" "/dev/stdout basic" -}} +{{- $_ := set $autoEnv "KONG_ADMIN_ACCESS_LOG" "/dev/stdout" -}} +{{- $_ := set $autoEnv "KONG_STATUS_ACCESS_LOG" "off" -}} +{{- $_ := set $autoEnv "KONG_PROXY_ERROR_LOG" "/dev/stderr" -}} +{{- $_ := set $autoEnv "KONG_PROXY_STREAM_ERROR_LOG" "/dev/stderr" -}} +{{- $_ := set $autoEnv "KONG_ADMIN_ERROR_LOG" "/dev/stderr" -}} +{{- $_ := set $autoEnv "KONG_STATUS_ERROR_LOG" "/dev/stderr" -}} + +{{- if .Values.ingressController.enabled -}} + {{- $_ := set $autoEnv "KONG_KIC" "on" -}} +{{- end -}} + +{{- with .Values.admin -}} + {{- $listenConfig := dict -}} + {{- $listenConfig := merge $listenConfig . -}} + {{- if (and (not (hasKey . "addresses")) (not .enabled)) -}} + {{- $_ := set $listenConfig "addresses" (list "127.0.0.1" "[::1]") -}} + {{- end -}} + {{- $_ := set $autoEnv "KONG_ADMIN_LISTEN" (include "kong.listen" $listenConfig) -}} + + {{- if or .tls.client.secretName .tls.client.caBundle -}} + {{- $_ := set $autoEnv "KONG_NGINX_ADMIN_SSL_VERIFY_CLIENT" "on" -}} + {{- $_ := set $autoEnv "KONG_NGINX_ADMIN_SSL_CLIENT_CERTIFICATE" "/etc/admin-client-ca/tls.crt" -}} + {{- end -}} + +{{- end -}} + +{{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}} + {{- if (and .Values.certificates.cluster.enabled .Values.cluster.enabled) -}} + {{- $_ := set $autoEnv "KONG_CLUSTER_MTLS" "pki" -}} + {{- $_ := set $autoEnv "KONG_CLUSTER_SERVER_NAME" .Values.certificates.cluster.commonName -}} + {{- $_ := set $autoEnv "KONG_CLUSTER_CA_CERT" "/etc/cert-manager/cluster/ca.crt" -}} + {{- $_ := set $autoEnv "KONG_CLUSTER_CERT" "/etc/cert-manager/cluster/tls.crt" -}} + {{- $_ := set $autoEnv "KONG_CLUSTER_CERT_KEY" "/etc/cert-manager/cluster/tls.key" -}} + {{- end -}} + + {{- if .Values.certificates.proxy.enabled -}} + {{- $_ := set $autoEnv "KONG_SSL_CERT" "/etc/cert-manager/proxy/tls.crt" -}} + {{- $_ := set $autoEnv "KONG_SSL_CERT_KEY" "/etc/cert-manager/proxy/tls.key" -}} + {{- end -}} + + {{- if .Values.certificates.admin.enabled -}} + {{- $_ := set $autoEnv "KONG_ADMIN_SSL_CERT" "/etc/cert-manager/admin/tls.crt" -}} + {{- $_ := set $autoEnv "KONG_ADMIN_SSL_CERT_KEY" "/etc/cert-manager/admin/tls.key" -}} + {{- if .Values.enterprise.enabled }} + {{- $_ := set $autoEnv "KONG_ADMIN_GUI_SSL_CERT" "/etc/cert-manager/admin/tls.crt" -}} + {{- $_ := set $autoEnv "KONG_ADMIN_GUI_SSL_CERT_KEY" "/etc/cert-manager/admin/tls.key" -}} + {{- end -}} + {{- end -}} + + {{- if .Values.enterprise.enabled }} + {{- if .Values.certificates.portal.enabled -}} + {{- $_ := set $autoEnv "KONG_PORTAL_API_SSL_CERT" "/etc/cert-manager/portal/tls.crt" -}} + {{- $_ := set $autoEnv "KONG_PORTAL_API_SSL_CERT_KEY" "/etc/cert-manager/portal/tls.key" -}} + {{- $_ := set $autoEnv "KONG_PORTAL_GUI_SSL_CERT" "/etc/cert-manager/portal/tls.crt" -}} + {{- $_ := set $autoEnv "KONG_PORTAL_GUI_SSL_CERT_KEY" "/etc/cert-manager/portal/tls.key" -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- if .Values.admin.ingress.enabled }} + {{- $_ := set $autoEnv "KONG_ADMIN_GUI_API_URL" (include "kong.ingress.serviceUrl" .Values.admin.ingress) -}} + {{- $_ := set $autoEnv "KONG_ADMIN_API_URI" (include "kong.ingress.serviceUrl" .Values.admin.ingress) -}} +{{- end -}} + +{{- $_ := set $autoEnv "KONG_PROXY_LISTEN" (include "kong.listen" .Values.proxy) -}} + +{{- $streamStrings := list -}} +{{- if .Values.proxy.enabled -}} + {{- $tcpStreamString := (include "kong.streamListen" .Values.proxy) -}} + {{- if (not (eq $tcpStreamString "")) -}} + {{- $streamStrings = (append $streamStrings $tcpStreamString) -}} + {{- end -}} +{{- end -}} +{{- if .Values.udpProxy.enabled -}} + {{- $udpStreamString := (include "kong.streamListen" .Values.udpProxy) -}} + {{- if (not (eq $udpStreamString "")) -}} + {{- $streamStrings = (append $streamStrings $udpStreamString) -}} + {{- end -}} +{{- end -}} +{{- $streamString := $streamStrings | join ", " -}} +{{- if (eq (len $streamString) 0) -}} + {{- $streamString = "off" -}} +{{- end -}} +{{- $_ := set $autoEnv "KONG_STREAM_LISTEN" $streamString -}} + +{{- $_ := set $autoEnv "KONG_STATUS_LISTEN" (include "kong.listen" .Values.status) -}} + +{{- if .Values.proxy.enabled -}} + {{- $_ := set $autoEnv "KONG_PORT_MAPS" (include "kong.port_maps" .Values.proxy) -}} +{{- end -}} + +{{- $_ := set $autoEnv "KONG_CLUSTER_LISTEN" (include "kong.listen" .Values.cluster) -}} + +{{- if .Values.enterprise.enabled }} + {{- $_ := set $autoEnv "KONG_PORTAL_API_ACCESS_LOG" "/dev/stdout" -}} + {{- $_ := set $autoEnv "KONG_PORTAL_GUI_ACCESS_LOG" "/dev/stdout" -}} + {{- $_ := set $autoEnv "KONG_ADMIN_GUI_ACCESS_LOG" "/dev/stdout" -}} + {{- $_ := set $autoEnv "KONG_PORTAL_API_ERROR_LOG" "/dev/stderr" -}} + {{- $_ := set $autoEnv "KONG_PORTAL_GUI_ERROR_LOG" "/dev/stderr" -}} + {{- $_ := set $autoEnv "KONG_ADMIN_GUI_ERROR_LOG" "/dev/stderr" -}} + + {{- $_ := set $autoEnv "KONG_ADMIN_GUI_LISTEN" (include "kong.listen" .Values.manager) -}} + {{- if .Values.manager.ingress.enabled }} + {{- $_ := set $autoEnv "KONG_ADMIN_GUI_URL" (include "kong.ingress.serviceUrl" .Values.manager.ingress) -}} + {{- end -}} + + {{- if not .Values.enterprise.vitals.enabled }} + {{- $_ := set $autoEnv "KONG_VITALS" "off" -}} + {{- end }} + {{- $_ := set $autoEnv "KONG_CLUSTER_TELEMETRY_LISTEN" (include "kong.listen" .Values.clustertelemetry) -}} + + {{- if .Values.enterprise.portal.enabled }} + {{- $_ := set $autoEnv "KONG_PORTAL" "on" -}} + {{- $_ := set $autoEnv "KONG_PORTAL_GUI_LISTEN" (include "kong.listen" .Values.portal) -}} + {{- $_ := set $autoEnv "KONG_PORTAL_API_LISTEN" (include "kong.listen" .Values.portalapi) -}} + + {{- if .Values.portal.ingress.enabled }} + {{- $_ := set $autoEnv "KONG_PORTAL_GUI_HOST" .Values.portal.ingress.hostname -}} + {{- if .Values.portal.ingress.tls }} + {{- $_ := set $autoEnv "KONG_PORTAL_GUI_PROTOCOL" "https" -}} + {{- else }} + {{- $_ := set $autoEnv "KONG_PORTAL_GUI_PROTOCOL" "http" -}} + {{- end }} + {{- end }} + + {{- if .Values.portalapi.ingress.enabled }} + {{- $_ := set $autoEnv "KONG_PORTAL_API_URL" (include "kong.ingress.serviceUrl" .Values.portalapi.ingress) -}} + {{- end }} + {{- end }} + + {{- if .Values.enterprise.rbac.enabled }} + {{- $_ := set $autoEnv "KONG_ENFORCE_RBAC" "on" -}} + {{- $_ := set $autoEnv "KONG_ADMIN_GUI_AUTH" .Values.enterprise.rbac.admin_gui_auth | default "basic-auth" -}} + + {{- if not (eq .Values.enterprise.rbac.admin_gui_auth "basic-auth") }} + {{- $guiAuthConf := include "secretkeyref" (dict "name" .Values.enterprise.rbac.admin_gui_auth_conf_secret "key" "admin_gui_auth_conf") -}} + {{- $_ := set $autoEnv "KONG_ADMIN_GUI_AUTH_CONF" $guiAuthConf -}} + {{- end }} + + {{/* + KONG_ADMIN_GUI_SESSION_CONF is required for Kong versions <3.6.0. + For >=3.6.0, when openid-connect is used as the admin_gui_auth, the session_conf_secret is not required. + https://docs.konghq.com/gateway/3.6.x/kong-manager/auth/oidc/migrate/ + */}} + {{- if or (not (eq .Values.enterprise.rbac.admin_gui_auth "openid-connect")) + (semverCompare "< 3.6.0" (include "kong.effectiveVersion" .Values.image)) + -}} + {{- $guiSessionConf := include "secretkeyref" (dict "name" .Values.enterprise.rbac.session_conf_secret "key" "admin_gui_session_conf") -}} + {{- $_ := set $autoEnv "KONG_ADMIN_GUI_SESSION_CONF" $guiSessionConf -}} + {{- end }} + {{- end }} + + {{- if .Values.enterprise.smtp.enabled }} + {{- $_ := set $autoEnv "KONG_SMTP_MOCK" "off" -}} + {{- $_ := set $autoEnv "KONG_PORTAL_EMAILS_FROM" .Values.enterprise.smtp.portal_emails_from -}} + {{- $_ := set $autoEnv "KONG_PORTAL_EMAILS_REPLY_TO" .Values.enterprise.smtp.portal_emails_reply_to -}} + {{- $_ := set $autoEnv "KONG_ADMIN_EMAILS_FROM" .Values.enterprise.smtp.admin_emails_from -}} + {{- $_ := set $autoEnv "KONG_ADMIN_EMAILS_REPLY_TO" .Values.enterprise.smtp.admin_emails_reply_to -}} + {{- $_ := set $autoEnv "KONG_SMTP_ADMIN_EMAILS" .Values.enterprise.smtp.smtp_admin_emails -}} + {{- $_ := set $autoEnv "KONG_SMTP_HOST" .Values.enterprise.smtp.smtp_host -}} + {{- $_ := set $autoEnv "KONG_SMTP_AUTH_TYPE" .Values.enterprise.smtp.smtp_auth_type -}} + {{- $_ := set $autoEnv "KONG_SMTP_SSL" .Values.enterprise.smtp.smtp_ssl -}} + {{- $_ := set $autoEnv "KONG_SMTP_PORT" .Values.enterprise.smtp.smtp_port -}} + {{- $_ := set $autoEnv "KONG_SMTP_STARTTLS" (quote .Values.enterprise.smtp.smtp_starttls) -}} + {{- if .Values.enterprise.smtp.auth.smtp_username }} + {{- $_ := set $autoEnv "KONG_SMTP_USERNAME" .Values.enterprise.smtp.auth.smtp_username -}} + {{- $smtpPassword := include "secretkeyref" (dict "name" .Values.enterprise.smtp.auth.smtp_password_secret "key" "smtp_password") -}} + {{- $_ := set $autoEnv "KONG_SMTP_PASSWORD" $smtpPassword -}} + {{- end }} + {{- else }} + {{- $_ := set $autoEnv "KONG_SMTP_MOCK" "on" -}} + {{- end }} + + {{- if .Values.enterprise.license_secret -}} + {{- $lic := include "secretkeyref" (dict "name" .Values.enterprise.license_secret "key" "license") -}} + {{- $_ := set $autoEnv "KONG_LICENSE_DATA" $lic -}} + {{- end }} + +{{- end }} {{/* End of the Enterprise settings block */}} + +{{- if .Values.postgresql.enabled }} + {{- $_ := set $autoEnv "KONG_PG_HOST" (include "kong.postgresql.fullname" .) -}} + {{- $_ := set $autoEnv "KONG_PG_PORT" .Values.postgresql.service.ports.postgresql -}} + {{- $pgPassword := include "secretkeyref" (dict "name" (include "kong.postgresql.fullname" .) "key" "password") -}} + + {{- $_ := set $autoEnv "KONG_PG_PASSWORD" $pgPassword -}} +{{- else if eq .Values.env.database "postgres" }} + {{- $_ := set $autoEnv "KONG_PG_PORT" "5432" }} +{{- end }} + +{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }} +{{- $dblessSourceCount := (add (.Values.dblessConfig.configMap | len | min 1) (.Values.dblessConfig.secret | len | min 1) (.Values.dblessConfig.config | len | min 1)) -}} +{{- if eq $dblessSourceCount 1 -}} + {{- $_ := set $autoEnv "KONG_DECLARATIVE_CONFIG" "/kong_dbless/kong.yml" -}} +{{- end }} +{{- end }} + +{{- if (.Values.plugins) }} +{{- $_ := set $autoEnv "KONG_PLUGINS" (include "kong.plugins" .) -}} +{{- end }} + +{{/* + ====== USER-SET ENVIRONMENT VARIABLES ====== +*/}} + +{{- $userEnv := dict -}} +{{- range $key, $val := .Values.env }} + {{- if (contains "_log" $key) -}} + {{- if (eq (typeOf $val) "bool") -}} + {{- fail (printf "env.%s must use string 'off' to disable. Without quotes, YAML will coerce the value to a boolean and Kong will reject it" $key) -}} + {{- end -}} + {{- end -}} + {{- $upper := upper $key -}} + {{- $var := printf "KONG_%s" $upper -}} + {{- $_ := set $userEnv $var $val -}} +{{- end -}} + +{{/* + ====== CUSTOM-SET ENVIRONMENT VARIABLES ====== +*/}} + +{{- $customEnv := dict -}} +{{- range $key, $val := .Values.customEnv }} + {{- $upper := upper $key -}} + {{- $_ := set $customEnv $upper $val -}} +{{- end -}} + +{{/* + ====== MERGE AND RENDER ENV BLOCK ====== +*/}} + +{{- $completeEnv := mergeOverwrite $autoEnv $userEnv $customEnv -}} +{{- template "kong.renderEnv" $completeEnv -}} + +{{- end -}} + +{{/* +Given a dictionary of variable=value pairs, render a container env block. +Environment variables are sorted alphabetically +*/}} +{{- define "kong.renderEnv" -}} + +{{- $dict := . -}} + +{{- range keys . | sortAlpha }} +{{- $val := pluck . $dict | first -}} +{{- $valueType := printf "%T" $val -}} +{{ if eq $valueType "map[string]interface {}" }} +- name: {{ . }} +{{ toYaml $val | indent 2 -}} +{{- else if eq $valueType "string" }} +{{- if regexMatch "valueFrom" $val }} +- name: {{ . }} +{{ $val | indent 2 }} +{{- else }} +- name: {{ . }} + value: {{ $val | quote }} +{{- end }} +{{- else }} +- name: {{ . }} + value: {{ $val | quote }} +{{- end }} +{{- end -}} + +{{- end -}} + +{{- define "kong.wait-for-postgres" -}} +- name: wait-for-postgres +{{- if (or .Values.waitImage.unifiedRepoTag .Values.waitImage.repository) }} + image: {{ include "kong.getRepoTag" .Values.waitImage }} +{{- else }} {{/* default to the Kong image */}} + image: {{ include "kong.getRepoTag" .Values.image }} +{{- end }} + imagePullPolicy: {{ .Values.waitImage.pullPolicy }} + env: + {{- include "kong.no_daemon_env" . | nindent 2 }} + {{- include "kong.envFrom" .Values.envFrom | nindent 2 }} + command: [ "bash", "/wait_postgres/wait.sh" ] + volumeMounts: + - name: {{ template "kong.fullname" . }}-bash-wait-for-postgres + mountPath: /wait_postgres + resources: + {{- toYaml .Values.migrations.resources | nindent 4 }} +{{- end -}} + +{{- define "kong.deprecation-warnings" -}} + {{- $warnings := list -}} + {{- range $warning := . }} + {{- $warnings = append $warnings (wrap 80 (printf "WARNING: %s" $warning)) -}} + {{- $warnings = append $warnings "\n\n" -}} + {{- end -}} + {{- $warningString := ($warnings | join "") -}} + {{- $warningString -}} +{{- end -}} + +{{- define "kong.getRepoTag" -}} +{{- if .unifiedRepoTag }} +{{- .unifiedRepoTag }} +{{- else if .repository }} +{{- .repository }}:{{ .tag }} +{{- end -}} +{{- end -}} + +{{/* +kong.kubernetesRBACRoles outputs a static list of RBAC rules (the "rules" block +of a Role or ClusterRole) that provide the ingress controller access to the +Kubernetes namespace-scoped resources it uses to build Kong configuration. + +Collectively, these are built from: +kubectl kustomize github.com/kong/kubernetes-ingress-controller/config/rbac?ref=main +kubectl kustomize github.com/kong/kubernetes-ingress-controller/config/rbac/gateway?ref=main + +However, there is no way to generate the split between cluster and namespaced +role sets used in the charts. Updating these requires separating out cluster +resource roles into their separate templates. +*/}} +{{- define "kong.kubernetesRBACRules" -}} +{{- if (semverCompare ">= 3.2.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} +- apiGroups: + - configuration.konghq.com + resources: + - kongcustomentities + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongcustomentities/status + verbs: + - get + - patch + - update +{{- end }} +{{- if and (semverCompare ">= 3.1.0" (include "kong.effectiveVersion" .Values.ingressController.image)) + (contains (print .Values.ingressController.env.feature_gates) "KongServiceFacade=true") }} +- apiGroups: + - incubator.ingress-controller.konghq.com + resources: + - kongservicefacades + verbs: + - get + - list + - watch +- apiGroups: + - incubator.ingress-controller.konghq.com + resources: + - kongservicefacades/status + verbs: + - get + - patch + - update +{{- end }} +{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} +- apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongupstreampolicies/status + verbs: + - get + - patch + - update +{{- end }} +{{- if (semverCompare ">= 2.11.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} +- apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongconsumergroups/status + verbs: + - get + - patch + - update +{{- end }} +{{- if (semverCompare "< 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} +- apiGroups: + - "" + resources: + - endpoints + verbs: + - list + - watch +{{- end }} +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - "" + resources: + - nodes + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - secrets + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - ingressclassparameterses + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongconsumers + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongconsumers/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongingresses + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - kongplugins + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongplugins/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - tcpingresses + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - tcpingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - configuration.konghq.com + resources: + - udpingresses + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - udpingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - extensions + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - extensions + resources: + - ingresses/status + verbs: + - get + - patch + - update +{{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1")}} +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways + verbs: + - get + - list + - update + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gateways/status + verbs: + - get + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/status + verbs: + - get + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencegrants + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - referencegrants/status + verbs: + - get +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - tcproutes/status + verbs: + - get + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - tlsroutes + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - tlsroutes/status + verbs: + - get + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - udproutes + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - udproutes/status + verbs: + - get + - update +- apiGroups: + - gateway.networking.k8s.io + resources: + - grpcroutes + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - grpcroutes/status + verbs: + - get + - patch + - update +{{- end }} +{{- if (.Capabilities.APIVersions.Has "networking.internal.knative.dev/v1alpha1") }} +- apiGroups: + - networking.internal.knative.dev + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.internal.knative.dev + resources: + - ingresses/status + verbs: + - get + - patch + - update +{{- end }} +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - get + - patch + - update +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +{{- end -}} + +{{/* +kong.kubernetesRBACClusterRoles outputs a static list of RBAC rules (the "rules" block +of a Role or ClusterRole) that provide the ingress controller access to the +Kubernetes Cluster-scoped resources it uses to build Kong configuration. +*/}} +{{- define "kong.kubernetesRBACClusterRules" -}} +{{- if (semverCompare ">= 3.1.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} +- apiGroups: + - configuration.konghq.com + resources: + - konglicenses + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - konglicenses/status + verbs: + - get + - patch + - update +{{- end -}} +{{- if (semverCompare ">= 3.1.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} +- apiGroups: + - configuration.konghq.com + resources: + - kongvaults + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongvaults/status + verbs: + - get + - patch + - update +{{- end }} +- apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins + verbs: + - get + - list + - watch +- apiGroups: + - configuration.konghq.com + resources: + - kongclusterplugins/status + verbs: + - get + - patch + - update +{{- if (semverCompare ">= 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch +{{- end }} +{{- if or (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1alpha2") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1beta1") (.Capabilities.APIVersions.Has "gateway.networking.k8s.io/v1")}} +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses + verbs: + - get + - list + - watch +- apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + verbs: + - get + - update +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch +{{- end }} +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +{{- end -}} + +{{- define "kong.autoscalingVersion" -}} +{{- if (.Capabilities.APIVersions.Has "autoscaling/v2") -}} +autoscaling/v2 +{{- else if (.Capabilities.APIVersions.Has "autoscaling/v2beta2") -}} +autoscaling/v2beta2 +{{- else -}} +autoscaling/v1 +{{- end -}} +{{- end -}} + +{{- define "kong.policyVersion" -}} +{{- if (.Capabilities.APIVersions.Has "policy/v1beta1" ) -}} +policy/v1beta1 +{{- else -}} +{{- fail (printf "Cluster doesn't have policy/v1beta1 API." ) }} +{{- end -}} +{{- end -}} + +{{- define "kong.renderTpl" -}} + {{- if typeIs "string" .value }} +{{- tpl .value .context }} + {{- else }} +{{- tpl (.value | toYaml) .context }} + {{- end }} +{{- end -}} + +{{- define "kong.ingressVersion" -}} +{{- if (.Capabilities.APIVersions.Has "networking.k8s.io/v1") -}} +networking.k8s.io/v1 +{{- else if (.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1") -}} +networking.k8s.io/v1beta1 +{{- else -}} +extensions/v1beta1 +{{- end -}} +{{- end -}} + +{{- define "kong.proxy.compatibleReadiness" -}} +{{- $proxyReadiness := .Values.readinessProbe -}} +{{- if (or (semverCompare "< 3.3.0" (include "kong.effectiveVersion" .Values.image)) (and .Values.ingressController.enabled (semverCompare "< 2.11.0" (include "kong.effectiveVersion" .Values.ingressController.image)))) -}} + {{- if (eq $proxyReadiness.httpGet.path "/status/ready") -}} + {{- $_ := set $proxyReadiness.httpGet "path" "/status" -}} + {{- end -}} +{{- end -}} +{{- (toYaml $proxyReadiness) -}} +{{- end -}} + +{{- define "kong.envFrom" -}} + {{- if (gt (len .) 0) -}} +envFrom: +{{- toYaml . | nindent 2 -}} + {{- else -}} + {{- end -}} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/templates/admission-webhook.yaml b/charts/kong/kong/2.41.0/templates/admission-webhook.yaml new file mode 100644 index 000000000..1f121eff0 --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/admission-webhook.yaml @@ -0,0 +1,256 @@ +{{- if (and .Values.ingressController.admissionWebhook.enabled .Values.ingressController.enabled) }} +{{- $certCert := "" -}} +{{- $certKey := "" -}} +{{- $caCert := "" -}} +{{- $caKey := "" -}} +{{- if not .Values.ingressController.admissionWebhook.certificate.provided }} +{{- $cn := printf "%s.%s.svc" ( include "kong.service.validationWebhook" . ) ( include "kong.namespace" . ) -}} +{{- $ca := genCA "kong-admission-ca" 3650 -}} +{{- $cert := genSignedCert $cn nil (list $cn) 3650 $ca -}} +{{- $certCert = $cert.Cert -}} +{{- $certKey = $cert.Key -}} +{{- $caCert = $ca.Cert -}} +{{- $caKey = $ca.Key -}} + +{{- $caSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (printf "%s-validation-webhook-ca-keypair" (include "kong.fullname" .))) -}} +{{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (printf "%s-validation-webhook-keypair" (include "kong.fullname" .))) -}} +{{- if $certSecret }} +{{- $certCert = (b64dec (get $certSecret.data "tls.crt")) -}} +{{- $certKey = (b64dec (get $certSecret.data "tls.key")) -}} +{{- end }} +{{- if $caSecret }} +{{- $caCert = (b64dec (get $caSecret.data "tls.crt")) -}} +{{- $caKey = (b64dec (get $caSecret.data "tls.key")) -}} +{{- end }} +{{- end }} +kind: ValidatingWebhookConfiguration +{{- if .Capabilities.APIVersions.Has "admissionregistration.k8s.io/v1" }} +apiVersion: admissionregistration.k8s.io/v1 +{{- else }} +apiVersion: admissionregistration.k8s.io/v1beta1 +{{- end }} +metadata: + name: {{ template "kong.fullname" . }}-validations + namespace: {{ template "kong.namespace" . }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} + {{- if .Values.ingressController.admissionWebhook.annotations }} + annotations: + {{- range $key, $value := .Values.ingressController.admissionWebhook.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + {{- if not .Values.ingressController.admissionWebhook.certificate.provided }} + caBundle: {{ b64enc $caCert }} + {{- else }} + {{- if .Values.ingressController.admissionWebhook.certificate.caBundle }} + caBundle: {{ b64enc .Values.ingressController.admissionWebhook.certificate.caBundle }} + {{- end }} + {{- end }} + service: + name: {{ template "kong.service.validationWebhook" . }} + namespace: {{ template "kong.namespace" . }} + failurePolicy: {{ .Values.ingressController.admissionWebhook.failurePolicy }} + matchPolicy: Equivalent + name: secrets.credentials.validation.ingress-controller.konghq.com + {{- with .Values.ingressController.admissionWebhook.namespaceSelector }} + namespaceSelector: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.ingressController.admissionWebhook.timeoutSeconds }} + timeoutSeconds: {{ . }} + {{- end }} + objectSelector: + matchExpressions: + - key: "konghq.com/credential" + operator: "Exists" + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + {{- if not .Values.ingressController.admissionWebhook.certificate.provided }} + caBundle: {{ b64enc $caCert }} + {{- else }} + {{- if .Values.ingressController.admissionWebhook.certificate.caBundle }} + caBundle: {{ b64enc .Values.ingressController.admissionWebhook.certificate.caBundle }} + {{- end }} + {{- end }} + service: + name: {{ template "kong.service.validationWebhook" . }} + namespace: {{ template "kong.namespace" . }} + failurePolicy: {{ .Values.ingressController.admissionWebhook.failurePolicy }} + matchPolicy: Equivalent + name: secrets.plugins.validation.ingress-controller.konghq.com + {{- with .Values.ingressController.admissionWebhook.namespaceSelector }} + namespaceSelector: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.ingressController.admissionWebhook.timeoutSeconds }} + timeoutSeconds: {{ . }} + {{- end }} + {{- if .Values.ingressController.admissionWebhook.filterSecrets }} + objectSelector: + matchExpressions: + - key: "konghq.com/validate" + operator: "Exists" + {{- else }} + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + {{- end }} + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - secrets + sideEffects: None +- name: validations.kong.konghq.com + {{- with .Values.ingressController.admissionWebhook.namespaceSelector }} + namespaceSelector: + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with .Values.ingressController.admissionWebhook.timeoutSeconds }} + timeoutSeconds: {{ . }} + {{- end }} + objectSelector: + matchExpressions: + - key: owner + operator: NotIn + values: + - helm + failurePolicy: {{ .Values.ingressController.admissionWebhook.failurePolicy }} + sideEffects: None + admissionReviewVersions: ["v1beta1"] + rules: + - apiGroups: + - configuration.konghq.com + apiVersions: + - '*' + operations: + - CREATE + - UPDATE + resources: + - kongconsumers + - kongplugins +{{- if (semverCompare ">= 2.0.4" (include "kong.effectiveVersion" .Values.ingressController.image)) }} + - kongclusterplugins +{{- end }} +{{- if (semverCompare ">= 2.8.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} + - kongingresses +{{- end }} +{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} + - apiGroups: + - '' + apiVersions: + - 'v1' + operations: + - CREATE + - UPDATE + resources: + - services +{{- end }} +{{- if (semverCompare ">= 2.12.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} + - apiGroups: + - networking.k8s.io + apiVersions: + - 'v1' + operations: + - CREATE + - UPDATE + resources: + - ingresses + - apiGroups: + - gateway.networking.k8s.io + apiVersions: + - 'v1alpha2' + - 'v1beta1' +{{- if (semverCompare ">= 3.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} + - 'v1' +{{- end }} + operations: + - CREATE + - UPDATE + resources: + - gateways + - httproutes +{{- end }} + clientConfig: + {{- if not .Values.ingressController.admissionWebhook.certificate.provided }} + caBundle: {{ b64enc $caCert }} + {{- else }} + {{- if .Values.ingressController.admissionWebhook.certificate.caBundle }} + caBundle: {{ b64enc .Values.ingressController.admissionWebhook.certificate.caBundle }} + {{- end }} + {{- end }} + service: + name: {{ template "kong.service.validationWebhook" . }} + namespace: {{ template "kong.namespace" . }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ template "kong.service.validationWebhook" . }} + namespace: {{ template "kong.namespace" . }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} + {{- if .Values.ingressController.admissionWebhook.service.labels }} + {{- toYaml .Values.ingressController.admissionWebhook.service.labels | nindent 4 }} + {{- end }} +spec: + ports: + - name: webhook + port: 443 + protocol: TCP + targetPort: webhook + selector: + {{- include "kong.metaLabels" . | nindent 4 }} + app.kubernetes.io/component: app +{{- if not .Values.ingressController.admissionWebhook.certificate.provided }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "kong.fullname" . }}-validation-webhook-ca-keypair + namespace: {{ template "kong.namespace" . }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ b64enc $caCert }} + tls.key: {{ b64enc $caKey }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "kong.fullname" . }}-validation-webhook-keypair + namespace: {{ template "kong.namespace" . }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ b64enc $certCert }} + tls.key: {{ b64enc $certKey }} +{{- end }} +{{- end }} diff --git a/charts/kong/kong/2.41.0/templates/certificate.yaml b/charts/kong/kong/2.41.0/templates/certificate.yaml new file mode 100644 index 000000000..a7079cd9f --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/certificate.yaml @@ -0,0 +1,89 @@ +{{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1" ) .Values.certificates.enabled -}} + +{{- $genericCertificateConfig := dict -}} +{{- $_ := set $genericCertificateConfig "fullName" (include "kong.fullname" .) -}} +{{- $_ := set $genericCertificateConfig "namespace" (include "kong.namespace" .) -}} +{{- $_ := set $genericCertificateConfig "metaLabels" (include "kong.metaLabels" .) -}} +{{- $_ := set $genericCertificateConfig "globalIssuer" .Values.certificates.issuer -}} +{{- $_ := set $genericCertificateConfig "globalClusterIssuer" .Values.certificates.clusterIssuer -}} +{{- $_ := set $genericCertificateConfig "globalSubject" .Values.certificates.subject -}} +{{- $_ := set $genericCertificateConfig "globalPrivateKey" .Values.certificates.privateKey -}} +{{- $_ := set $genericCertificateConfig "defaultIssuer" (printf "%s-%s-%s" .Release.Name .Chart.Name "selfsigned-issuer") -}} + +{{- if .Values.certificates.admin.enabled }} +{{- $certificateConfig := mustMerge (mustDeepCopy $genericCertificateConfig) .Values.certificates.admin -}} +{{- $_ := set $certificateConfig "serviceName" "admin" -}} +{{- include "kong.certificate" $certificateConfig -}} +{{- end }} + +{{- if (and .Values.certificates.portal.enabled .Values.enterprise.enabled) }} +{{- $certificateConfig := mustMerge (mustDeepCopy $genericCertificateConfig) .Values.certificates.portal -}} +{{- $_ := set $certificateConfig "serviceName" "portal" -}} +{{- include "kong.certificate" $certificateConfig -}} +{{- end }} + +{{- if .Values.certificates.proxy.enabled }} +{{- $certificateConfig := mustMerge (mustDeepCopy $genericCertificateConfig) .Values.certificates.proxy -}} +{{- $_ := set $certificateConfig "serviceName" "proxy" -}} +{{- include "kong.certificate" $certificateConfig -}} +{{- end }} + +{{- if .Values.certificates.cluster.enabled }} +{{- $certificateConfig := dict -}} +{{- $certificateConfig = mustMerge (mustDeepCopy $genericCertificateConfig) .Values.certificates.cluster -}} +{{- $_ := set $certificateConfig "serviceName" "cluster" -}} +{{- include "kong.certificate" $certificateConfig -}} +{{- end }} + +{{- end }} + +{{- define "kong.certificate" }} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ .fullName }}-{{ .serviceName }} + namespace: {{ .namespace }} + labels: + {{- .metaLabels | nindent 4 }} +spec: + secretName: {{ .fullName }}-{{ .serviceName }}-cert + commonName: {{ .commonName }} + dnsNames: + {{- range (append .dnsNames .commonName) }} + - {{ . | quote }} + {{- end }} + renewBefore: 360h0m0s + duration: 2160h0m0s + {{ if .subject -}} + subject: + {{- toYaml .subject | nindent 4 }} + {{ else if .globalSubject -}} + subject: + {{- toYaml .globalSubject | nindent 4 }} + {{- end }} + {{ if .privateKey -}} + privateKey: + {{- toYaml .privateKey | nindent 4 }} + {{ else if .globalPrivateKey -}} + privateKey: + {{- toYaml .globalPrivateKey | nindent 4 }} + {{- end }} + {{ if .clusterIssuer -}} + issuerRef: + name: {{ .clusterIssuer }} + kind: ClusterIssuer + {{ else if .issuer -}} + issuerRef: + name: {{ .issuer }} + kind: Issuer + {{ else if .globalClusterIssuer -}} + issuerRef: + name: {{ .globalClusterIssuer}} + kind: ClusterIssuer + {{ else if .globalIssuer -}} + issuerRef: + name: {{ .globalIssuer }} + kind: Issuer + {{- end -}} +{{- end }} diff --git a/charts/kong/kong/2.41.0/templates/config-dbless.yaml b/charts/kong/kong/2.41.0/templates/config-dbless.yaml new file mode 100644 index 000000000..5619b59a5 --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/config-dbless.yaml @@ -0,0 +1,17 @@ +{{- if .Values.deployment.kong.enabled }} +{{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off")) }} +{{- if not (or .Values.dblessConfig.configMap .Values.dblessConfig.secret) }} +{{- if .Values.dblessConfig.config }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "kong.dblessConfig.fullname" . }} + namespace: {{ template "kong.namespace" . }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} +data: + kong.yml: | {{- .Values.dblessConfig.config | nindent 4 }} +{{- end }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/kong/kong/2.41.0/templates/controller-rbac-resources.yaml b/charts/kong/kong/2.41.0/templates/controller-rbac-resources.yaml new file mode 100644 index 000000000..f5873f052 --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/controller-rbac-resources.yaml @@ -0,0 +1,170 @@ +{{- if and .Values.ingressController.rbac.create .Values.ingressController.enabled -}} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "kong.fullname" . }} + namespace: {{ template "kong.namespace" . }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} +rules: + - apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + # Defaults to "-" + # Here: "-" + # This has to be adapted if you change either parameter + # when launching the nginx-ingress-controller. + - "kong-ingress-controller-leader-{{ .Values.ingressController.ingressClass }}-{{ .Values.ingressController.ingressClass }}" + verbs: + - get + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create +{{- if (semverCompare "< 2.10.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} + - apiGroups: + - "" + resources: + - endpoints + verbs: + - get +{{- end }} + # Begin KIC 2.x leader permissions + - apiGroups: + - "" + - coordination.k8s.io + resources: + - configmaps + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "" + resources: + - services + verbs: + - get +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "kong.fullname" . }} + namespace: {{ template "kong.namespace" . }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "kong.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "kong.serviceAccountName" . }} + namespace: {{ template "kong.namespace" . }} +{{- if eq (len .Values.ingressController.watchNamespaces) 0 }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + {{- include "kong.metaLabels" . | nindent 4 }} + name: {{ template "kong.fullname" . }} +rules: +{{ include "kong.kubernetesRBACRules" . }} +{{ include "kong.kubernetesRBACClusterRules" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "kong.fullname" . }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "kong.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "kong.serviceAccountName" . }} + namespace: {{ template "kong.namespace" . }} +{{- else }} +{{- range .Values.ingressController.watchNamespaces }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + {{- include "kong.metaLabels" $ | nindent 4 }} + name: {{ template "kong.fullname" $ }}-{{ . }} + namespace: {{ . }} +rules: +{{ include "kong.kubernetesRBACRules" $ }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ template "kong.fullname" $ }}-{{ . }} + labels: + {{- include "kong.metaLabels" $ | nindent 4 }} + namespace: {{ . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "kong.fullname" $ }}-{{ . }} +subjects: + - kind: ServiceAccount + name: {{ template "kong.serviceAccountName" $ }} + namespace: {{ template "kong.namespace" $ }} +{{- end }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + {{- include "kong.metaLabels" . | nindent 4 }} + name: {{ template "kong.fullname" . }} +rules: +{{ include "kong.kubernetesRBACClusterRules" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "kong.fullname" . }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "kong.fullname" . }} +subjects: + - kind: ServiceAccount + name: {{ template "kong.serviceAccountName" . }} + namespace: {{ template "kong.namespace" . }} +{{- end -}} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/templates/custom-resource-definitions.yaml b/charts/kong/kong/2.41.0/templates/custom-resource-definitions.yaml new file mode 100644 index 000000000..5a6dda1a6 --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/custom-resource-definitions.yaml @@ -0,0 +1,34 @@ +{{- $installCRDs := false -}} +{{- if (hasKey .Values.ingressController "installCRDs") -}} + {{/* Explicitly set, honor whatever's set */}} + {{- $installCRDs = .Values.ingressController.installCRDs -}} +{{- else -}} + {{/* Legacy default handling. CRD installation is _not_ enabled, but CRDs are already present + and are managed by this release. This release previously relied on the <2.0 default + .Values.ingressController.installCRDs=true. The default change would delete CRDs on upgrade, + which would cascade delete all associated CRs. This unexpected loss of configuration is bad, + so this clause pretends the default didn't change if you have an existing release that relied + on it + */}} + {{- $kongPluginCRD := false -}} + {{- if .Capabilities.APIVersions.Has "apiextensions.k8s.io/v1/CustomResourceDefinition" -}} + {{- $kongPluginCRD = (lookup "apiextensions.k8s.io/v1" "CustomResourceDefinition" "" "kongplugins.configuration.konghq.com") -}} + {{- else -}} + {{/* TODO: remove the v1beta1 path when we no longer support k8s <1.16 */}} + {{- $kongPluginCRD = (lookup "apiextensions.k8s.io/v1beta1" "CustomResourceDefinition" "" "kongplugins.configuration.konghq.com") -}} + {{- end -}} + {{- if $kongPluginCRD -}} + {{- if (hasKey $kongPluginCRD.metadata "annotations") -}} + {{- if (eq .Release.Name (get $kongPluginCRD.metadata.annotations "meta.helm.sh/release-name")) -}} + {{- $installCRDs = true -}} + {{- end -}} + {{- end -}} + {{- end -}} +{{- end -}} + +{{- if $installCRDs -}} +{{- range $path, $bytes := .Files.Glob "crds/*.yaml" }} +{{ $.Files.Get $path }} +--- +{{- end }} +{{- end }} diff --git a/charts/kong/kong/2.41.0/templates/deployment.yaml b/charts/kong/kong/2.41.0/templates/deployment.yaml new file mode 100644 index 000000000..4f4fe902d --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/deployment.yaml @@ -0,0 +1,313 @@ +{{- if or .Values.deployment.kong.enabled .Values.ingressController.enabled }} +apiVersion: apps/v1 +{{- if .Values.deployment.daemonset }} +kind: DaemonSet +{{- else }} +kind: Deployment +{{- end }} +metadata: + name: {{ template "kong.fullname" . }} + namespace: {{ template "kong.namespace" . }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} + app.kubernetes.io/component: app + {{- if .Values.deploymentAnnotations }} + annotations: + {{- range $key, $value := .Values.deploymentAnnotations }} + {{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }} + {{- end }} + {{- end }} +spec: + {{- if not .Values.autoscaling.enabled }} + {{- if not .Values.deployment.daemonset }} + replicas: {{ .Values.replicaCount }} + {{- end }} + {{- end }} + {{- if .Values.deployment.revisionHistoryLimit }} + revisionHistoryLimit: {{ .Values.deployment.revisionHistoryLimit }} + {{- end }} + selector: + matchLabels: + {{- include "kong.selectorLabels" . | nindent 6 }} + {{- if .Values.updateStrategy }} + {{- if .Values.deployment.daemonset }} + updateStrategy: + {{- else }} + strategy: + {{- end }} +{{ toYaml .Values.updateStrategy | indent 4 }} + {{- end }} + {{- if .Values.deployment.minReadySeconds }} + minReadySeconds: {{ .Values.deployment.minReadySeconds }} + {{- end }} + + template: + metadata: + annotations: + {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }} + kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }} + {{- end }} + {{- if (and (not .Values.ingressController.enabled) (eq .Values.env.database "off" )) }} + {{- if .Values.dblessConfig.config }} + checksum/dbless.config: {{ toYaml .Values.dblessConfig.config | sha256sum }} + {{- end }} + {{- end }} + {{- if .Values.podAnnotations }} + {{- range $key, $value := .Values.podAnnotations }} + {{ $key }}: {{ include "kong.renderTpl" (dict "value" $value "context" $) | quote }} + {{- end }} + {{- end }} + labels: + {{- include "kong.metaLabels" . | nindent 8 }} + app.kubernetes.io/component: app + app: {{ template "kong.fullname" . }} + version: {{ .Chart.AppVersion | quote }} + {{- if .Values.podLabels }} + {{ include "kong.renderTpl" (dict "value" .Values.podLabels "context" $) | nindent 8 }} + {{- end }} + spec: + {{- if .Values.deployment.hostname }} + hostname: {{ .Values.deployment.hostname }} + {{- end }} + {{- if .Values.deployment.hostNetwork }} + hostNetwork: true + {{- end }} + {{- if .Values.priorityClassName }} + priorityClassName: "{{ .Values.priorityClassName }}" + {{- end }} + {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }} + serviceAccountName: {{ template "kong.serviceAccountName" . }} + {{- end }} + {{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }} + automountServiceAccountToken: true + {{- else }} + automountServiceAccountToken: false + {{ end }} + {{- if .Values.image.pullSecrets }} + imagePullSecrets: + {{- range .Values.image.pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + {{- if .Values.deployment.kong.enabled }} + initContainers: + - name: clear-stale-pid + image: {{ include "kong.getRepoTag" .Values.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: + {{ toYaml .Values.containerSecurityContext | nindent 10 }} + resources: +{{ toYaml .Values.resources | indent 10 }} + command: + - "rm" + - "-vrf" + - "$KONG_PREFIX/pids" + env: + {{- include "kong.env" . | nindent 8 }} + {{- include "kong.envFrom" .Values.envFrom | nindent 8 }} + volumeMounts: + {{- include "kong.volumeMounts" . | nindent 8 }} + {{- if .Values.deployment.initContainers }} + {{- toYaml .Values.deployment.initContainers | nindent 6 }} + {{- end }} + {{- if (and (not (eq .Values.env.database "off")) .Values.waitImage.enabled) }} + {{- include "kong.wait-for-db" . | nindent 6 }} + {{- end }} + {{- end }} + {{- if .Values.deployment.hostAliases }} + hostAliases: + {{- toYaml .Values.deployment.hostAliases | nindent 6 }} + {{- end}} + {{- if .Values.dnsPolicy }} + dnsPolicy: {{ .Values.dnsPolicy | quote }} + {{- end }} + {{- if .Values.dnsConfig }} + dnsConfig: +{{ toYaml .Values.dnsConfig | indent 8 }} + {{- end }} + containers: + {{- if .Values.ingressController.enabled }} + {{- include "kong.controller-container" . | nindent 6 }} + {{ end }} + {{- if .Values.deployment.sidecarContainers }} + {{- toYaml .Values.deployment.sidecarContainers | nindent 6 }} + {{- end }} + {{- if .Values.deployment.kong.enabled }} + - name: "proxy" + image: {{ include "kong.getRepoTag" .Values.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: + {{ toYaml .Values.containerSecurityContext | nindent 10 }} + env: + {{- include "kong.no_daemon_env" . | nindent 8 }} + {{- include "kong.envFrom" .Values.envFrom | nindent 8 }} + lifecycle: + {{- toYaml .Values.lifecycle | nindent 10 }} + ports: + {{- if (and .Values.admin.http.enabled .Values.admin.enabled) }} + - name: admin + containerPort: {{ .Values.admin.http.containerPort }} + {{- if .Values.admin.http.hostPort }} + hostPort: {{ .Values.admin.http.hostPort }} + {{- end}} + protocol: TCP + {{- end }} + {{- if (and .Values.admin.tls.enabled .Values.admin.enabled) }} + - name: admin-tls + containerPort: {{ .Values.admin.tls.containerPort }} + {{- if .Values.admin.tls.hostPort }} + hostPort: {{ .Values.admin.tls.hostPort }} + {{- end}} + protocol: TCP + {{- end }} + {{- if (and .Values.proxy.http.enabled .Values.proxy.enabled) }} + - name: proxy + containerPort: {{ .Values.proxy.http.containerPort }} + {{- if .Values.proxy.http.hostPort }} + hostPort: {{ .Values.proxy.http.hostPort }} + {{- end}} + protocol: TCP + {{- end }} + {{- if (and .Values.proxy.tls.enabled .Values.proxy.enabled)}} + - name: proxy-tls + containerPort: {{ .Values.proxy.tls.containerPort }} + {{- if .Values.proxy.tls.hostPort }} + hostPort: {{ .Values.proxy.tls.hostPort }} + {{- end}} + protocol: TCP + {{- end }} + {{- range .Values.proxy.stream }} + - name: stream{{ if (eq (default "TCP" .protocol) "UDP") }}udp{{ end }}-{{ .containerPort }} + containerPort: {{ .containerPort }} + {{- if .hostPort }} + hostPort: {{ .hostPort }} + {{- end}} + protocol: {{ .protocol }} + {{- end }} + {{- range .Values.udpProxy.stream }} + - name: streamudp-{{ .containerPort }} + containerPort: {{ .containerPort }} + {{- if .hostPort }} + hostPort: {{ .hostPort }} + {{- end}} + protocol: {{ .protocol }} + {{- end }} + {{- if (and .Values.status.http.enabled .Values.status.enabled)}} + - name: status + containerPort: {{ .Values.status.http.containerPort }} + {{- if .Values.status.http.hostPort }} + hostPort: {{ .Values.status.http.hostPort }} + {{- end}} + protocol: TCP + {{- end }} + {{- if (and .Values.status.tls.enabled .Values.status.enabled) }} + - name: status-tls + containerPort: {{ .Values.status.tls.containerPort }} + {{- if .Values.status.tls.hostPort }} + hostPort: {{ .Values.status.tls.hostPort }} + {{- end}} + protocol: TCP + {{- end }} + {{- if (and .Values.cluster.tls.enabled .Values.cluster.enabled) }} + - name: cluster-tls + containerPort: {{ .Values.cluster.tls.containerPort }} + {{- if .Values.cluster.tls.hostPort }} + hostPort: {{ .Values.cluster.tls.hostPort }} + {{- end}} + protocol: TCP + {{- end }} + {{- if .Values.enterprise.enabled }} + {{- if (and .Values.manager.http.enabled .Values.manager.enabled) }} + - name: manager + containerPort: {{ .Values.manager.http.containerPort }} + {{- if .Values.manager.http.hostPort }} + hostPort: {{ .Values.manager.http.hostPort }} + {{- end}} + protocol: TCP + {{- end }} + {{- if (and .Values.manager.tls.enabled .Values.manager.enabled) }} + - name: manager-tls + containerPort: {{ .Values.manager.tls.containerPort }} + {{- if .Values.manager.tls.hostPort }} + hostPort: {{ .Values.manager.tls.hostPort }} + {{- end}} + protocol: TCP + {{- end }} + {{- if (and .Values.portal.http.enabled .Values.portal.enabled) }} + - name: portal + containerPort: {{ .Values.portal.http.containerPort }} + {{- if .Values.portal.http.hostPort }} + hostPort: {{ .Values.portal.http.hostPort }} + {{- end}} + protocol: TCP + {{- end }} + {{- if (and .Values.portal.tls.enabled .Values.portal.enabled) }} + - name: portal-tls + containerPort: {{ .Values.portal.tls.containerPort }} + {{- if .Values.portal.tls.hostPort }} + hostPort: {{ .Values.portal.tls.hostPort }} + {{- end}} + protocol: TCP + {{- end }} + {{- if (and .Values.portalapi.http.enabled .Values.portalapi.enabled) }} + - name: portalapi + containerPort: {{ .Values.portalapi.http.containerPort }} + {{- if .Values.portalapi.http.hostPort }} + hostPort: {{ .Values.portalapi.http.hostPort }} + {{- end}} + protocol: TCP + {{- end }} + {{- if (and .Values.portalapi.tls.enabled .Values.portalapi.enabled) }} + - name: portalapi-tls + containerPort: {{ .Values.portalapi.tls.containerPort }} + {{- if .Values.portalapi.tls.hostPort }} + hostPort: {{ .Values.portalapi.tls.hostPort }} + {{- end}} + protocol: TCP + {{- end }} + {{- if (and .Values.clustertelemetry.tls.enabled .Values.clustertelemetry.enabled) }} + - name: clustert-tls + containerPort: {{ .Values.clustertelemetry.tls.containerPort }} + {{- if .Values.clustertelemetry.tls.hostPort }} + hostPort: {{ .Values.clustertelemetry.tls.hostPort }} + {{- end}} + protocol: TCP + {{- end }} + {{- end }} + volumeMounts: + {{- include "kong.volumeMounts" . | nindent 10 }} + {{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 10 }} + readinessProbe: +{{ include "kong.proxy.compatibleReadiness" . | indent 10 }} + livenessProbe: +{{ toYaml .Values.livenessProbe | indent 10 }} + {{- if .Values.startupProbe }} + startupProbe: +{{ toYaml .Values.startupProbe | indent 10 }} + {{- end }} + resources: +{{ toYaml .Values.resources | indent 10 }} + {{- end }} {{/* End of Kong container spec */}} + {{- if .Values.affinity }} + affinity: +{{ toYaml .Values.affinity | indent 8 }} + {{- end }} + {{- if .Values.topologySpreadConstraints }} + topologySpreadConstraints: +{{ toYaml .Values.topologySpreadConstraints | indent 8 }} + {{- end }} + securityContext: + {{- include "kong.podsecuritycontext" . | nindent 8 }} + {{- if .Values.nodeSelector }} + nodeSelector: +{{ toYaml .Values.nodeSelector | indent 8 }} + {{- end }} + terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds }} + {{- if .Values.tolerations }} + tolerations: +{{ toYaml .Values.tolerations | indent 8 }} + {{- end }} + volumes: + {{- include "kong.volumes" . | nindent 8 -}} + {{- include "kong.userDefinedVolumes" . | nindent 8 -}} +{{- end }} diff --git a/charts/kong/kong/2.41.0/templates/extraManifests.yaml b/charts/kong/kong/2.41.0/templates/extraManifests.yaml new file mode 100644 index 000000000..a9bb3b6ba --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/extraManifests.yaml @@ -0,0 +1,4 @@ +{{ range .Values.extraObjects }} +--- +{{ tpl (toYaml .) $ }} +{{ end }} diff --git a/charts/kong/kong/2.41.0/templates/hpa.yaml b/charts/kong/kong/2.41.0/templates/hpa.yaml new file mode 100644 index 000000000..922ade82d --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/hpa.yaml @@ -0,0 +1,26 @@ +{{- if .Values.autoscaling.enabled }} +apiVersion: {{ include "kong.autoscalingVersion" . }} +kind: HorizontalPodAutoscaler +metadata: + name: "{{ template "kong.fullname" . }}" + namespace: {{ template "kong.namespace" . }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: "{{ template "kong.fullname" . }}" + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + {{- if .Values.autoscaling.behavior }} + behavior: + {{- toYaml .Values.autoscaling.behavior | nindent 4 }} + {{- end }} + {{- if contains "autoscaling/v2" (include "kong.autoscalingVersion" . ) }} + metrics: + {{- toYaml .Values.autoscaling.metrics | nindent 4 }} + {{- else }} + targetCPUUtilizationPercentage: {{ .Values.autoscaling.targetCPUUtilizationPercentage | default 80 }} + {{- end }} +{{- end }} diff --git a/charts/kong/kong/2.41.0/templates/ingress-class.yaml b/charts/kong/kong/2.41.0/templates/ingress-class.yaml new file mode 100644 index 000000000..d2ac47d69 --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/ingress-class.yaml @@ -0,0 +1,33 @@ +{{/* Default to not managing if unsupported or created outside this chart */}} +{{- $includeIngressClass := false -}} +{{- if .Values.ingressController.enabled -}} + {{- if (.Capabilities.APIVersions.Has "networking.k8s.io/v1/IngressClass") -}} + {{- with (lookup "networking.k8s.io/v1" "IngressClass" "" .Values.ingressController.ingressClass) -}} + {{- if (hasKey .metadata "annotations") -}} + {{- if (eq $.Release.Name (get .metadata.annotations "meta.helm.sh/release-name")) -}} + {{/* IngressClass exists and is managed by this chart */}} + {{- $includeIngressClass = true -}} + {{- end -}} + {{- end -}} + {{- else -}} + {{/* IngressClass doesn't exist */}} + {{- $includeIngressClass = true -}} + {{- end -}} + {{- end -}} +{{- end -}} +{{- if $includeIngressClass -}} +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + name: {{ .Values.ingressController.ingressClass }} + {{- if .Values.ingressController.ingressClassAnnotations }} + annotations: + {{- range $key, $value := .Values.ingressController.ingressClassAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} +spec: + controller: ingress-controllers.konghq.com/kong +{{- end -}} diff --git a/charts/kong/kong/2.41.0/templates/migrations-post-upgrade.yaml b/charts/kong/kong/2.41.0/templates/migrations-post-upgrade.yaml new file mode 100644 index 000000000..73225392c --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/migrations-post-upgrade.yaml @@ -0,0 +1,97 @@ +{{- if .Values.deployment.kong.enabled }} +{{- if (and .Values.migrations.postUpgrade (not (eq .Values.env.database "off"))) }} +# Why is this Job duplicated and not using only helm hooks? +# See: https://github.com/helm/charts/pull/7362 +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "kong.fullname" . }}-post-upgrade-migrations + namespace: {{ template "kong.namespace" . }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} + app.kubernetes.io/component: post-upgrade-migrations + annotations: + helm.sh/hook: "post-upgrade" + helm.sh/hook-delete-policy: "before-hook-creation" + {{- range $key, $value := .Values.migrations.jobAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + backoffLimit: {{ .Values.migrations.backoffLimit }} + template: + metadata: + name: {{ template "kong.name" . }}-post-upgrade-migrations + labels: + {{- include "kong.metaLabels" . | nindent 8 }} + app.kubernetes.io/component: post-upgrade-migrations + {{- if .Values.migrations.annotations }} + annotations: + {{- range $key, $value := .Values.migrations.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }} + kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }} + {{- end }} + {{- end }} + spec: + {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }} + serviceAccountName: {{ template "kong.serviceAccountName" . }} + {{- end }} + {{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }} + automountServiceAccountToken: true + {{- else }} + automountServiceAccountToken: false + {{ end }} + {{- if .Values.image.pullSecrets }} + imagePullSecrets: + {{- range .Values.image.pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + {{- if (or (and (.Values.postgresql.enabled) .Values.waitImage.enabled) .Values.deployment.initContainers) }} + initContainers: + {{- if .Values.deployment.initContainers }} + {{- toYaml .Values.deployment.initContainers | nindent 6 }} + {{- end }} + {{- if (and (.Values.postgresql.enabled) .Values.waitImage.enabled) }} + {{- include "kong.wait-for-postgres" . | nindent 6 }} + {{- end }} + {{- end }} + containers: + {{- if .Values.migrations.sidecarContainers }} + {{- toYaml .Values.migrations.sidecarContainers | nindent 6 }} + {{- end }} + - name: {{ template "kong.name" . }}-post-upgrade-migrations + image: {{ include "kong.getRepoTag" .Values.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: + {{ toYaml .Values.containerSecurityContext | nindent 10 }} + env: + {{- include "kong.no_daemon_env" . | nindent 8 }} + {{- include "kong.envFrom" .Values.envFrom | nindent 8 }} + args: [ "kong", "migrations", "finish" ] + volumeMounts: + {{- include "kong.volumeMounts" . | nindent 8 }} + {{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 8 }} + resources: + {{- toYaml .Values.migrations.resources | nindent 10 }} + securityContext: + {{- include "kong.podsecuritycontext" . | nindent 8 }} + {{- if .Values.affinity }} + affinity: + {{- toYaml .Values.affinity | nindent 8 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: + {{- toYaml .Values.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} + restartPolicy: OnFailure + volumes: + {{- include "kong.volumes" . | nindent 6 -}} + {{- include "kong.userDefinedVolumes" . | nindent 6 -}} +{{- end }} +{{- end }} diff --git a/charts/kong/kong/2.41.0/templates/migrations-pre-upgrade.yaml b/charts/kong/kong/2.41.0/templates/migrations-pre-upgrade.yaml new file mode 100644 index 000000000..9efb8baea --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/migrations-pre-upgrade.yaml @@ -0,0 +1,99 @@ +{{- if .Values.deployment.kong.enabled }} +{{- if (and .Values.migrations.preUpgrade (not (eq .Values.env.database "off"))) }} +# Why is this Job duplicated and not using only helm hooks? +# See: https://github.com/helm/charts/pull/7362 +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "kong.fullname" . }}-pre-upgrade-migrations + namespace: {{ template "kong.namespace" . }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} + app.kubernetes.io/component: pre-upgrade-migrations + annotations: + helm.sh/hook: "pre-upgrade" + helm.sh/hook-delete-policy: "before-hook-creation" + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation + {{- range $key, $value := .Values.migrations.jobAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + backoffLimit: {{ .Values.migrations.backoffLimit }} + template: + metadata: + name: {{ template "kong.name" . }}-pre-upgrade-migrations + labels: + {{- include "kong.metaLabels" . | nindent 8 }} + app.kubernetes.io/component: pre-upgrade-migrations + {{- if .Values.migrations.annotations }} + annotations: + {{- range $key, $value := .Values.migrations.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }} + kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }} + {{- end }} + {{- end }} + spec: + {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }} + serviceAccountName: {{ template "kong.serviceAccountName" . }} + {{- end }} + {{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }} + automountServiceAccountToken: true + {{- else }} + automountServiceAccountToken: false + {{ end }} + {{- if .Values.image.pullSecrets }} + imagePullSecrets: + {{- range .Values.image.pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + {{- if (or (and (.Values.postgresql.enabled) .Values.waitImage.enabled) .Values.deployment.initContainers) }} + initContainers: + {{- if .Values.deployment.initContainers }} + {{- toYaml .Values.deployment.initContainers | nindent 6 }} + {{- end }} + {{- if (and (.Values.postgresql.enabled) .Values.waitImage.enabled) }} + {{- include "kong.wait-for-postgres" . | nindent 6 }} + {{- end }} + {{- end }} + containers: + {{- if .Values.migrations.sidecarContainers }} + {{- toYaml .Values.migrations.sidecarContainers | nindent 6 }} + {{- end }} + - name: {{ template "kong.name" . }}-upgrade-migrations + image: {{ include "kong.getRepoTag" .Values.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: + {{ toYaml .Values.containerSecurityContext | nindent 10 }} + env: + {{- include "kong.no_daemon_env" . | nindent 8 }} + {{- include "kong.envFrom" .Values.envFrom | nindent 8 }} + args: [ "kong", "migrations", "up" ] + volumeMounts: + {{- include "kong.volumeMounts" . | nindent 8 }} + {{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 8 }} + resources: + {{- toYaml .Values.migrations.resources| nindent 10 }} + securityContext: + {{- include "kong.podsecuritycontext" . | nindent 8 }} + {{- if .Values.affinity }} + affinity: + {{- toYaml .Values.affinity | nindent 8 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: + {{- toYaml .Values.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} + restartPolicy: OnFailure + volumes: + {{- include "kong.volumes" . | nindent 6 -}} + {{- include "kong.userDefinedVolumes" . | nindent 6 -}} +{{- end }} +{{- end }} diff --git a/charts/kong/kong/2.41.0/templates/migrations.yaml b/charts/kong/kong/2.41.0/templates/migrations.yaml new file mode 100644 index 000000000..e1a85fb90 --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/migrations.yaml @@ -0,0 +1,108 @@ +{{- if .Values.deployment.kong.enabled }} +{{- if .Release.IsInstall -}} +{{/* .migrations.init isn't normally exposed in values.yaml, since it should + generally always run on install--there should never be any reason to + disable it, and at worst it's a no-op. However, https://github.com/helm/helm/issues/3308 + means we cannot use the default function to create a hidden value, hence + the workaround with this $runInit variable. + */}} +{{- $runInit := true -}} +{{- if (hasKey .Values.migrations "init") -}} + {{- $runInit = .Values.migrations.init -}} +{{- end -}} + +{{- if (and ($runInit) (not (eq .Values.env.database "off"))) }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ template "kong.fullname" . }}-init-migrations + namespace: {{ template "kong.namespace" . }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} + app.kubernetes.io/component: init-migrations + annotations: + argocd.argoproj.io/hook: Sync + argocd.argoproj.io/hook-delete-policy: BeforeHookCreation + {{- range $key, $value := .Values.migrations.jobAnnotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} +spec: + backoffLimit: {{ .Values.migrations.backoffLimit }} + template: + metadata: + name: {{ template "kong.name" . }}-init-migrations + labels: + {{- include "kong.metaLabels" . | nindent 8 }} + app.kubernetes.io/component: init-migrations + {{- if .Values.migrations.annotations }} + annotations: + {{- range $key, $value := .Values.migrations.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- if (and (not .Values.deployment.serviceAccount.automountServiceAccountToken) (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name)) }} + kuma.io/service-account-token-volume: {{ template "kong.serviceAccountTokenName" . }} + {{- end }} + {{- end }} + spec: + {{- if or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name }} + serviceAccountName: {{ template "kong.serviceAccountName" . }} + {{- end }} + {{- if (and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) .Values.deployment.serviceAccount.automountServiceAccountToken) }} + automountServiceAccountToken: true + {{- else }} + automountServiceAccountToken: false + {{ end }} + {{- if .Values.image.pullSecrets }} + imagePullSecrets: + {{- range .Values.image.pullSecrets }} + - name: {{ . }} + {{- end }} + {{- end }} + {{- if (or (and (.Values.postgresql.enabled) .Values.waitImage.enabled) .Values.deployment.initContainers) }} + initContainers: + {{- if .Values.deployment.initContainers }} + {{- toYaml .Values.deployment.initContainers | nindent 6 }} + {{- end }} + {{- if (and (.Values.postgresql.enabled) .Values.waitImage.enabled) }} + {{- include "kong.wait-for-postgres" . | nindent 6 }} + {{- end }} + {{- end }} + containers: + {{- if .Values.migrations.sidecarContainers }} + {{- toYaml .Values.migrations.sidecarContainers | nindent 6 }} + {{- end }} + - name: {{ template "kong.name" . }}-migrations + image: {{ include "kong.getRepoTag" .Values.image }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + securityContext: + {{ toYaml .Values.containerSecurityContext | nindent 10 }} + env: + {{- include "kong.no_daemon_env" . | nindent 8 }} + {{- include "kong.envFrom" .Values.envFrom | nindent 8 }} + args: [ "kong", "migrations", "bootstrap" ] + volumeMounts: + {{- include "kong.volumeMounts" . | nindent 8 }} + {{- include "kong.userDefinedVolumeMounts" .Values.deployment | nindent 8 }} + resources: + {{- toYaml .Values.migrations.resources | nindent 10 }} + securityContext: + {{- include "kong.podsecuritycontext" . | nindent 8 }} + {{- if .Values.affinity }} + affinity: + {{- toYaml .Values.affinity | nindent 8 }} + {{- end }} + {{- if .Values.nodeSelector }} + nodeSelector: + {{- toYaml .Values.nodeSelector | nindent 8 }} + {{- end }} + {{- if .Values.tolerations }} + tolerations: + {{- toYaml .Values.tolerations | nindent 8 }} + {{- end }} + restartPolicy: OnFailure + volumes: + {{- include "kong.volumes" . | nindent 6 -}} + {{- include "kong.userDefinedVolumes" . | nindent 6 -}} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/kong/kong/2.41.0/templates/pdb.yaml b/charts/kong/kong/2.41.0/templates/pdb.yaml new file mode 100644 index 000000000..8d918c5a5 --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/pdb.yaml @@ -0,0 +1,26 @@ +{{- if .Values.podDisruptionBudget.enabled }} +{{- if and (not .Values.autoscaling.enabled) (le (int .Values.replicaCount) 1) }} +{{- fail "Enabling PodDisruptionBudget with replicaCount: 1 and no autoscaling prevents pod restarts during upgrades" }} +{{- end }} +{{- if and .Values.autoscaling.enabled (le (int .Values.autoscaling.minReplicas) 1) }} +{{- fail "Enabling PodDisruptionBudget with autoscaling.minReplicas: 1 prevents pod restarts during upgrades" }} +{{- end }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ template "kong.fullname" . }} + namespace: {{ template "kong.namespace" . }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} +spec: + {{- if .Values.podDisruptionBudget.minAvailable }} + minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} + {{- end }} + {{- if .Values.podDisruptionBudget.maxUnavailable }} + maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} + {{- end }} + selector: + matchLabels: + {{- include "kong.metaLabels" . | nindent 6 }} + app.kubernetes.io/component: app +{{- end }} diff --git a/charts/kong/kong/2.41.0/templates/psp.yaml b/charts/kong/kong/2.41.0/templates/psp.yaml new file mode 100644 index 000000000..bc9844798 --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/psp.yaml @@ -0,0 +1,53 @@ +{{- if and (.Values.podSecurityPolicy.enabled) }} +apiVersion: {{ include "kong.policyVersion" . }} +kind: PodSecurityPolicy +metadata: + name: {{ template "kong.serviceAccountName" . }}-psp + labels: + {{- include "kong.metaLabels" . | nindent 4 }} + {{- with .Values.podSecurityPolicy.labels }} + {{- range $key, $value := . }} + {{ $key }}: {{ $value }} + {{- end }} + {{- end }} + {{- with .Values.podSecurityPolicy.annotations }} + annotations: + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} +spec: +{{ .Values.podSecurityPolicy.spec | toYaml | indent 2 }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "kong.serviceAccountName" . }}-psp + labels: + {{- include "kong.metaLabels" . | nindent 4 }} +rules: + - apiGroups: + - policy + resources: + - podsecuritypolicies + verbs: + - use + resourceNames: + - {{ template "kong.serviceAccountName" . }}-psp +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "kong.serviceAccountName" . }}-psp + namespace: {{ template "kong.namespace" . }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} +subjects: + - kind: ServiceAccount + name: {{ template "kong.serviceAccountName" . }} + namespace: {{ template "kong.namespace" . }} +roleRef: + kind: ClusterRole + name: {{ template "kong.serviceAccountName" . }}-psp + apiGroup: rbac.authorization.k8s.io +{{- end }} diff --git a/charts/kong/kong/2.41.0/templates/secret-sa-token.yaml b/charts/kong/kong/2.41.0/templates/secret-sa-token.yaml new file mode 100644 index 000000000..fe8a67d23 --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/secret-sa-token.yaml @@ -0,0 +1,14 @@ +{{- /* Due to GKE versions (e.g. v1.23.15-gke.1900) we need to handle pre-release part of the version as well. +See the related documentation of semver module that Helm depends on for semverCompare: +https://github.com/Masterminds/semver#working-with-prerelease-versions +Related Helm issue: https://github.com/helm/helm/issues/3810 */}} +{{- if and (or .Values.deployment.serviceAccount.create .Values.deployment.serviceAccount.name) (semverCompare "<1.20.0-0" .Capabilities.KubeVersion.Version) }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "kong.serviceAccountTokenName" . }} + namespace: {{ template "kong.namespace" . }} + annotations: + kubernetes.io/service-account.name: {{ template "kong.serviceAccountName" . }} +type: kubernetes.io/service-account-token +{{- end }} diff --git a/charts/kong/kong/2.41.0/templates/service-account.yaml b/charts/kong/kong/2.41.0/templates/service-account.yaml new file mode 100644 index 000000000..41ef6ace6 --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/service-account.yaml @@ -0,0 +1,15 @@ +{{- if and (or .Values.deployment.kong.enabled .Values.ingressController.enabled) .Values.deployment.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ template "kong.serviceAccountName" . }} + namespace: {{ template "kong.namespace" . }} + {{- if .Values.deployment.serviceAccount.annotations }} + annotations: + {{- range $key, $value := .Values.deployment.serviceAccount.annotations }} + {{ $key }}: {{ $value | quote }} + {{- end }} + {{- end }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/templates/service-kong-admin.yaml b/charts/kong/kong/2.41.0/templates/service-kong-admin.yaml new file mode 100644 index 000000000..d00501653 --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/service-kong-admin.yaml @@ -0,0 +1,113 @@ +{{- if .Values.deployment.kong.enabled }} +{{- if and .Values.admin.enabled (or .Values.admin.http.enabled .Values.admin.tls.enabled) -}} +{{- $serviceConfig := dict -}} +{{- $serviceConfig := merge $serviceConfig .Values.admin -}} +{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}} +{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}} +{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}} +{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}} +{{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}} +{{- $_ := set $serviceConfig "serviceName" "admin" -}} +{{- include "kong.service" $serviceConfig }} +{{ if .Values.admin.ingress.enabled }} +--- +{{ include "kong.ingress" $serviceConfig }} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "adminApiService.certSecretName" -}} + {{- default (printf "%s-admin-api-keypair" (include "kong.fullname" .)) .Values.ingressController.adminApi.tls.client.secretName -}} +{{- end -}} + +{{- define "adminApiService.caSecretName" -}} + {{- default (printf "%s-admin-api-ca-keypair" (include "kong.fullname" .)) .Values.ingressController.adminApi.tls.client.caSecretName -}} +{{- end -}} + +{{- $clientVerifyEnabled := .Values.ingressController.adminApi.tls.client.enabled -}} +{{- $clientCertProvided := .Values.ingressController.adminApi.tls.client.certProvided -}} + +{{/* If the client verification is enabled but no secret was provided by the user, let's generate certificates. */ -}} +{{- if and $clientVerifyEnabled (not $clientCertProvided) }} +{{- $certCert := "" -}} +{{- $certKey := "" -}} + +{{- $cn := printf "admin.%s.svc" ( include "kong.namespace" . ) -}} +{{- $ca := genCA "admin-api-ca" 3650 -}} +{{- $cert := genSignedCert $cn nil (list $cn) 3650 $ca -}} + +{{- $certCert = $cert.Cert -}} +{{- $certKey = $cert.Key -}} +{{/* Verify whether a secret with a given name already exists. If it does, let's use its cert and key data. */}} +{{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (include "adminApiService.certSecretName" .)) -}} +{{- if $certSecret }} +{{- $certCert = (b64dec (get $certSecret.data "tls.crt")) -}} +{{- $certKey = (b64dec (get $certSecret.data "tls.key")) -}} +{{- end }} + +{{- $caCert := $ca.Cert -}} +{{- $caKey := $ca.Key -}} +{{/* Verify whether a secret with a given name already exists. If it does, let's use its cert and key data. */ -}} +{{- $caSecret := (lookup "v1" "Secret" (include "kong.namespace" .) (include "adminApiService.caSecretName" .))}} +{{- if $caSecret }} +{{- $caCert = (b64dec (get $caSecret.data "tls.crt")) -}} +{{- $caKey = (b64dec (get $caSecret.data "tls.key")) -}} +{{- end }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "adminApiService.certSecretName" . }} + namespace: {{ template "kong.namespace" . }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ b64enc $certCert }} + tls.key: {{ b64enc $certKey }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ template "adminApiService.caSecretName" . }} + namespace: {{ template "kong.namespace" . }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} +type: kubernetes.io/tls +data: + tls.crt: {{ b64enc $caCert }} + tls.key: {{ b64enc $caKey }} +{{- end }} + +{{- /* Create a CA ConfigMap for Kong. */ -}} +{{- $secretProvided := $.Values.admin.tls.client.secretName -}} +{{- $bundleProvided := $.Values.admin.tls.client.caBundle -}} + +{{- if or $secretProvided $bundleProvided -}} +{{- $cert := "" -}} + +{{- if $secretProvided -}} +{{- $certSecret := (lookup "v1" "Secret" (include "kong.namespace" .) $.Values.admin.tls.client.secretName) -}} +{{- if $certSecret }} +{{- $cert = (b64dec (get $certSecret.data "tls.crt")) -}} +{{- else -}} +{{- fail (printf "%s/%s secret not found" (include "kong.namespace" .) $.Values.admin.tls.client.secretName) -}} +{{- end }} +{{- end }} + +{{- if $bundleProvided -}} +{{- $cert = $.Values.admin.tls.client.caBundle -}} +{{- end }} + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "kong.fullname" . }}-admin-client-ca + namespace: {{ template "kong.namespace" . }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} +data: + tls.crt: {{ $cert | quote }} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/templates/service-kong-cluster-telemetry.yaml b/charts/kong/kong/2.41.0/templates/service-kong-cluster-telemetry.yaml new file mode 100644 index 000000000..b245bca94 --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/service-kong-cluster-telemetry.yaml @@ -0,0 +1,17 @@ +{{- if .Values.deployment.kong.enabled }} +{{- if and .Values.clustertelemetry.enabled .Values.clustertelemetry.tls.enabled -}} +{{- $serviceConfig := dict -}} +{{- $serviceConfig := merge $serviceConfig .Values.clustertelemetry -}} +{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}} +{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}} +{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}} +{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}} +{{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}} +{{- $_ := set $serviceConfig "serviceName" "clustertelemetry" -}} +{{- include "kong.service" $serviceConfig }} +{{ if .Values.clustertelemetry.ingress.enabled }} +--- +{{ include "kong.ingress" $serviceConfig }} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/templates/service-kong-cluster.yaml b/charts/kong/kong/2.41.0/templates/service-kong-cluster.yaml new file mode 100644 index 000000000..f4ef66296 --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/service-kong-cluster.yaml @@ -0,0 +1,17 @@ +{{- if .Values.deployment.kong.enabled }} +{{- if and .Values.cluster.enabled .Values.cluster.tls.enabled -}} +{{- $serviceConfig := dict -}} +{{- $serviceConfig := merge $serviceConfig .Values.cluster -}} +{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}} +{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}} +{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}} +{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}} +{{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}} +{{- $_ := set $serviceConfig "serviceName" "cluster" -}} +{{- include "kong.service" $serviceConfig }} +{{ if .Values.cluster.ingress.enabled }} +--- +{{ include "kong.ingress" $serviceConfig }} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/templates/service-kong-manager.yaml b/charts/kong/kong/2.41.0/templates/service-kong-manager.yaml new file mode 100644 index 000000000..e6732871b --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/service-kong-manager.yaml @@ -0,0 +1,17 @@ +{{- if .Values.deployment.kong.enabled }} +{{- if and .Values.manager.enabled (or .Values.manager.http.enabled .Values.manager.tls.enabled) -}} +{{- $serviceConfig := dict -}} +{{- $serviceConfig := merge $serviceConfig .Values.manager -}} +{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}} +{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}} +{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}} +{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}} +{{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}} +{{- $_ := set $serviceConfig "serviceName" "manager" -}} +{{- include "kong.service" $serviceConfig }} +{{ if .Values.manager.ingress.enabled }} +--- +{{ include "kong.ingress" $serviceConfig }} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/templates/service-kong-portal-api.yaml b/charts/kong/kong/2.41.0/templates/service-kong-portal-api.yaml new file mode 100644 index 000000000..710f20188 --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/service-kong-portal-api.yaml @@ -0,0 +1,19 @@ +{{- if .Values.deployment.kong.enabled }} +{{- if .Values.enterprise.enabled }} +{{- if and .Values.portalapi.enabled (or .Values.portalapi.http.enabled .Values.portalapi.tls.enabled) -}} +{{- $serviceConfig := dict -}} +{{- $serviceConfig := merge $serviceConfig .Values.portalapi -}} +{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}} +{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}} +{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}} +{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}} +{{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}} +{{- $_ := set $serviceConfig "serviceName" "portalapi" -}} +{{- include "kong.service" $serviceConfig }} +{{ if .Values.portalapi.ingress.enabled }} +--- +{{ include "kong.ingress" $serviceConfig }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/templates/service-kong-portal.yaml b/charts/kong/kong/2.41.0/templates/service-kong-portal.yaml new file mode 100644 index 000000000..0be4b09b8 --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/service-kong-portal.yaml @@ -0,0 +1,19 @@ +{{- if .Values.deployment.kong.enabled }} +{{- if .Values.enterprise.enabled }} +{{- if and .Values.portal.enabled (or .Values.portal.http.enabled .Values.portal.tls.enabled) -}} +{{- $serviceConfig := dict -}} +{{- $serviceConfig := merge $serviceConfig .Values.portal -}} +{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}} +{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}} +{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}} +{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}} +{{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}} +{{- $_ := set $serviceConfig "serviceName" "portal" -}} +{{- include "kong.service" $serviceConfig }} +{{ if .Values.portal.ingress.enabled }} +--- +{{ include "kong.ingress" $serviceConfig }} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/templates/service-kong-proxy.yaml b/charts/kong/kong/2.41.0/templates/service-kong-proxy.yaml new file mode 100644 index 000000000..58a255ea2 --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/service-kong-proxy.yaml @@ -0,0 +1,16 @@ +{{- if .Values.deployment.kong.enabled }} +{{- if and .Values.proxy.enabled (or .Values.proxy.http.enabled .Values.proxy.tls.enabled) -}} +{{- $serviceConfig := dict -}} +{{- $serviceConfig := merge $serviceConfig .Values.proxy -}} +{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}} +{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}} +{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}} +{{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}} +{{- $_ := set $serviceConfig "serviceName" "proxy" -}} +{{- include "kong.service" $serviceConfig }} +{{ if .Values.proxy.ingress.enabled }} +--- +{{ include "kong.ingress" $serviceConfig }} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/templates/service-kong-udp-proxy.yaml b/charts/kong/kong/2.41.0/templates/service-kong-udp-proxy.yaml new file mode 100644 index 000000000..bb25c5d74 --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/service-kong-udp-proxy.yaml @@ -0,0 +1,15 @@ +{{- if .Values.deployment.kong.enabled }} +{{- if and .Values.udpProxy.enabled -}} +{{- $serviceConfig := dict -}} +{{- $serviceConfig := merge $serviceConfig .Values.udpProxy -}} +{{- $_ := set $serviceConfig "ingressVersion" (include "kong.ingressVersion" .) -}} +{{- $_ := set $serviceConfig "fullName" (include "kong.fullname" .) -}} +{{- $_ := set $serviceConfig "namespace" (include "kong.namespace" .) -}} +{{- $_ := set $serviceConfig "metaLabels" (include "kong.metaLabels" .) -}} +{{- $_ := set $serviceConfig "selectorLabels" (include "kong.selectorLabels" .) -}} +{{- $_ := set $serviceConfig "serviceName" "udp-proxy" -}} +{{- $_ := set $serviceConfig "tls" (dict "enabled" false) -}} +{{- $_ := set $serviceConfig "http" (dict "enabled" false) -}} +{{- include "kong.service" $serviceConfig }} +{{- end -}} +{{- end -}} diff --git a/charts/kong/kong/2.41.0/templates/servicemonitor.yaml b/charts/kong/kong/2.41.0/templates/servicemonitor.yaml new file mode 100644 index 000000000..6e1f3abb0 --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/servicemonitor.yaml @@ -0,0 +1,57 @@ +{{- if and ( .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" ) .Values.serviceMonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "kong.fullname" . }} + {{- if .Values.serviceMonitor.namespace }} + namespace: {{ .Values.serviceMonitor.namespace }} + {{- end }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} + {{- if .Values.serviceMonitor.labels }} + {{ toYaml .Values.serviceMonitor.labels | nindent 4 }} + {{- end }} +spec: + endpoints: + - targetPort: status + scheme: http + {{- if .Values.serviceMonitor.interval }} + interval: {{ .Values.serviceMonitor.interval }} + {{- end }} + {{- if .Values.serviceMonitor.honorLabels }} + honorLabels: true + {{- end }} + {{- if .Values.serviceMonitor.metricRelabelings }} + metricRelabelings: {{ toYaml .Values.serviceMonitor.metricRelabelings | nindent 6 }} + {{- end }} + {{- if .Values.serviceMonitor.relabelings }} + relabelings: {{ toYaml .Values.serviceMonitor.relabelings | nindent 6 }} + {{- end }} + {{- if and .Values.ingressController.enabled (semverCompare ">= 2.0.0" (include "kong.effectiveVersion" .Values.ingressController.image)) }} + - targetPort: cmetrics + scheme: http + {{- if .Values.serviceMonitor.interval }} + interval: {{ .Values.serviceMonitor.interval }} + {{- end }} + {{- if .Values.serviceMonitor.honorLabels }} + honorLabels: true + {{- end }} + {{- if .Values.serviceMonitor.metricRelabelings }} + metricRelabelings: {{ toYaml .Values.serviceMonitor.metricRelabelings | nindent 6 }} + {{- end }} + {{- if .Values.serviceMonitor.relabelings }} + relabelings: {{ toYaml .Values.serviceMonitor.relabelings | nindent 6 }} + {{- end }} + {{- end }} + jobLabel: {{ .Release.Name }} + namespaceSelector: + matchNames: + - {{ template "kong.namespace" . }} + selector: + matchLabels: + enable-metrics: "true" + {{- include "kong.metaLabels" . | nindent 6 }} + {{- if .Values.serviceMonitor.targetLabels }} + targetLabels: {{ toYaml .Values.serviceMonitor.targetLabels | nindent 4 }} + {{- end }} +{{- end }} diff --git a/charts/kong/kong/2.41.0/templates/wait-for-postgres-script.yaml b/charts/kong/kong/2.41.0/templates/wait-for-postgres-script.yaml new file mode 100644 index 000000000..67d2e8fc6 --- /dev/null +++ b/charts/kong/kong/2.41.0/templates/wait-for-postgres-script.yaml @@ -0,0 +1,15 @@ +{{ if (and (.Values.postgresql.enabled) .Values.waitImage.enabled) }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ template "kong.fullname" . }}-bash-wait-for-postgres + namespace: {{ template "kong.namespace" . }} + labels: + {{- include "kong.metaLabels" . | nindent 4 }} +data: + wait.sh: | + until timeout 2 bash -c "9<>/dev/tcp/${KONG_PG_HOST}/${KONG_PG_PORT}" + do echo "waiting for db - trying ${KONG_PG_HOST}:${KONG_PG_PORT}" + sleep 2 + done +{{ end }} diff --git a/charts/kong/kong/2.41.0/values.yaml b/charts/kong/kong/2.41.0/values.yaml new file mode 100644 index 000000000..2f18a5251 --- /dev/null +++ b/charts/kong/kong/2.41.0/values.yaml @@ -0,0 +1,1264 @@ +# Default values for Kong's Helm Chart. +# Declare variables to be passed into your templates. +# +# Sections: +# - Deployment parameters +# - Kong parameters +# - Ingress Controller parameters +# - Postgres sub-chart parameters +# - Miscellaneous parameters +# - Kong Enterprise parameters + +# ----------------------------------------------------------------------------- +# Deployment parameters +# ----------------------------------------------------------------------------- + +deployment: + kong: + # Enable or disable Kong itself + # Setting this to false with ingressController.enabled=true will create a + # controller-only release. + enabled: true + # The number of old `ReplicaSet`s to retain. + revisionHistoryLimit: 10 + + ## Minimum number of seconds for which a newly created pod should be ready without any of its container crashing, + ## for it to be considered available. + # minReadySeconds: 60 + ## Specify the service account to create and to be assigned to the deployment / daemonset and for the migrations + serviceAccount: + create: true + # Automount the service account token. By default, this is disabled, and the token is only mounted on the controller + # container. Some sidecars require enabling this. Note that enabling this exposes Kubernetes credentials to Kong + # Lua code, increasing potential attack surface. + automountServiceAccountToken: false + ## Optionally specify the name of the service account to create and the annotations to add. + # name: + # annotations: {} + + ## Optionally specify any extra sidecar containers to be included in the deployment + ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#container-v1-core + # sidecarContainers: + # - name: sidecar + # image: sidecar:latest + # initContainers: + # - name: initcon + # image: initcon:latest + # hostAliases: + # - ip: "127.0.0.1" + # hostnames: + # - "foo.local" + # - "bar.local" + + ## Define any volumes and mounts you want present in the Kong proxy container + # userDefinedVolumes: + # - name: "volumeName" + # emptyDir: {} + # userDefinedVolumeMounts: + # - name: "volumeName" + # mountPath: "/opt/user/dir/mount" + test: + # Enable creation of test resources for use with "helm test" + enabled: false + # Use a DaemonSet controller instead of a Deployment controller + daemonset: false + hostNetwork: false + # Set the Deployment's spec.template.hostname field. + # This propagates to Kong API endpoints that report + # the hostname, such as the admin API root and hybrid mode + # /clustering/data-planes endpoint + hostname: "" + # kong_prefix empty dir size + prefixDir: + sizeLimit: 256Mi + # tmp empty dir size + tmpDir: + sizeLimit: 1Gi +# Override namepsace for Kong chart resources. By default, the chart creates resources in the release namespace. +# This may not be desirable when using this chart as a dependency. +# namespace: "example" + +# ----------------------------------------------------------------------------- +# Kong parameters +# ----------------------------------------------------------------------------- + +# Specify Kong configuration +# This chart takes all entries defined under `.env` and transforms them into into `KONG_*` +# environment variables for Kong containers. +# Their names here should match the names used in https://github.com/Kong/kong/blob/master/kong.conf.default +# See https://docs.konghq.com/latest/configuration also for additional details +# Values here take precedence over values from other sections of values.yaml, +# e.g. setting pg_user here will override the value normally set when postgresql.enabled +# is set below. In general, you should not set values here if they are set elsewhere. +env: + database: "off" + # the chart uses the traditional router (for Kong 3.x+) because the ingress + # controller generates traditional routes. if you do not use the controller, + # you may set this to "traditional_compatible" or "expressions" to use the new + # DSL-based router + router_flavor: "traditional" + nginx_worker_processes: "2" + proxy_access_log: /dev/stdout + admin_access_log: /dev/stdout + admin_gui_access_log: /dev/stdout + portal_api_access_log: /dev/stdout + proxy_error_log: /dev/stderr + admin_error_log: /dev/stderr + admin_gui_error_log: /dev/stderr + portal_api_error_log: /dev/stderr + prefix: /kong_prefix/ + +# This section is any customer specific environments variables that doesn't require KONG_ prefix. +# These custom environment variables are typicall used in custom plugins or serverless plugins to +# access environment specific credentials or tokens. +# Example as below, uncomment if required and add additional attributes as required. +# Note that these environment variables will only apply to the proxy and init container. The ingress-controller +# container has its own customEnv section. + +# customEnv: +# api_token: +# valueFrom: +# secretKeyRef: +# key: token +# name: api_key +# client_name: testClient + +# Load all ConfigMap or Secret keys as environment variables: +# https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables +envFrom: [] + +# This section can be used to configure some extra labels that will be added to each Kubernetes object generated. +extraLabels: {} + +# Specify Kong's Docker image and repository details here +image: + repository: kong + tag: "3.6" + # Kong Enterprise + # repository: kong/kong-gateway + # tag: "3.5" + + # Specify a semver version if your image tag is not one (e.g. "nightly") + effectiveSemver: + pullPolicy: IfNotPresent + ## Optionally specify an array of imagePullSecrets. + ## Secrets must be manually created in the namespace. + ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + ## + # pullSecrets: + # - myRegistrKeySecretName + +# Specify Kong admin API service and listener configuration +admin: + # Enable creating a Kubernetes service for the admin API + # Disabling this is recommended for most ingress controller configurations + # Enterprise users that wish to use Kong Manager with the controller should enable this + enabled: false + type: NodePort + loadBalancerClass: + # To specify annotations or labels for the admin service, add them to the respective + # "annotations" or "labels" dictionaries below. + annotations: {} + # service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*" + labels: {} + + http: + # Enable plaintext HTTP listen for the admin API + # Disabling this and using a TLS listen only is recommended for most configuration + enabled: false + servicePort: 8001 + containerPort: 8001 + # Set a nodePort which is available if service type is NodePort + # nodePort: 32080 + # Additional listen parameters, e.g. "reuseport", "backlog=16384" + parameters: [] + + tls: + # Enable HTTPS listen for the admin API + enabled: true + servicePort: 8444 + containerPort: 8444 + # Set a target port for the TLS port in the admin API service, useful when using TLS + # termination on an ELB. + # overrideServiceTargetPort: 8000 + # Set a nodePort which is available if service type is NodePort + # nodePort: 32443 + # Additional listen parameters, e.g. "reuseport", "backlog=16384" + parameters: + - http2 + + # Specify the CA certificate to use for TLS verification of the Admin API client by: + # - secretName - the secret must contain a key named "tls.crt" with the PEM-encoded certificate. + # - caBundle (PEM-encoded certificate string). + # If both are set, caBundle takes precedence. + client: + caBundle: "" + secretName: "" + + # Kong admin ingress settings. Useful if you want to expose the Admin + # API of Kong outside the k8s cluster. + ingress: + # Enable/disable exposure using ingress. + enabled: false + ingressClassName: + # TLS secret name. + # tls: kong-admin.example.com-tls + # Ingress hostname + hostname: + # Map of ingress annotations. + annotations: {} + # Ingress path. + path: / + # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix) + pathType: ImplementationSpecific + +# Specify Kong status listener configuration +# This listen is internal-only. It cannot be exposed through a service or ingress. +status: + enabled: true + http: + # Enable plaintext HTTP listen for the status listen + enabled: true + containerPort: 8100 + parameters: [] + + tls: + # Enable HTTPS listen for the status listen + # Kong versions prior to 2.1 do not support TLS status listens. + # This setting must remain false on those versions + enabled: false + containerPort: 8543 + parameters: [] + +# Name the kong hybrid cluster CA certificate secret +clusterCaSecretName: "" + +# Specify Kong cluster service and listener configuration +# +# The cluster service *must* use TLS. It does not support the "http" block +# available on other services. +# +# The cluster service cannot be exposed through an Ingress, as it must perform +# TLS client validation directly and is not compatible with TLS-terminating +# proxies. If you need to expose it externally, you must use "type: +# LoadBalancer" and use a TCP-only load balancer (check your Kubernetes +# provider's documentation, as the configuration required for this varies). +cluster: + enabled: false + # To specify annotations or labels for the cluster service, add them to the respective + # "annotations" or "labels" dictionaries below. + annotations: {} + # service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*" + labels: {} + + tls: + enabled: false + servicePort: 8005 + containerPort: 8005 + parameters: [] + + type: ClusterIP + loadBalancerClass: + + # Kong cluster ingress settings. Useful if you want to split CP and DP + # in different clusters. + ingress: + # Enable/disable exposure using ingress. + enabled: false + ingressClassName: + # TLS secret name. + # tls: kong-cluster.example.com-tls + # Ingress hostname + hostname: + # Map of ingress annotations. + annotations: {} + # Ingress path. + path: / + # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix) + pathType: ImplementationSpecific + +# Specify Kong proxy service configuration +proxy: + # Enable creating a Kubernetes service for the proxy + enabled: true + type: LoadBalancer + loadBalancerClass: + # Override proxy Service name + nameOverride: "" + # To specify annotations or labels for the proxy service, add them to the respective + # "annotations" or "labels" dictionaries below. + annotations: {} + # If terminating TLS at the ELB, the following annotations can be used + # "service.beta.kubernetes.io/aws-load-balancer-backend-protocol": "*", + # "service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled": "true", + # "service.beta.kubernetes.io/aws-load-balancer-ssl-cert": "arn:aws:acm:REGION:ACCOUNT:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX", + # "service.beta.kubernetes.io/aws-load-balancer-ssl-ports": "kong-proxy-tls", + # "service.beta.kubernetes.io/aws-load-balancer-type": "elb" + labels: + enable-metrics: "true" + + http: + # Enable plaintext HTTP listen for the proxy + enabled: true + # Set the servicePort: 0 to skip exposing in the service but still + # let the port open in container to allow https to http mapping for + # tls terminated at LB. + servicePort: 80 + containerPort: 8000 + # Set a nodePort which is available if service type is NodePort + # nodePort: 32080 + # Additional listen parameters, e.g. "reuseport", "backlog=16384" + parameters: [] + + tls: + # Enable HTTPS listen for the proxy + enabled: true + servicePort: 443 + containerPort: 8443 + # Set a target port for the TLS port in proxy service + # overrideServiceTargetPort: 8000 + # Set a nodePort which is available if service type is NodePort + # nodePort: 32443 + # Additional listen parameters, e.g. "reuseport", "backlog=16384" + parameters: + - http2 + + # Specify the Service's TLS port's appProtocol. This can be useful when integrating with + # external load balancers that require the `appProtocol` field to be set (e.g. GCP). + appProtocol: "" + + # Define stream (TCP) listen + # To enable, remove "[]", uncomment the section below, and select your desired + # ports and parameters. Listens are dynamically named after their containerPort, + # e.g. "stream-9000" for the below. + # Note: although you can select the protocol here, you cannot set UDP if you + # use a LoadBalancer Service due to limitations in current Kubernetes versions. + # To proxy both TCP and UDP with LoadBalancers, you must enable the udpProxy Service + # in the next section and place all UDP stream listen configuration under it. + stream: [] + # # Set the container (internal) and service (external) ports for this listen. + # # These values should normally be the same. If your environment requires they + # # differ, note that Kong will match routes based on the containerPort only. + # - containerPort: 9000 + # servicePort: 9000 + # protocol: TCP + # # Optionally set a static nodePort if the service type is NodePort + # # nodePort: 32080 + # # Additional listen parameters, e.g. "ssl", "reuseport", "backlog=16384" + # # "ssl" is required for SNI-based routes. It is not supported on versions <2.0 + # parameters: [] + + # Kong proxy ingress settings. + # Note: You need this only if you are using another Ingress Controller + # to expose Kong outside the k8s cluster. + ingress: + # Enable/disable exposure using ingress. + enabled: false + ingressClassName: + # To specify annotations or labels for the ingress, add them to the respective + # "annotations" or "labels" dictionaries below. + annotations: {} + labels: {} + # Ingress hostname + hostname: + # Ingress path (when used with hostname above). + path: / + # Each path in an Ingress is required to have a corresponding path type (when used with hostname above). (ImplementationSpecific/Exact/Prefix) + pathType: ImplementationSpecific + # Ingress hosts. Use this instead of or in combination with hostname to specify multiple ingress host configurations + hosts: [] + # - host: kong-proxy.example.com + # paths: + # # Ingress path. + # - path: /* + # # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix) + # pathType: ImplementationSpecific + # - host: kong-proxy-other.example.com + # paths: + # # Ingress path. + # - path: /other + # # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix) + # pathType: ImplementationSpecific + # backend: + # service: + # name: kong-other-proxy + # port: + # number: 80 + # + # TLS secret(s) + # tls: kong-proxy.example.com-tls + # Or if multiple hosts/secrets needs to be configured: + # tls: + # - secretName: kong-proxy.example.com-tls + # hosts: + # - kong-proxy.example.com + # - secretName: kong-proxy-other.example.com-tls + # hosts: + # - kong-proxy-other.example.com + + # Optionally specify a static load balancer IP. + # loadBalancerIP: + +# Specify Kong UDP proxy service configuration +# Currently, LoadBalancer type Services are generally limited to a single transport protocol +# Multi-protocol Services are an alpha feature as of Kubernetes 1.20: +# https://kubernetes.io/docs/concepts/services-networking/service/#load-balancers-with-mixed-protocol-types +# You should enable this Service if you proxy UDP traffic, and configure UDP stream listens under it +udpProxy: + # Enable creating a Kubernetes service for UDP proxying + enabled: false + type: LoadBalancer + loadBalancerClass: + # To specify annotations or labels for the proxy service, add them to the respective + # "annotations" or "labels" dictionaries below. + annotations: {} + # service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*" + labels: {} + # Optionally specify a static load balancer IP. + # loadBalancerIP: + + # Define stream (UDP) listen + # To enable, remove "[]", uncomment the section below, and select your desired + # ports and parameters. Listens are dynamically named after their servicePort, + # e.g. "stream-9000" for the below. + stream: [] + # # Set the container (internal) and service (external) ports for this listen. + # # These values should normally be the same. If your environment requires they + # # differ, note that Kong will match routes based on the containerPort only. + # - containerPort: 9000 + # servicePort: 9000 + # protocol: UDP + # # Optionally set a static nodePort if the service type is NodePort + # # nodePort: 32080 + # # Additional listen parameters, e.g. "ssl", "reuseport", "backlog=16384" + # # "ssl" is required for SNI-based routes. It is not supported on versions <2.0 + # parameters: [] + +# Custom Kong plugins can be loaded into Kong by mounting the plugin code +# into the file-system of Kong container. +# The plugin code should be present in ConfigMap or Secret inside the same +# namespace as Kong is being installed. +# The `name` property refers to the name of the ConfigMap or Secret +# itself, while the pluginName refers to the name of the plugin as it appears +# in Kong. +# Subdirectories (which are optional) require separate ConfigMaps/Secrets. +# "path" indicates their directory under the main plugin directory: the example +# below will mount the contents of kong-plugin-rewriter-migrations at "/opt/kong/rewriter/migrations". +plugins: {} + # configMaps: + # - pluginName: rewriter + # name: kong-plugin-rewriter + # subdirectories: + # - name: kong-plugin-rewriter-migrations + # path: migrations + # secrets: + # - pluginName: rewriter + # name: kong-plugin-rewriter +# Inject specified secrets as a volume in Kong Container at path /etc/secrets/{secret-name}/ +# This can be used to override default SSL certificates. +# Be aware that the secret name will be used verbatim, and that certain types +# of punctuation (e.g. `.`) can cause issues. +# Example configuration +# secretVolumes: +# - kong-proxy-tls +# - kong-admin-tls +secretVolumes: [] + +# Enable/disable migration jobs, and set annotations for them +migrations: + # Enable pre-upgrade migrations (run "kong migrations up") + preUpgrade: true + # Enable post-upgrade migrations (run "kong migrations finish") + postUpgrade: true + # Annotations to apply to migrations job pods + # By default, these disable service mesh sidecar injection for Istio and Kuma, + # as the sidecar containers do not terminate and prevent the jobs from completing + annotations: + sidecar.istio.io/inject: false + # Additional annotations to apply to migration jobs + # This is helpful in certain non-Helm installation situations such as GitOps + # where additional control is required around this job creation. + jobAnnotations: {} + # Optionally set a backoffLimit. If none is set, Jobs will use the cluster default + backoffLimit: + resources: {} + # Example reasonable setting for "resources": + # resources: + # limits: + # cpu: 100m + # memory: 256Mi + # requests: + # cpu: 50m + # memory: 128Mi + ## Optionally specify any extra sidecar containers to be included in the deployment + ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#container-v1-core + ## Keep in mind these containers should be terminated along with the main + ## migration containers + # sidecarContainers: + # - name: sidecar + # image: sidecar:latest + +# Kong's configuration for DB-less mode +# Note: Use this section only if you are deploying Kong in DB-less mode +# and not as an Ingress Controller. +dblessConfig: + # Either Kong's configuration is managed from an existing ConfigMap (with Key: kong.yml) + configMap: "" + # Or Kong's configuration is managed from an existing Secret (with Key: kong.yml) + secret: "" + # Or the configuration is passed in full-text below + config: | + # # _format_version: "1.1" + # # services: + # # # Example configuration + # # # - name: example.com + # # # url: http://example.com + # # # routes: + # # # - name: example + # # # paths: + # # # - "/example" + ## Optionally specify any extra sidecar containers to be included in the + ## migration jobs + ## See https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#container-v1-core + # sidecarContainers: + # - name: sidecar + # image: sidecar:latest + +# ----------------------------------------------------------------------------- +# Ingress Controller parameters +# ----------------------------------------------------------------------------- + +# Kong Ingress Controller's primary purpose is to satisfy Ingress resources +# created in k8s. It uses CRDs for more fine grained control over routing and +# for Kong specific configuration. +ingressController: + enabled: true + image: + repository: kong/kubernetes-ingress-controller + tag: "3.3" + # Optionally set a semantic version for version-gated features. This can normally + # be left unset. You only need to set this if your tag is not a semver string, + # such as when you are using a "next" tag. Set this to the effective semantic + # version of your tag: for example if using a "next" image for an unreleased 3.1.0 + # version, set this to "3.1.0". + effectiveSemver: + args: [] + + gatewayDiscovery: + enabled: false + generateAdminApiService: false + adminApiService: + namespace: "" + name: "" + + # Specify individual namespaces to watch for ingress configuration. By default, + # when no namespaces are set, the controller watches all namespaces and uses a + # ClusterRole to grant access to Kubernetes resources. When you list specific + # namespaces, the controller will watch those namespaces only and will create + # namespaced-scoped Roles for each of them. The controller will still use a + # ClusterRole for cluster-scoped resources. + # Requires controller 2.0.0 or newer. + watchNamespaces: [] + + # Specify Kong Ingress Controller configuration via environment variables + env: + # The controller disables TLS verification by default because Kong + # generates self-signed certificates by default. Set this to false once you + # have installed CA-signed certificates. + kong_admin_tls_skip_verify: true + # If using Kong Enterprise with RBAC enabled, uncomment the section below + # and specify the secret/key containing your admin token. + # kong_admin_token: + # valueFrom: + # secretKeyRef: + # name: CHANGEME-admin-token-secret + # key: CHANGEME-admin-token-key + + # This section is any customer specific environments variables that doesn't require CONTROLLER_ prefix. + # Example as below, uncomment if required and add additional attributes as required. + # customEnv: + # TZ: "Europe/Berlin" + + # Load all ConfigMap or Secret keys as environment variables: + # https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/#configure-all-key-value-pairs-in-a-configmap-as-container-environment-variables + envFrom: [] + + admissionWebhook: + enabled: true + filterSecrets: false + failurePolicy: Ignore + port: 8080 + certificate: + provided: false + namespaceSelector: {} + # Specifiy the secretName when the certificate is provided via a TLS secret + # secretName: "" + # Specifiy the CA bundle of the provided certificate. + # This is a PEM encoded CA bundle which will be used to validate the webhook certificate. If unspecified, system trust roots on the apiserver are used. + # caBundle: + # | Add the CA bundle content here. + service: + # Specify custom labels for the validation webhook service. + labels: {} + # Tune the default Kubernetes timeoutSeconds of 10 seconds + # timeoutSeconds: 10 + + ingressClass: kong + # annotations for IngressClass resource (Kubernetes 1.18+) + ingressClassAnnotations: {} + + ## Define any volumes and mounts you want present in the ingress controller container + ## Volumes are defined above in deployment.userDefinedVolumes + # userDefinedVolumeMounts: + # - name: "volumeName" + # mountPath: "/opt/user/dir/mount" + + rbac: + # Specifies whether RBAC resources should be created + create: true + + # general properties + livenessProbe: + httpGet: + path: "/healthz" + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + readinessProbe: + httpGet: + path: "/readyz" + port: 10254 + scheme: HTTP + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + resources: {} + # Example reasonable setting for "resources": + # resources: + # limits: + # cpu: 100m + # memory: 256Mi + # requests: + # cpu: 50m + # memory: 128Mi + + konnect: + enabled: false + # Deprecated: Specifies a Konnect Runtime Group's ID that the controller will push its data-plane config to. + runtimeGroupID: "" + # Specifies a Konnect Control Plane's ID that the controller will push its data-plane config to. + controlPlaneID: "" + + # Specifies a Konnect API hostname that the controller will use to push its data-plane config to. + # By default, this is set to US region's production API hostname. + # If you are using a different region, you can set this to the appropriate hostname (e.g. "eu.kic.api.konghq.com"). + apiHostname: "us.kic.api.konghq.com" + + # Specifies a secret that contains a client TLS certificate that the controller + # will use to authenticate against Konnect APIs. + tlsClientCertSecretName: "konnect-client-tls" + + license: + # Specifies whether the controller should fetch a license from Konnect and apply it to managed Gateways. + enabled: false + + adminApi: + tls: + client: + # Enable TLS client authentication for the Admin API. + enabled: false + + # If set to false, Helm will generate certificates for you. + # If set to true, you are expected to provide your own secret (see secretName, caSecretName). + certProvided: false + + # Client TLS certificate/key pair secret name that Ingress Controller will use to authenticate with Kong Admin API. + # If certProvided is set to false, it is optional (can be specified though if you want to force Helm to use + # a specific secret name). + secretName: "" + + # CA TLS certificate/key pair secret name that the client TLS certificate is signed by. + # If certProvided is set to false, it is optional (can be specified though if you want to force Helm to use + # a specific secret name). + caSecretName: "" + + +# ----------------------------------------------------------------------------- +# Postgres sub-chart parameters +# ----------------------------------------------------------------------------- + +# Kong can run without a database or use either Postgres or Cassandra +# as a backend datatstore for it's configuration. +# By default, this chart installs Kong without a database. + +# If you would like to use a database, there are two options: +# - (recommended) Deploy and maintain a database and pass the connection +# details to Kong via the `env` section. +# - You can use the below `postgresql` sub-chart to deploy a database +# along-with Kong as part of a single Helm release. Running a database +# independently is recommended for production, but the built-in Postgres is +# useful for quickly creating test instances. + +# PostgreSQL chart documentation: +# https://github.com/bitnami/charts/blob/master/bitnami/postgresql/README.md +# +# WARNING: by default, the Postgres chart generates a random password each +# time it upgrades, which breaks access to existing volumes. You should set a +# password explicitly: +# https://github.com/Kong/charts/blob/main/charts/kong/FAQs.md#kong-fails-to-start-after-helm-upgrade-when-postgres-is-used-what-do-i-do + +postgresql: + enabled: false + auth: + username: kong + database: kong + image: + # use postgres < 14 until is https://github.com/Kong/kong/issues/8533 resolved and released + # enterprise (kong-gateway) supports postgres 14 + tag: 13.11.0-debian-11-r20 + service: + ports: + postgresql: "5432" + +# ----------------------------------------------------------------------------- +# Configure cert-manager integration +# ----------------------------------------------------------------------------- + +certificates: + enabled: false + + # Set either `issuer` or `clusterIssuer` to the name of the desired cert manager issuer + # If left blank a built in self-signed issuer will be created and utilized + issuer: "" + clusterIssuer: "" + + # Set proxy.enabled to true to issue default kong-proxy certificate with cert-manager + proxy: + enabled: true + # Set `issuer` or `clusterIssuer` to name of alternate cert-manager clusterIssuer to override default + # self-signed issuer. + issuer: "" + clusterIssuer: "" + # Use commonName and dnsNames to set the common name and dns alt names which this + # certificate is valid for. Wildcard records are supported by the included self-signed issuer. + commonName: "app.example" + # Remove the "[]" and uncomment/change the examples to add SANs + dnsNames: [] + # - "app.example" + # - "*.apps.example" + # - "*.kong.example" + + # Set admin.enabled true to issue kong admin api and manager certificate with cert-manager + admin: + enabled: true + # Set `issuer` or `clusterIssuer` to name of alternate cert-manager clusterIssuer to override default + # self-signed issuer. + issuer: "" + clusterIssuer: "" + # Use commonName and dnsNames to set the common name and dns alt names which this + # certificate is valid for. Wildcard records are supported by the included self-signed issuer. + commonName: "kong.example" + # Remove the "[]" and uncomment/change the examples to add SANs + dnsNames: [] + # - "manager.kong.example" + + # Set portal.enabled to true to issue a developer portal certificate with cert-manager + portal: + enabled: true + # Set `issuer` or `clusterIssuer` to name of alternate cert-manager clusterIssuer to override default + # self-signed issuer. + issuer: "" + clusterIssuer: "" + # Use commonName and dnsNames to set the common name and dns alt names which this + # certificate is valid for. Wildcard records are supported by the included self-signed issuer. + commonName: "developer.example" + # Remove the "{}" and uncomment/change the examples to add SANs + dnsNames: [] + # - "manager.kong.example" + + # Set cluster.enabled true to issue kong hybrid mtls certificate with cert-manager + cluster: + enabled: true + # Issuers used by the control and data plane releases must match for this certificate. + issuer: "" + clusterIssuer: "" + commonName: "kong_clustering" + dnsNames: [] + +# ----------------------------------------------------------------------------- +# Miscellaneous parameters +# ----------------------------------------------------------------------------- + +waitImage: + # Wait for the database to come online before starting Kong or running migrations + # If Kong is to access the database through a service mesh that injects a sidecar to + # Kong's container, this must be disabled. Otherwise there'll be a deadlock: + # InitContainer waiting for DB access that requires the sidecar, and the sidecar + # waiting for InitContainers to finish. + enabled: true + # Optionally specify an image that provides bash for pre-migration database + # checks. If none is specified, the chart uses the Kong image. The official + # Kong images provide bash + # repository: bash + # tag: 5 + pullPolicy: IfNotPresent + +# update strategy +updateStrategy: {} + # type: RollingUpdate + # rollingUpdate: + # maxSurge: "100%" + # maxUnavailable: "0%" + +# If you want to specify resources, uncomment the following +# lines, adjust them as necessary, and remove the curly braces after 'resources:'. +resources: {} + # limits: + # cpu: 1 + # memory: 2G + # requests: + # cpu: 1 + # memory: 2G + +# readinessProbe for Kong pods +readinessProbe: + httpGet: + path: "/status/ready" + port: status + scheme: HTTP + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + +# livenessProbe for Kong pods +livenessProbe: + httpGet: + path: "/status" + port: status + scheme: HTTP + initialDelaySeconds: 5 + timeoutSeconds: 5 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 + +# startupProbe for Kong pods +# startupProbe: +# httpGet: +# path: "/status" +# port: status +# scheme: HTTP +# initialDelaySeconds: 5 +# timeoutSeconds: 5 +# periodSeconds: 2 +# successThreshold: 1 +# failureThreshold: 40 + +# Proxy container lifecycle hooks +# Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/ +lifecycle: + preStop: + exec: + # kong quit has a default timeout of 10 seconds, and a default wait of 0 seconds. + # Note: together they should be less than the terminationGracePeriodSeconds setting below. + command: + - kong + - quit + - '--wait=15' + +# Sets the termination grace period for pods spawned by the Kubernetes Deployment. +# Ref: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution +terminationGracePeriodSeconds: 30 + +# Affinity for pod assignment +# Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity +# affinity: {} + +# Topology spread constraints for pod assignment (requires Kubernetes >= 1.19) +# Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/ +# topologySpreadConstraints: [] + +# Tolerations for pod assignment +# Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/ +tolerations: [] + +# Node labels for pod assignment +# Ref: https://kubernetes.io/docs/user-guide/node-selection/ +nodeSelector: {} + +# Annotation to be added to Kong pods +podAnnotations: + kuma.io/gateway: enabled + traffic.sidecar.istio.io/includeInboundPorts: "" + +# Labels to be added to Kong pods +podLabels: {} + +# Kong pod count. +# It has no effect when autoscaling.enabled is set to true +replicaCount: 1 + +# Annotations to be added to Kong deployment +deploymentAnnotations: {} + +# Enable autoscaling using HorizontalPodAutoscaler +# When configuring an HPA, you must set resource requests on all containers via +# "resources" and, if using the controller, "ingressController.resources" in values.yaml +autoscaling: + enabled: false + minReplicas: 2 + maxReplicas: 5 + behavior: {} + ## targetCPUUtilizationPercentage only used if the cluster doesn't support autoscaling/v2 or autoscaling/v2beta + targetCPUUtilizationPercentage: + ## Otherwise for clusters that do support autoscaling/v2 or autoscaling/v2beta, use metrics + metrics: + - type: Resource + resource: + name: cpu + target: + type: Utilization + averageUtilization: 80 + +# Kong Pod Disruption Budget +podDisruptionBudget: + enabled: false + # Uncomment only one of the following when enabled is set to true + # maxUnavailable: "50%" + # minAvailable: "50%" + +podSecurityPolicy: + enabled: false + labels: {} + annotations: {} + spec: + privileged: false + fsGroup: + rule: RunAsAny + runAsUser: + rule: RunAsAny + runAsGroup: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + volumes: + - 'configMap' + - 'secret' + - 'emptyDir' + - 'projected' + allowPrivilegeEscalation: false + hostNetwork: false + hostIPC: false + hostPID: false + # Make the root filesystem read-only. This is not compatible with Kong Enterprise <1.5. + # If you use Kong Enterprise <1.5, this must be set to false. + readOnlyRootFilesystem: true + + +priorityClassName: "" + +# securityContext for Kong pods. +securityContext: {} + +# securityContext for containers. +containerSecurityContext: + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + runAsUser: 1000 + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + capabilities: + drop: + - ALL + +## Optional DNS configuration for Kong pods +# dnsPolicy: ClusterFirst +# dnsConfig: +# nameservers: +# - "10.100.0.10" +# options: +# - name: ndots +# value: "5" +# searches: +# - default.svc.cluster.local +# - svc.cluster.local +# - cluster.local +# - us-east-1.compute.internal + +serviceMonitor: + # Specifies whether ServiceMonitor for Prometheus operator should be created + # If you wish to gather metrics from a Kong instance with the proxy disabled (such as a hybrid control plane), see: + # https://github.com/Kong/charts/blob/main/charts/kong/README.md#prometheus-operator-integration + enabled: false + # interval: 30s + # Specifies namespace, where ServiceMonitor should be installed + # namespace: monitoring + # labels: + # foo: bar + # targetLabels: + # - foo + + # honorLabels: false + # metricRelabelings: [] + # relabelings: [] + +# ----------------------------------------------------------------------------- +# Kong Enterprise parameters +# ----------------------------------------------------------------------------- + +# Toggle Kong Enterprise features on or off +# RBAC and SMTP configuration have additional options that must all be set together +# Other settings should be added to the "env" settings below +enterprise: + enabled: false + # Kong Enterprise license secret name + # This secret must contain a single 'license' key, containing your base64-encoded license data + # The license secret is required to unlock all Enterprise features. If you omit it, + # Kong will run in free mode, with some Enterprise features disabled. + # license_secret: kong-enterprise-license + vitals: + enabled: true + portal: + enabled: false + rbac: + enabled: false + admin_gui_auth: basic-auth + # If RBAC is enabled, this Secret must contain an admin_gui_session_conf key + # The key value must be a secret configuration, following the example at + # https://docs.konghq.com/enterprise/latest/kong-manager/authentication/sessions + # If using 3.6+ and OIDC, session configuration is instead handled in the auth configuration, + # and this field can be left empty. + session_conf_secret: "kong-session-config" # CHANGEME + # If admin_gui_auth is not set to basic-auth, provide a secret name which + # has an admin_gui_auth_conf key containing the plugin config JSON + admin_gui_auth_conf_secret: CHANGEME-admin-gui-auth-conf-secret + # For configuring emails and SMTP, please read through: + # https://docs.konghq.com/enterprise/latest/developer-portal/configuration/smtp + # https://docs.konghq.com/enterprise/latest/kong-manager/networking/email + smtp: + enabled: false + portal_emails_from: none@example.com + portal_emails_reply_to: none@example.com + admin_emails_from: none@example.com + admin_emails_reply_to: none@example.com + smtp_admin_emails: none@example.com + smtp_host: smtp.example.com + smtp_port: 587 + smtp_auth_type: '' + smtp_ssl: nil + smtp_starttls: true + auth: + # If your SMTP server does not require authentication, this section can + # be left as-is. If smtp_username is set to anything other than an empty + # string, you must create a Secret with an smtp_password key containing + # your SMTP password and specify its name here. + smtp_username: '' # e.g. postmaster@example.com + smtp_password_secret: CHANGEME-smtp-password + +manager: + # Enable creating a Kubernetes service for Kong Manager + enabled: true + type: NodePort + loadBalancerClass: + # To specify annotations or labels for the Manager service, add them to the respective + # "annotations" or "labels" dictionaries below. + annotations: {} + # service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*" + labels: {} + + http: + # Enable plaintext HTTP listen for Kong Manager + enabled: true + servicePort: 8002 + containerPort: 8002 + # Set a nodePort which is available if service type is NodePort + # nodePort: 32080 + # Additional listen parameters, e.g. "reuseport", "backlog=16384" + parameters: [] + + tls: + # Enable HTTPS listen for Kong Manager + enabled: true + servicePort: 8445 + containerPort: 8445 + # Set a nodePort which is available if service type is NodePort + # nodePort: 32443 + # Additional listen parameters, e.g. "reuseport", "backlog=16384" + parameters: + - http2 + + ingress: + # Enable/disable exposure using ingress. + enabled: false + ingressClassName: + # TLS secret name. + # tls: kong-manager.example.com-tls + # Ingress hostname + hostname: + # Map of ingress annotations. + annotations: {} + # Ingress path. + path: / + # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix) + pathType: ImplementationSpecific + +portal: + # Enable creating a Kubernetes service for the Developer Portal + enabled: true + type: NodePort + loadBalancerClass: + # To specify annotations or labels for the Portal service, add them to the respective + # "annotations" or "labels" dictionaries below. + annotations: {} + # service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*" + labels: {} + + http: + # Enable plaintext HTTP listen for the Developer Portal + enabled: true + servicePort: 8003 + containerPort: 8003 + # Set a nodePort which is available if service type is NodePort + # nodePort: 32080 + # Additional listen parameters, e.g. "reuseport", "backlog=16384" + parameters: [] + + tls: + # Enable HTTPS listen for the Developer Portal + enabled: true + servicePort: 8446 + containerPort: 8446 + # Set a nodePort which is available if service type is NodePort + # nodePort: 32443 + # Additional listen parameters, e.g. "reuseport", "backlog=16384" + parameters: + - http2 + + ingress: + # Enable/disable exposure using ingress. + enabled: false + ingressClassName: + # TLS secret name. + # tls: kong-portal.example.com-tls + # Ingress hostname + hostname: + # Map of ingress annotations. + annotations: {} + # Ingress path. + path: / + # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix) + pathType: ImplementationSpecific + +portalapi: + # Enable creating a Kubernetes service for the Developer Portal API + enabled: true + type: NodePort + loadBalancerClass: + # To specify annotations or labels for the Portal API service, add them to the respective + # "annotations" or "labels" dictionaries below. + annotations: {} + # service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*" + labels: {} + + http: + # Enable plaintext HTTP listen for the Developer Portal API + enabled: true + servicePort: 8004 + containerPort: 8004 + # Set a nodePort which is available if service type is NodePort + # nodePort: 32080 + # Additional listen parameters, e.g. "reuseport", "backlog=16384" + parameters: [] + + tls: + # Enable HTTPS listen for the Developer Portal API + enabled: true + servicePort: 8447 + containerPort: 8447 + # Set a nodePort which is available if service type is NodePort + # nodePort: 32443 + # Additional listen parameters, e.g. "reuseport", "backlog=16384" + parameters: + - http2 + + ingress: + # Enable/disable exposure using ingress. + enabled: false + ingressClassName: + # TLS secret name. + # tls: kong-portalapi.example.com-tls + # Ingress hostname + hostname: + # Map of ingress annotations. + annotations: {} + # Ingress path. + path: / + # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix) + pathType: ImplementationSpecific + +clustertelemetry: + enabled: false + # To specify annotations or labels for the cluster telemetry service, add them to the respective + # "annotations" or "labels" dictionaries below. + annotations: {} + # service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*" + labels: {} + + tls: + enabled: false + servicePort: 8006 + containerPort: 8006 + parameters: [] + + type: ClusterIP + loadBalancerClass: + + # Kong clustertelemetry ingress settings. Useful if you want to split + # CP and DP in different clusters. + ingress: + # Enable/disable exposure using ingress. + enabled: false + ingressClassName: + # TLS secret name. + # tls: kong-clustertelemetry.example.com-tls + # Ingress hostname + hostname: + # Map of ingress annotations. + annotations: {} + # Ingress path. + path: / + # Each path in an Ingress is required to have a corresponding path type. (ImplementationSpecific/Exact/Prefix) + pathType: ImplementationSpecific + +extraConfigMaps: [] +# extraConfigMaps: +# - name: my-config-map +# mountPath: /mount/to/my/location +# subPath: my-subpath # Optional, if you wish to mount a single key and not the entire ConfigMap + +extraSecrets: [] +# extraSecrets: +# - name: my-secret +# mountPath: /mount/to/my/location +# subPath: my-subpath # Optional, if you wish to mount a single key and not the entire ConfigMap + +extraObjects: [] +# extraObjects: +# - apiVersion: configuration.konghq.com/v1 +# kind: KongClusterPlugin +# metadata: +# name: prometheus +# config: +# per_consumer: false +# plugin: prometheus diff --git a/charts/linkerd/linkerd-control-plane/2024.8.2/Chart.yaml b/charts/linkerd/linkerd-control-plane/2024.8.2/Chart.yaml index f342e868d..e04e3c15a 100644 --- a/charts/linkerd/linkerd-control-plane/2024.8.2/Chart.yaml +++ b/charts/linkerd/linkerd-control-plane/2024.8.2/Chart.yaml @@ -2,7 +2,6 @@ annotations: catalog.cattle.io/auto-install: linkerd-crds catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Linkerd Control Plane - catalog.cattle.io/featured: "5" catalog.cattle.io/kube-version: '>=1.22.0-0' catalog.cattle.io/release-name: linkerd-control-plane apiVersion: v2 diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/.helmignore b/charts/linkerd/linkerd-control-plane/2024.8.3/.helmignore new file mode 100644 index 000000000..79c90a806 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +OWNERS +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/Chart.lock b/charts/linkerd/linkerd-control-plane/2024.8.3/Chart.lock new file mode 100644 index 000000000..a0cb7ec8c --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: partials + repository: file://../partials + version: 0.1.0 +digest: sha256:8e42f9c9d4a2dc883f17f94d6044c97518ced19ad0922f47b8760e47135369ba +generated: "2021-12-06T11:42:50.784240359-05:00" diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/Chart.yaml b/charts/linkerd/linkerd-control-plane/2024.8.3/Chart.yaml new file mode 100644 index 000000000..f3088b0a5 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/Chart.yaml @@ -0,0 +1,29 @@ +annotations: + catalog.cattle.io/auto-install: linkerd-crds + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Linkerd Control Plane + catalog.cattle.io/featured: "5" + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: linkerd-control-plane +apiVersion: v2 +appVersion: edge-24.8.3 +dependencies: +- name: partials + repository: file://./charts/partials + version: 0.1.0 +description: 'Linkerd gives you observability, reliability, and security for your + microservices — with no code change required. ' +home: https://linkerd.io +icon: file://assets/icons/linkerd-control-plane.png +keywords: +- service-mesh +kubeVersion: '>=1.22.0-0' +maintainers: +- email: cncf-linkerd-dev@lists.cncf.io + name: Linkerd authors + url: https://linkerd.io/ +name: linkerd-control-plane +sources: +- https://github.com/linkerd/linkerd2/ +type: application +version: 2024.8.3 diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/README.md b/charts/linkerd/linkerd-control-plane/2024.8.3/README.md new file mode 100644 index 000000000..3d871f7a7 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/README.md @@ -0,0 +1,312 @@ +# linkerd-control-plane + +Linkerd gives you observability, reliability, and security +for your microservices — with no code change required. + +![Version: 2024.8.3](https://img.shields.io/badge/Version-2024.8.3-informational?style=flat-square) +![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) +![AppVersion: edge-XX.X.X](https://img.shields.io/badge/AppVersion-edge--XX.X.X-informational?style=flat-square) + +**Homepage:** + +## Quickstart and documentation + +You can run Linkerd on any Kubernetes cluster in a matter of seconds. See the +[Linkerd Getting Started Guide][getting-started] for how. + +For more comprehensive documentation, start with the [Linkerd +docs][linkerd-docs]. + +## Prerequisite: linkerd-crds chart + +Before installing this chart, please install the `linkerd-crds` chart, which +creates all the CRDs that the components from the current chart require. + +## Prerequisite: identity certificates + +The identity component of Linkerd requires setting up a trust anchor +certificate, and an issuer certificate with its key. These need to be provided +to Helm by the user (unlike when using the `linkerd install` CLI which can +generate these automatically). You can provide your own, or follow [these +instructions](https://linkerd.io/2/tasks/generate-certificates/) to generate new +ones. + +Alternatively, both trust anchor and identity issuer certificates may be +derived from in-cluster resources. Existing CA (trust anchor) certificates +**must** live in a `ConfigMap` resource named `linkerd-identity-trust-roots`. +Issuer certificates **must** live in a `Secret` named +`linkerd-identity-issuer`. Both resources should exist in the control-plane's +install namespace. In order to use an existing CA, Linkerd needs to be +installed with `identity.externalCA=true`. To use an existing issuer +certificate, Linkerd should be installed with +`identity.issuer.scheme=kubernetes.io/tls`. + +A more comprehensive description is in the [automatic certificate rotation +guide](https://linkerd.io/2.12/tasks/automatically-rotating-control-plane-tls-credentials/#a-note-on-third-party-cert-management-solutions). + +Note that the provided certificates must be ECDSA certificates. + +## Adding Linkerd's Helm repository + +Included here for completeness-sake, but should have already been added when +`linkerd-base` was installed. + +```bash +# To add the repo for Linkerd edge releases: +helm repo add linkerd https://helm.linkerd.io/edge +``` + +## Installing the chart + +You must provide the certificates and keys described in the preceding section, +and the same expiration date you used to generate the Issuer certificate. + +```bash +helm install linkerd-control-plane -n linkerd \ + --set-file identityTrustAnchorsPEM=ca.crt \ + --set-file identity.issuer.tls.crtPEM=issuer.crt \ + --set-file identity.issuer.tls.keyPEM=issuer.key \ + linkerd/linkerd-control-plane +``` + +Note that you require to install this chart in the same namespace you installed +the `linkerd-base` chart. + +## Setting High-Availability + +Besides the default `values.yaml` file, the chart provides a `values-ha.yaml` +file that overrides some default values as to set things up under a +high-availability scenario, analogous to the `--ha` option in `linkerd install`. +Values such as higher number of replicas, higher memory/cpu limits and +affinities are specified in that file. + +You can get ahold of `values-ha.yaml` by fetching the chart files: + +```bash +helm fetch --untar linkerd/linkerd-control-plane +``` + +Then use the `-f` flag to provide the override file, for example: + +```bash +helm install linkerd-control-plane -n linkerd \ + --set-file identityTrustAnchorsPEM=ca.crt \ + --set-file identity.issuer.tls.crtPEM=issuer.crt \ + --set-file identity.issuer.tls.keyPEM=issuer.key \ + -f linkerd2/values-ha.yaml + linkerd/linkerd-control-plane +``` + +## Get involved + +* Check out Linkerd's source code at [GitHub][linkerd2]. +* Join Linkerd's [user mailing list][linkerd-users], [developer mailing + list][linkerd-dev], and [announcements mailing list][linkerd-announce]. +* Follow [@linkerd][twitter] on Twitter. +* Join the [Linkerd Slack][slack]. + +[getting-started]: https://linkerd.io/2/getting-started/ +[linkerd2]: https://github.com/linkerd/linkerd2 +[linkerd-announce]: https://lists.cncf.io/g/cncf-linkerd-announce +[linkerd-dev]: https://lists.cncf.io/g/cncf-linkerd-dev +[linkerd-docs]: https://linkerd.io/2/overview/ +[linkerd-users]: https://lists.cncf.io/g/cncf-linkerd-users +[slack]: http://slack.linkerd.io +[twitter]: https://twitter.com/linkerd + +## Extensions for Linkerd + +The current chart installs the core Linkerd components, which grant you +reliability and security features. Other functionality is available through +extensions. Check the corresponding docs for each one of the following +extensions: + +* Observability: + [Linkerd-viz](https://github.com/linkerd/linkerd2/blob/main/viz/charts/linkerd-viz/README.md) +* Multicluster: + [Linkerd-multicluster](https://github.com/linkerd/linkerd2/blob/main/multicluster/charts/linkerd-multicluster/README.md) +* Tracing: + [Linkerd-jaeger](https://github.com/linkerd/linkerd2/blob/main/jaeger/charts/linkerd-jaeger/README.md) + +## Requirements + +Kubernetes: `>=1.22.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| file://../partials | partials | 0.1.0 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| clusterDomain | string | `"cluster.local"` | Kubernetes DNS Domain name to use | +| clusterNetworks | string | `"10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8"` | The cluster networks for which service discovery is performed. This should include the pod and service networks, but need not include the node network. By default, all IPv4 private networks and all accepted IPv6 ULAs are specified so that resolution works in typical Kubernetes environments. | +| cniEnabled | bool | `false` | enabling this omits the NET_ADMIN capability in the PSP and the proxy-init container when injecting the proxy; requires the linkerd-cni plugin to already be installed | +| commonLabels | object | `{}` | Labels to apply to all resources | +| controlPlaneTracing | bool | `false` | enables control plane tracing | +| controlPlaneTracingNamespace | string | `"linkerd-jaeger"` | namespace to send control plane traces to | +| controller.podDisruptionBudget | object | `{"maxUnavailable":1}` | sets pod disruption budget parameter for all deployments | +| controller.podDisruptionBudget.maxUnavailable | int | `1` | Maximum number of pods that can be unavailable during disruption | +| controllerGID | int | `-1` | Optional customisation of the group ID for the control plane components (the group ID will be omitted if lower than 0) | +| controllerImage | string | `"cr.l5d.io/linkerd/controller"` | Docker image for the destination and identity components | +| controllerImageVersion | string | `""` | Optionally allow a specific container image Tag (or SHA) to be specified for the controllerImage. | +| controllerLogFormat | string | `"plain"` | Log format for the control plane components | +| controllerLogLevel | string | `"info"` | Log level for the control plane components | +| controllerReplicas | int | `1` | Number of replicas for each control plane pod | +| controllerUID | int | `2103` | User ID for the control plane components | +| debugContainer.image.name | string | `"cr.l5d.io/linkerd/debug"` | Docker image for the debug container | +| debugContainer.image.pullPolicy | string | imagePullPolicy | Pull policy for the debug container image | +| debugContainer.image.version | string | linkerdVersion | Tag for the debug container image | +| deploymentStrategy | object | `{"rollingUpdate":{"maxSurge":"25%","maxUnavailable":"25%"}}` | default kubernetes deployment strategy | +| destinationController.meshedHttp2ClientProtobuf.keep_alive.interval.seconds | int | `10` | | +| destinationController.meshedHttp2ClientProtobuf.keep_alive.timeout.seconds | int | `3` | | +| destinationController.meshedHttp2ClientProtobuf.keep_alive.while_idle | bool | `true` | | +| disableHeartBeat | bool | `false` | Set to true to not start the heartbeat cronjob | +| disableIPv6 | bool | `true` | disables routing IPv6 traffic in addition to IPv4 traffic through the proxy (IPv6 routing only available as of proxy-init v2.3.0 and linkerd-cni v1.4.0) | +| enableEndpointSlices | bool | `true` | enables the use of EndpointSlice informers for the destination service; enableEndpointSlices should be set to true only if EndpointSlice K8s feature gate is on | +| enableH2Upgrade | bool | `true` | Allow proxies to perform transparent HTTP/2 upgrading | +| enablePSP | bool | `false` | Add a PSP resource and bind it to the control plane ServiceAccounts. Note PSP has been deprecated since k8s v1.21 | +| enablePodAntiAffinity | bool | `false` | enables pod anti affinity creation on deployments for high availability | +| enablePodDisruptionBudget | bool | `false` | enables the creation of pod disruption budgets for control plane components | +| enablePprof | bool | `false` | enables the use of pprof endpoints on control plane component's admin servers | +| identity.externalCA | bool | `false` | If the linkerd-identity-trust-roots ConfigMap has already been created | +| identity.issuer.clockSkewAllowance | string | `"20s"` | Amount of time to allow for clock skew within a Linkerd cluster | +| identity.issuer.issuanceLifetime | string | `"24h0m0s"` | Amount of time for which the Identity issuer should certify identity | +| identity.issuer.scheme | string | `"linkerd.io/tls"` | | +| identity.issuer.tls | object | `{"crtPEM":"","keyPEM":""}` | Which scheme is used for the identity issuer secret format | +| identity.issuer.tls.crtPEM | string | `""` | Issuer certificate (ECDSA). It must be provided during install. | +| identity.issuer.tls.keyPEM | string | `""` | Key for the issuer certificate (ECDSA). It must be provided during install | +| identity.kubeAPI.clientBurst | int | `200` | Burst value over clientQPS | +| identity.kubeAPI.clientQPS | int | `100` | Maximum QPS sent to the kube-apiserver before throttling. See [token bucket rate limiter implementation](https://github.com/kubernetes/client-go/blob/v12.0.0/util/flowcontrol/throttle.go) | +| identity.serviceAccountTokenProjection | bool | `true` | Use [Service Account token Volume projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) for pod validation instead of the default token | +| identityTrustAnchorsPEM | string | `""` | Trust root certificate (ECDSA). It must be provided during install. | +| identityTrustDomain | string | clusterDomain | Trust domain used for identity | +| imagePullPolicy | string | `"IfNotPresent"` | Docker image pull policy | +| imagePullSecrets | list | `[]` | For Private docker registries, authentication is needed. Registry secrets are applied to the respective service accounts | +| kubeAPI.clientBurst | int | `200` | Burst value over clientQPS | +| kubeAPI.clientQPS | int | `100` | Maximum QPS sent to the kube-apiserver before throttling. See [token bucket rate limiter implementation](https://github.com/kubernetes/client-go/blob/v12.0.0/util/flowcontrol/throttle.go) | +| linkerdVersion | string | `"linkerdVersionValue"` | control plane version. See Proxy section for proxy version | +| networkValidator.connectAddr | string | `""` | Address to which the network-validator will attempt to connect. This should be an IP that the cluster is expected to be able to reach but a port it should not, e.g., a public IP for public clusters and a private IP for air-gapped clusters with a port like 20001. If empty, defaults to 1.1.1.1:20001 and [fd00::1]:20001 for IPv4 and IPv6 respectively. | +| networkValidator.enableSecurityContext | bool | `true` | Include a securityContext in the network-validator pod spec | +| networkValidator.listenAddr | string | `""` | Address to which network-validator listens to requests from itself. If empty, defaults to 0.0.0.0:4140 and [::]:4140 for IPv4 and IPv6 respectively. | +| networkValidator.logFormat | string | plain | Log format (`plain` or `json`) for network-validator | +| networkValidator.logLevel | string | debug | Log level for the network-validator | +| networkValidator.timeout | string | `"10s"` | Timeout before network-validator fails to validate the pod's network connectivity | +| nodeSelector | object | `{"kubernetes.io/os":"linux"}` | NodeSelector section, See the [K8S documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) for more information | +| podAnnotations | object | `{}` | Additional annotations to add to all pods | +| podLabels | object | `{}` | Additional labels to add to all pods | +| podMonitor.controller.enabled | bool | `true` | Enables the creation of PodMonitor for the control-plane | +| podMonitor.controller.namespaceSelector | string | `"matchNames:\n - {{ .Release.Namespace }}\n - linkerd-viz\n - linkerd-jaeger\n"` | Selector to select which namespaces the Endpoints objects are discovered from | +| podMonitor.enabled | bool | `false` | Enables the creation of Prometheus Operator [PodMonitor](https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PodMonitor) | +| podMonitor.labels | object | `{}` | Labels to apply to all pod Monitors | +| podMonitor.proxy.enabled | bool | `true` | Enables the creation of PodMonitor for the data-plane | +| podMonitor.scrapeInterval | string | `"10s"` | Interval at which metrics should be scraped | +| podMonitor.scrapeTimeout | string | `"10s"` | Iimeout after which the scrape is ended | +| podMonitor.serviceMirror.enabled | bool | `true` | Enables the creation of PodMonitor for the Service Mirror component | +| policyController.image.name | string | `"cr.l5d.io/linkerd/policy-controller"` | Docker image for the policy controller | +| policyController.image.pullPolicy | string | imagePullPolicy | Pull policy for the policy controller container image | +| policyController.image.version | string | linkerdVersion | Tag for the policy controller container image | +| policyController.logLevel | string | `"info"` | Log level for the policy controller | +| policyController.probeNetworks | list | `["0.0.0.0/0","::/0"]` | The networks from which probes are performed. By default, all networks are allowed so that all probes are authorized. | +| policyController.resources | object | `{"cpu":{"limit":"","request":""},"ephemeral-storage":{"limit":"","request":""},"memory":{"limit":"","request":""}}` | policy controller resource requests & limits | +| policyController.resources.cpu.limit | string | `""` | Maximum amount of CPU units that the policy controller can use | +| policyController.resources.cpu.request | string | `""` | Amount of CPU units that the policy controller requests | +| policyController.resources.ephemeral-storage.limit | string | `""` | Maximum amount of ephemeral storage that the policy controller can use | +| policyController.resources.ephemeral-storage.request | string | `""` | Amount of ephemeral storage that the policy controller requests | +| policyController.resources.memory.limit | string | `""` | Maximum amount of memory that the policy controller can use | +| policyController.resources.memory.request | string | `""` | Maximum amount of memory that the policy controller requests | +| policyValidator.caBundle | string | `""` | Bundle of CA certificates for proxy injector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for `policyValidator.crtPEM`. If `policyValidator.externalSecret` is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information. | +| policyValidator.crtPEM | string | `""` | Certificate for the policy validator. If not provided and not using an external secret then Helm will generate one. | +| policyValidator.externalSecret | bool | `false` | Do not create a secret resource for the policyValidator webhook. If this is set to `true`, the value `policyValidator.caBundle` must be set or the ca bundle must injected with cert-manager ca injector using `policyValidator.injectCaFrom` or `policyValidator.injectCaFromSecret` (see below). | +| policyValidator.injectCaFrom | string | `""` | Inject the CA bundle from a cert-manager Certificate. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource) for more information. | +| policyValidator.injectCaFromSecret | string | `""` | Inject the CA bundle from a Secret. If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. The Secret must have the CA Bundle stored in the `ca.crt` key and have the `cert-manager.io/allow-direct-injection` annotation set to `true`. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) for more information. | +| policyValidator.keyPEM | string | `""` | Certificate key for the policy validator. If not provided and not using an external secret then Helm will generate one. | +| policyValidator.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]}]}` | Namespace selector used by admission webhook | +| priorityClassName | string | `""` | Kubernetes priorityClassName for the Linkerd Pods | +| profileValidator.caBundle | string | `""` | Bundle of CA certificates for proxy injector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for `profileValidator.crtPEM`. If `profileValidator.externalSecret` is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information. | +| profileValidator.crtPEM | string | `""` | Certificate for the service profile validator. If not provided and not using an external secret then Helm will generate one. | +| profileValidator.externalSecret | bool | `false` | Do not create a secret resource for the profileValidator webhook. If this is set to `true`, the value `proxyInjector.caBundle` must be set or the ca bundle must injected with cert-manager ca injector using `proxyInjector.injectCaFrom` or `proxyInjector.injectCaFromSecret` (see below). | +| profileValidator.injectCaFrom | string | `""` | Inject the CA bundle from a cert-manager Certificate. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource) for more information. | +| profileValidator.injectCaFromSecret | string | `""` | Inject the CA bundle from a Secret. If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. The Secret must have the CA Bundle stored in the `ca.crt` key and have the `cert-manager.io/allow-direct-injection` annotation set to `true`. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) for more information. | +| profileValidator.keyPEM | string | `""` | Certificate key for the service profile validator. If not provided and not using an external secret then Helm will generate one. | +| profileValidator.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]}]}` | Namespace selector used by admission webhook | +| prometheusUrl | string | `""` | url of external prometheus instance (used for the heartbeat) | +| proxy.await | bool | `true` | If set, the application container will not start until the proxy is ready | +| proxy.control.streams.idleTimeout | string | `"5m"` | The timeout between consecutive updates from the control plane. | +| proxy.control.streams.initialTimeout | string | `"3s"` | The timeout for the first update from the control plane. | +| proxy.control.streams.lifetime | string | `"1h"` | The maximum duration for a response stream (i.e. before it will be reinitialized). | +| proxy.cores | int | `0` | The `cpu.limit` and `cores` should be kept in sync. The value of `cores` must be an integer and should typically be set by rounding up from the limit. E.g. if cpu.limit is '1500m', cores should be 2. | +| proxy.defaultInboundPolicy | string | "all-unauthenticated" | The default allow policy to use when no `Server` selects a pod. One of: "all-authenticated", "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny", "audit" | +| proxy.disableInboundProtocolDetectTimeout | bool | `false` | When set to true, disables the protocol detection timeout on the inbound side of the proxy by setting it to a very high value | +| proxy.disableOutboundProtocolDetectTimeout | bool | `false` | When set to true, disables the protocol detection timeout on the outbound side of the proxy by setting it to a very high value | +| proxy.enableExternalProfiles | bool | `false` | Enable service profiles for non-Kubernetes services | +| proxy.enableShutdownEndpoint | bool | `false` | Enables the proxy's /shutdown admin endpoint | +| proxy.gid | int | `-1` | Optional customisation of the group id under which the proxy runs (the group ID will be omitted if lower than 0) | +| proxy.image.name | string | `"cr.l5d.io/linkerd/proxy"` | Docker image for the proxy | +| proxy.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy container image | +| proxy.image.version | string | linkerdVersion | Tag for the proxy container image | +| proxy.inbound.server.http2.keepAliveInterval | string | `"10s"` | The interval at which PINGs are issued to remote HTTP/2 clients. | +| proxy.inbound.server.http2.keepAliveTimeout | string | `"3s"` | The timeout within which keep-alive PINGs must be acknowledged on inbound HTTP/2 connections. | +| proxy.inboundConnectTimeout | string | `"100ms"` | Maximum time allowed for the proxy to establish an inbound TCP connection | +| proxy.inboundDiscoveryCacheUnusedTimeout | string | `"90s"` | Maximum time allowed before an unused inbound discovery result is evicted from the cache | +| proxy.livenessProbe | object | `{"initialDelaySeconds":10,"timeoutSeconds":1}` | LivenessProbe timeout and delay configuration | +| proxy.logFormat | string | `"plain"` | Log format (`plain` or `json`) for the proxy | +| proxy.logHTTPHeaders | `off` or `insecure` | `"off"` | If set to `off`, will prevent the proxy from logging HTTP headers. If set to `insecure`, HTTP headers may be logged verbatim. Note that setting this to `insecure` is not alone sufficient to log HTTP headers; the proxy logLevel must also be set to debug. | +| proxy.logLevel | string | `"warn,linkerd=info,hickory=error"` | Log level for the proxy | +| proxy.nativeSidecar | bool | `false` | Enable KEP-753 native sidecars This is an experimental feature. It requires Kubernetes >= 1.29. If enabled, .proxy.waitBeforeExitSeconds should not be used. | +| proxy.opaquePorts | string | `"25,587,3306,4444,5432,6379,9300,11211"` | Default set of opaque ports - SMTP (25,587) server-first - MYSQL (3306) server-first - Galera (4444) server-first - PostgreSQL (5432) server-first - Redis (6379) server-first - ElasticSearch (9300) server-first - Memcached (11211) clients do not issue any preamble, which breaks detection | +| proxy.outbound.server.http2.keepAliveInterval | string | `"10s"` | The interval at which PINGs are issued to local application HTTP/2 clients. | +| proxy.outbound.server.http2.keepAliveTimeout | string | `"3s"` | The timeout within which keep-alive PINGs must be acknowledged on outbound HTTP/2 connections. | +| proxy.outboundConnectTimeout | string | `"1000ms"` | Maximum time allowed for the proxy to establish an outbound TCP connection | +| proxy.outboundDiscoveryCacheUnusedTimeout | string | `"5s"` | Maximum time allowed before an unused outbound discovery result is evicted from the cache | +| proxy.ports.admin | int | `4191` | Admin port for the proxy container | +| proxy.ports.control | int | `4190` | Control port for the proxy container | +| proxy.ports.inbound | int | `4143` | Inbound port for the proxy container | +| proxy.ports.outbound | int | `4140` | Outbound port for the proxy container | +| proxy.readinessProbe | object | `{"initialDelaySeconds":2,"timeoutSeconds":1}` | ReadinessProbe timeout and delay configuration | +| proxy.requireIdentityOnInboundPorts | string | `""` | | +| proxy.resources.cpu.limit | string | `""` | Maximum amount of CPU units that the proxy can use | +| proxy.resources.cpu.request | string | `""` | Amount of CPU units that the proxy requests | +| proxy.resources.ephemeral-storage.limit | string | `""` | Maximum amount of ephemeral storage that the proxy can use | +| proxy.resources.ephemeral-storage.request | string | `""` | Amount of ephemeral storage that the proxy requests | +| proxy.resources.memory.limit | string | `""` | Maximum amount of memory that the proxy can use | +| proxy.resources.memory.request | string | `""` | Maximum amount of memory that the proxy requests | +| proxy.shutdownGracePeriod | string | `""` | Grace period for graceful proxy shutdowns. If this timeout elapses before all open connections have completed, the proxy will terminate forcefully, closing any remaining connections. | +| proxy.startupProbe.failureThreshold | int | `120` | | +| proxy.startupProbe.initialDelaySeconds | int | `0` | | +| proxy.startupProbe.periodSeconds | int | `1` | | +| proxy.uid | int | `2102` | User id under which the proxy runs | +| proxy.waitBeforeExitSeconds | int | `0` | If set the injected proxy sidecars in the data plane will stay alive for at least the given period before receiving the SIGTERM signal from Kubernetes but no longer than the pod's `terminationGracePeriodSeconds`. See [Lifecycle hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks) for more info on container lifecycle hooks. | +| proxyInit.closeWaitTimeoutSecs | int | `0` | | +| proxyInit.ignoreInboundPorts | string | `"4567,4568"` | Default set of inbound ports to skip via iptables - Galera (4567,4568) | +| proxyInit.ignoreOutboundPorts | string | `"4567,4568"` | Default set of outbound ports to skip via iptables - Galera (4567,4568) | +| proxyInit.image.name | string | `"cr.l5d.io/linkerd/proxy-init"` | Docker image for the proxy-init container | +| proxyInit.image.pullPolicy | string | imagePullPolicy | Pull policy for the proxy-init container image | +| proxyInit.image.version | string | `"v2.4.1"` | Tag for the proxy-init container image | +| proxyInit.iptablesMode | string | `"legacy"` | Variant of iptables that will be used to configure routing. Currently, proxy-init can be run either in 'nft' or in 'legacy' mode. The mode will control which utility binary will be called. The host must support whichever mode will be used | +| proxyInit.kubeAPIServerPorts | string | `"443,6443"` | Default set of ports to skip via iptables for control plane components so they can communicate with the Kubernetes API Server | +| proxyInit.logFormat | string | plain | Log format (`plain` or `json`) for the proxy-init | +| proxyInit.logLevel | string | info | Log level for the proxy-init | +| proxyInit.privileged | bool | false | Privileged mode allows the container processes to inherit all security capabilities and bypass any security limitations enforced by the kubelet. When used with 'runAsRoot: true', the container will behave exactly as if it was running as root on the host. May escape cgroup limits and see other processes and devices on the host. | +| proxyInit.runAsGroup | int | `65534` | This value is used only if runAsRoot is false; otherwise runAsGroup will be 0 | +| proxyInit.runAsRoot | bool | `false` | Allow overriding the runAsNonRoot behaviour () | +| proxyInit.runAsUser | int | `65534` | This value is used only if runAsRoot is false; otherwise runAsUser will be 0 | +| proxyInit.skipSubnets | string | `""` | Comma-separated list of subnets in valid CIDR format that should be skipped by the proxy | +| proxyInit.xtMountPath.mountPath | string | `"/run"` | | +| proxyInit.xtMountPath.name | string | `"linkerd-proxy-init-xtables-lock"` | | +| proxyInjector.caBundle | string | `""` | Bundle of CA certificates for proxy injector. If not provided nor injected with cert-manager, then Helm will use the certificate generated for `proxyInjector.crtPEM`. If `proxyInjector.externalSecret` is set to true, this value, injectCaFrom, or injectCaFromSecret must be set, as no certificate will be generated. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information. | +| proxyInjector.crtPEM | string | `""` | Certificate for the proxy injector. If not provided and not using an external secret then Helm will generate one. | +| proxyInjector.externalSecret | bool | `false` | Do not create a secret resource for the proxyInjector webhook. If this is set to `true`, the value `proxyInjector.caBundle` must be set or the ca bundle must injected with cert-manager ca injector using `proxyInjector.injectCaFrom` or `proxyInjector.injectCaFromSecret` (see below). | +| proxyInjector.injectCaFrom | string | `""` | Inject the CA bundle from a cert-manager Certificate. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource) for more information. | +| proxyInjector.injectCaFromSecret | string | `""` | Inject the CA bundle from a Secret. If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. The Secret must have the CA Bundle stored in the `ca.crt` key and have the `cert-manager.io/allow-direct-injection` annotation set to `true`. See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) for more information. | +| proxyInjector.keyPEM | string | `""` | Certificate key for the proxy injector. If not provided and not using an external secret then Helm will generate one. | +| proxyInjector.namespaceSelector | object | `{"matchExpressions":[{"key":"config.linkerd.io/admission-webhooks","operator":"NotIn","values":["disabled"]},{"key":"kubernetes.io/metadata.name","operator":"NotIn","values":["kube-system","cert-manager"]}]}` | Namespace selector used by admission webhook. | +| proxyInjector.objectSelector | object | `{"matchExpressions":[{"key":"linkerd.io/control-plane-component","operator":"DoesNotExist"},{"key":"linkerd.io/cni-resource","operator":"DoesNotExist"}]}` | Object selector used by admission webhook. | +| proxyInjector.timeoutSeconds | int | `10` | Timeout in seconds before the API Server cancels a request to the proxy injector. If timeout is exceeded, the webhookfailurePolicy is used. | +| revisionHistoryLimit | int | `10` | Specifies the number of old ReplicaSets to retain to allow rollback. | +| runtimeClassName | string | `""` | Runtime Class Name for all the pods | +| webhookFailurePolicy | string | `"Ignore"` | Failure policy for the proxy injector | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/README.md.gotmpl b/charts/linkerd/linkerd-control-plane/2024.8.3/README.md.gotmpl new file mode 100644 index 000000000..19da2a82d --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/README.md.gotmpl @@ -0,0 +1,133 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }} +{{ template "chart.typeBadge" . }} +{{ template "chart.appVersionBadge" . }} + +{{ template "chart.homepageLine" . }} + +## Quickstart and documentation + +You can run Linkerd on any Kubernetes cluster in a matter of seconds. See the +[Linkerd Getting Started Guide][getting-started] for how. + +For more comprehensive documentation, start with the [Linkerd +docs][linkerd-docs]. + +## Prerequisite: linkerd-crds chart + +Before installing this chart, please install the `linkerd-crds` chart, which +creates all the CRDs that the components from the current chart require. + +## Prerequisite: identity certificates + +The identity component of Linkerd requires setting up a trust anchor +certificate, and an issuer certificate with its key. These need to be provided +to Helm by the user (unlike when using the `linkerd install` CLI which can +generate these automatically). You can provide your own, or follow [these +instructions](https://linkerd.io/2/tasks/generate-certificates/) to generate new +ones. + +Alternatively, both trust anchor and identity issuer certificates may be +derived from in-cluster resources. Existing CA (trust anchor) certificates +**must** live in a `ConfigMap` resource named `linkerd-identity-trust-roots`. +Issuer certificates **must** live in a `Secret` named +`linkerd-identity-issuer`. Both resources should exist in the control-plane's +install namespace. In order to use an existing CA, Linkerd needs to be +installed with `identity.externalCA=true`. To use an existing issuer +certificate, Linkerd should be installed with +`identity.issuer.scheme=kubernetes.io/tls`. + +A more comprehensive description is in the [automatic certificate rotation +guide](https://linkerd.io/2.12/tasks/automatically-rotating-control-plane-tls-credentials/#a-note-on-third-party-cert-management-solutions). + +Note that the provided certificates must be ECDSA certificates. + +## Adding Linkerd's Helm repository + +Included here for completeness-sake, but should have already been added when +`linkerd-base` was installed. + +```bash +# To add the repo for Linkerd edge releases: +helm repo add linkerd https://helm.linkerd.io/edge +``` + +## Installing the chart + +You must provide the certificates and keys described in the preceding section, +and the same expiration date you used to generate the Issuer certificate. + +```bash +helm install linkerd-control-plane -n linkerd \ + --set-file identityTrustAnchorsPEM=ca.crt \ + --set-file identity.issuer.tls.crtPEM=issuer.crt \ + --set-file identity.issuer.tls.keyPEM=issuer.key \ + linkerd/linkerd-control-plane +``` + +Note that you require to install this chart in the same namespace you installed +the `linkerd-base` chart. + +## Setting High-Availability + +Besides the default `values.yaml` file, the chart provides a `values-ha.yaml` +file that overrides some default values as to set things up under a +high-availability scenario, analogous to the `--ha` option in `linkerd install`. +Values such as higher number of replicas, higher memory/cpu limits and +affinities are specified in that file. + +You can get ahold of `values-ha.yaml` by fetching the chart files: + +```bash +helm fetch --untar linkerd/linkerd-control-plane +``` + +Then use the `-f` flag to provide the override file, for example: + +```bash +helm install linkerd-control-plane -n linkerd \ + --set-file identityTrustAnchorsPEM=ca.crt \ + --set-file identity.issuer.tls.crtPEM=issuer.crt \ + --set-file identity.issuer.tls.keyPEM=issuer.key \ + -f linkerd2/values-ha.yaml + linkerd/linkerd-control-plane +``` + +## Get involved + +* Check out Linkerd's source code at [GitHub][linkerd2]. +* Join Linkerd's [user mailing list][linkerd-users], [developer mailing + list][linkerd-dev], and [announcements mailing list][linkerd-announce]. +* Follow [@linkerd][twitter] on Twitter. +* Join the [Linkerd Slack][slack]. + +[getting-started]: https://linkerd.io/2/getting-started/ +[linkerd2]: https://github.com/linkerd/linkerd2 +[linkerd-announce]: https://lists.cncf.io/g/cncf-linkerd-announce +[linkerd-dev]: https://lists.cncf.io/g/cncf-linkerd-dev +[linkerd-docs]: https://linkerd.io/2/overview/ +[linkerd-users]: https://lists.cncf.io/g/cncf-linkerd-users +[slack]: http://slack.linkerd.io +[twitter]: https://twitter.com/linkerd + +## Extensions for Linkerd + +The current chart installs the core Linkerd components, which grant you +reliability and security features. Other functionality is available through +extensions. Check the corresponding docs for each one of the following +extensions: + +* Observability: + [Linkerd-viz](https://github.com/linkerd/linkerd2/blob/main/viz/charts/linkerd-viz/README.md) +* Multicluster: + [Linkerd-multicluster](https://github.com/linkerd/linkerd2/blob/main/multicluster/charts/linkerd-multicluster/README.md) +* Tracing: + [Linkerd-jaeger](https://github.com/linkerd/linkerd2/blob/main/jaeger/charts/linkerd-jaeger/README.md) + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/app-readme.md b/charts/linkerd/linkerd-control-plane/2024.8.3/app-readme.md new file mode 100644 index 000000000..351eac5f0 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/app-readme.md @@ -0,0 +1,14 @@ +# Linkerd 2 Chart + +Linkerd is an ultra light, ultra simple, ultra powerful service mesh. Linkerd +adds security, observability, and reliability to Kubernetes, without the +complexity. + +This particular Helm chart only installs the control plane core. You will also need to install the +linkerd-crds chart. This chart should be automatically installed along with any other dependencies. +If it is not installed as a dependency, install it first. + +To gain access to the observability features, please install the linkerd-viz chart. +Other extensions are available (multicluster, jaeger) under the linkerd Helm repo. + +Full documentation available at: https://linkerd.io/2/overview/ diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/.helmignore b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/.helmignore new file mode 100644 index 000000000..f0c131944 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/Chart.yaml b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/Chart.yaml new file mode 100644 index 000000000..23cfc167e --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +description: 'A Helm chart containing Linkerd partial templates, depended by the ''linkerd'' + and ''patch'' charts. ' +name: partials +version: 0.1.0 diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/README.md b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/README.md new file mode 100644 index 000000000..10805c9b9 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/README.md @@ -0,0 +1,9 @@ +# partials + +A Helm chart containing Linkerd partial templates, +depended by the 'linkerd' and 'patch' charts. + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/README.md.gotmpl b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/README.md.gotmpl new file mode 100644 index 000000000..37f510106 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/README.md.gotmpl @@ -0,0 +1,14 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }} +{{ template "chart.typeBadge" . }} +{{ template "chart.appVersionBadge" . }} + +{{ template "chart.homepageLine" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/NOTES.txt b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/NOTES.txt new file mode 100644 index 000000000..e69de29bb diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_affinity.tpl b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_affinity.tpl new file mode 100644 index 000000000..5dde1da47 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_affinity.tpl @@ -0,0 +1,38 @@ +{{ define "linkerd.pod-affinity" -}} +podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: {{ default "linkerd.io/control-plane-component" .label }} + operator: In + values: + - {{ .component }} + topologyKey: topology.kubernetes.io/zone + weight: 100 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: {{ default "linkerd.io/control-plane-component" .label }} + operator: In + values: + - {{ .component }} + topologyKey: kubernetes.io/hostname +{{- end }} + +{{ define "linkerd.node-affinity" -}} +nodeAffinity: +{{- toYaml .Values.nodeAffinity | trim | nindent 2 }} +{{- end }} + +{{ define "linkerd.affinity" -}} +{{- if or .Values.enablePodAntiAffinity .Values.nodeAffinity -}} +affinity: +{{- end }} +{{- if .Values.enablePodAntiAffinity -}} +{{- include "linkerd.pod-affinity" . | nindent 2 }} +{{- end }} +{{- if .Values.nodeAffinity -}} +{{- include "linkerd.node-affinity" . | nindent 2 }} +{{- end }} +{{- end }} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_capabilities.tpl b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_capabilities.tpl new file mode 100644 index 000000000..a595d74c1 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_capabilities.tpl @@ -0,0 +1,16 @@ +{{- define "partials.proxy.capabilities" -}} +capabilities: + {{- if .Values.proxy.capabilities.add }} + add: + {{- toYaml .Values.proxy.capabilities.add | trim | nindent 4 }} + {{- end }} + {{- if .Values.proxy.capabilities.drop }} + drop: + {{- toYaml .Values.proxy.capabilities.drop | trim | nindent 4 }} + {{- end }} +{{- end -}} + +{{- define "partials.proxy-init.capabilities.drop" -}} +drop: +{{ toYaml .Values.proxyInit.capabilities.drop | trim }} +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_debug.tpl b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_debug.tpl new file mode 100644 index 000000000..4df8cc77b --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_debug.tpl @@ -0,0 +1,15 @@ +{{- define "partials.debug" -}} +image: {{.Values.debugContainer.image.name}}:{{.Values.debugContainer.image.version | default .Values.linkerdVersion}} +imagePullPolicy: {{.Values.debugContainer.image.pullPolicy | default .Values.imagePullPolicy}} +name: linkerd-debug +terminationMessagePolicy: FallbackToLogsOnError +# some environments require probes, so we provide some infallible ones +livenessProbe: + exec: + command: + - "true" +readinessProbe: + exec: + command: + - "true" +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_helpers.tpl b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_helpers.tpl new file mode 100644 index 000000000..b6cdc34d0 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_helpers.tpl @@ -0,0 +1,14 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Splits a coma separated list into a list of string values. +For example "11,22,55,44" will become "11","22","55","44" +*/}} +{{- define "partials.splitStringList" -}} +{{- if gt (len (toString .)) 0 -}} +{{- $ports := toString . | splitList "," -}} +{{- $last := sub (len $ports) 1 -}} +{{- range $i,$port := $ports -}} +"{{$port}}"{{ternary "," "" (ne $i $last)}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_metadata.tpl b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_metadata.tpl new file mode 100644 index 000000000..04d2f1bea --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_metadata.tpl @@ -0,0 +1,17 @@ +{{- define "partials.annotations.created-by" -}} +linkerd.io/created-by: {{ .Values.cliVersion | default (printf "linkerd/helm %s" ( (.Values.image).version | default .Values.linkerdVersion)) }} +{{- end -}} + +{{- define "partials.proxy.annotations" -}} +linkerd.io/proxy-version: {{.Values.proxy.image.version | default .Values.linkerdVersion}} +cluster-autoscaler.kubernetes.io/safe-to-evict: "true" +linkerd.io/trust-root-sha256: {{ .Values.identityTrustAnchorsPEM | sha256sum }} +{{- end -}} + +{{/* +To add labels to the control-plane components, instead update at individual component manifests as +adding here would also update `spec.selector.matchLabels` which are immutable and would fail upgrades. +*/}} +{{- define "partials.proxy.labels" -}} +linkerd.io/proxy-{{.workloadKind}}: {{.component}} +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_network-validator.tpl b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_network-validator.tpl new file mode 100644 index 000000000..276056395 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_network-validator.tpl @@ -0,0 +1,45 @@ +{{- define "partials.network-validator" -}} +name: linkerd-network-validator +image: {{.Values.proxy.image.name}}:{{.Values.proxy.image.version | default .Values.linkerdVersion }} +imagePullPolicy: {{.Values.proxy.image.pullPolicy | default .Values.imagePullPolicy}} +{{ include "partials.resources" .Values.proxy.resources }} +{{- if or .Values.networkValidator.enableSecurityContext }} +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault +{{- end }} +command: + - /usr/lib/linkerd/linkerd2-network-validator +args: + - --log-format + - {{ .Values.networkValidator.logFormat }} + - --log-level + - {{ .Values.networkValidator.logLevel }} + - --connect-addr + {{- if .Values.networkValidator.connectAddr }} + - {{ .Values.networkValidator.connectAddr | quote }} + {{- else if .Values.disableIPv6}} + - "1.1.1.1:20001" + {{- else }} + - "[fd00::1]:20001" + {{- end }} + - --listen-addr + {{- if .Values.networkValidator.listenAddr }} + - {{ .Values.networkValidator.listenAddr | quote }} + {{- else if .Values.disableIPv6}} + - "0.0.0.0:4140" + {{- else }} + - "[::]:4140" + {{- end }} + - --timeout + - {{ .Values.networkValidator.timeout }} + +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_nodeselector.tpl b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_nodeselector.tpl new file mode 100644 index 000000000..4cde0ab16 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_nodeselector.tpl @@ -0,0 +1,4 @@ +{{- define "linkerd.node-selector" -}} +nodeSelector: +{{- toYaml .Values.nodeSelector | trim | nindent 2 }} +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_proxy-config-ann.tpl b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_proxy-config-ann.tpl new file mode 100644 index 000000000..9651b3bd1 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_proxy-config-ann.tpl @@ -0,0 +1,18 @@ +{{- define "partials.proxy.config.annotations" -}} +{{- with .cpu }} +{{- with .request -}} +config.linkerd.io/proxy-cpu-request: {{. | quote}} +{{end}} +{{- with .limit -}} +config.linkerd.io/proxy-cpu-limit: {{. | quote}} +{{- end}} +{{- end}} +{{- with .memory }} +{{- with .request }} +config.linkerd.io/proxy-memory-request: {{. | quote}} +{{end}} +{{- with .limit -}} +config.linkerd.io/proxy-memory-limit: {{. | quote}} +{{- end}} +{{- end }} +{{- end }} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_proxy-init.tpl b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_proxy-init.tpl new file mode 100644 index 000000000..a307b1407 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_proxy-init.tpl @@ -0,0 +1,98 @@ +{{- define "partials.proxy-init" -}} +args: +{{- if (.Values.proxyInit.iptablesMode | default "legacy" | eq "nft") }} +- --firewall-bin-path +- "iptables-nft" +- --firewall-save-bin-path +- "iptables-nft-save" +{{- else if not (eq .Values.proxyInit.iptablesMode "legacy") }} +{{ fail (printf "Unsupported value \"%s\" for proxyInit.iptablesMode\nValid values: [\"nft\", \"legacy\"]" .Values.proxyInit.iptablesMode) }} +{{end -}} +{{- if .Values.disableIPv6 }} +- --ipv6=false +{{- end }} +- --incoming-proxy-port +- {{.Values.proxy.ports.inbound | quote}} +- --outgoing-proxy-port +- {{.Values.proxy.ports.outbound | quote}} +- --proxy-uid +- {{.Values.proxy.uid | quote}} +{{- if ge (int .Values.proxy.gid) 0 }} +- --proxy-gid +- {{.Values.proxy.gid | quote}} +{{- end }} +- --inbound-ports-to-ignore +- "{{.Values.proxy.ports.control}},{{.Values.proxy.ports.admin}}{{ternary (printf ",%s" (.Values.proxyInit.ignoreInboundPorts | toString)) "" (not (empty .Values.proxyInit.ignoreInboundPorts)) }}" +{{- if .Values.proxyInit.ignoreOutboundPorts }} +- --outbound-ports-to-ignore +- {{.Values.proxyInit.ignoreOutboundPorts | quote}} +{{- end }} +{{- if .Values.proxyInit.closeWaitTimeoutSecs }} +- --timeout-close-wait-secs +- {{ .Values.proxyInit.closeWaitTimeoutSecs | quote}} +{{- end }} +{{- if .Values.proxyInit.logFormat }} +- --log-format +- {{ .Values.proxyInit.logFormat }} +{{- end }} +{{- if .Values.proxyInit.logLevel }} +- --log-level +- {{ .Values.proxyInit.logLevel }} +{{- end }} +{{- if .Values.proxyInit.skipSubnets }} +- --subnets-to-ignore +- {{ .Values.proxyInit.skipSubnets | quote }} +{{- end }} +image: {{.Values.proxyInit.image.name}}:{{.Values.proxyInit.image.version}} +imagePullPolicy: {{.Values.proxyInit.image.pullPolicy | default .Values.imagePullPolicy}} +name: linkerd-init +{{ include "partials.resources" .Values.proxy.resources }} +securityContext: + {{- if or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.privileged }} + allowPrivilegeEscalation: true + {{- else }} + allowPrivilegeEscalation: false + {{- end }} + capabilities: + add: + - NET_ADMIN + - NET_RAW + {{- if .Values.proxyInit.capabilities -}} + {{- if .Values.proxyInit.capabilities.add }} + {{- toYaml .Values.proxyInit.capabilities.add | trim | nindent 4 }} + {{- end }} + {{- if .Values.proxyInit.capabilities.drop -}} + {{- include "partials.proxy-init.capabilities.drop" . | nindent 4 -}} + {{- end }} + {{- end }} + {{- if or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.privileged }} + privileged: true + {{- else }} + privileged: false + {{- end }} + {{- if .Values.proxyInit.runAsRoot }} + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + runAsNonRoot: true + runAsUser: {{ .Values.proxyInit.runAsUser | int | eq 0 | ternary 65534 .Values.proxyInit.runAsUser }} + runAsGroup: {{ .Values.proxyInit.runAsGroup | int | eq 0 | ternary 65534 .Values.proxyInit.runAsGroup }} + {{- end }} + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault +terminationMessagePolicy: FallbackToLogsOnError +{{- if or (not .Values.cniEnabled) .Values.proxyInit.saMountPath }} +volumeMounts: +{{- end -}} +{{- if not .Values.cniEnabled }} +- mountPath: {{.Values.proxyInit.xtMountPath.mountPath}} + name: {{.Values.proxyInit.xtMountPath.name}} +{{- end -}} +{{- if .Values.proxyInit.saMountPath }} +- mountPath: {{.Values.proxyInit.saMountPath.mountPath}} + name: {{.Values.proxyInit.saMountPath.name}} + readOnly: {{.Values.proxyInit.saMountPath.readOnly}} +{{- end -}} +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_proxy.tpl b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_proxy.tpl new file mode 100644 index 000000000..7880b394c --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_proxy.tpl @@ -0,0 +1,267 @@ +{{ define "partials.proxy" -}} +{{ if and .Values.proxy.nativeSidecar .Values.proxy.waitBeforeExitSeconds }} +{{ fail "proxy.nativeSidecar and waitBeforeExitSeconds cannot be used simultaneously" }} +{{- end }} +{{- if not (has .Values.proxy.logHTTPHeaders (list "insecure" "off" "")) }} +{{- fail "logHTTPHeaders must be one of: insecure | off" }} +{{- end }} +{{- $trustDomain := (.Values.identityTrustDomain | default .Values.clusterDomain) -}} +env: +- name: _pod_name + valueFrom: + fieldRef: + fieldPath: metadata.name +- name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace +- name: _pod_nodeName + valueFrom: + fieldRef: + fieldPath: spec.nodeName +{{- if .Values.proxy.cores }} +- name: LINKERD2_PROXY_CORES + value: {{.Values.proxy.cores | quote}} +{{- end }} +{{ if .Values.proxy.requireIdentityOnInboundPorts -}} +- name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_IDENTITY + value: {{.Values.proxy.requireIdentityOnInboundPorts | quote}} +{{ end -}} +{{ if .Values.proxy.requireTLSOnInboundPorts -}} +- name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS + value: {{.Values.proxy.requireTLSOnInboundPorts | quote}} +{{ end -}} +- name: LINKERD2_PROXY_SHUTDOWN_ENDPOINT_ENABLED + value: {{.Values.proxy.enableShutdownEndpoint | quote}} +- name: LINKERD2_PROXY_LOG + value: "{{.Values.proxy.logLevel}}{{ if not (eq .Values.proxy.logHTTPHeaders "insecure") }},[{headers}]=off,[{request}]=off{{ end }}" +- name: LINKERD2_PROXY_LOG_FORMAT + value: {{.Values.proxy.logFormat | quote}} +- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: {{ternary "localhost.:8086" (printf "linkerd-dst-headless.%s.svc.%s.:8086" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-destination")}} +- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS + value: {{.Values.clusterNetworks | quote}} +- name: LINKERD2_PROXY_POLICY_SVC_ADDR + value: {{ternary "localhost.:8090" (printf "linkerd-policy.%s.svc.%s.:8090" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-destination")}} +- name: LINKERD2_PROXY_POLICY_WORKLOAD + value: | + {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"} +- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY + value: {{.Values.proxy.defaultInboundPolicy}} +- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS + value: {{.Values.clusterNetworks | quote}} +- name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT + value: {{((.Values.proxy.control).streams).initialTimeout | default "" | quote}} +- name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT + value: {{((.Values.proxy.control).streams).idleTimeout | default "" | quote}} +- name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME + value: {{((.Values.proxy.control).streams).lifetime | default "" | quote}} +{{ if .Values.proxy.inboundConnectTimeout -}} +- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT + value: {{.Values.proxy.inboundConnectTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.outboundConnectTimeout -}} +- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT + value: {{.Values.proxy.outboundConnectTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.outboundDiscoveryCacheUnusedTimeout -}} +- name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT + value: {{.Values.proxy.outboundDiscoveryCacheUnusedTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.inboundDiscoveryCacheUnusedTimeout -}} +- name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT + value: {{.Values.proxy.inboundDiscoveryCacheUnusedTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.disableOutboundProtocolDetectTimeout -}} +- name: LINKERD2_PROXY_OUTBOUND_DETECT_TIMEOUT + value: "365d" +{{ end -}} +{{ if .Values.proxy.disableInboundProtocolDetectTimeout -}} +- name: LINKERD2_PROXY_INBOUND_DETECT_TIMEOUT + value: "365d" +{{ end -}} +- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: "{{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:{{.Values.proxy.ports.control}}" +- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: "{{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:{{.Values.proxy.ports.admin}}" +{{- /* Deprecated, superseded by LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS since proxy's v2.228.0 (deployed since edge-24.4.5) */}} +- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: "127.0.0.1:{{.Values.proxy.ports.outbound}}" +- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS + value: "127.0.0.1:{{.Values.proxy.ports.outbound}}{{ if not .Values.disableIPv6}},[::1]:{{.Values.proxy.ports.outbound}}{{ end }}" +- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: "{{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:{{.Values.proxy.ports.inbound}}" +- name: LINKERD2_PROXY_INBOUND_IPS + valueFrom: + fieldRef: + fieldPath: status.podIPs +- name: LINKERD2_PROXY_INBOUND_PORTS + value: {{ .Values.proxy.podInboundPorts | quote }} +{{ if .Values.proxy.isGateway -}} +- name: LINKERD2_PROXY_INBOUND_GATEWAY_SUFFIXES + value: {{printf "svc.%s." .Values.clusterDomain}} +{{ end -}} +{{ if .Values.proxy.isIngress -}} +- name: LINKERD2_PROXY_INGRESS_MODE + value: "true" +{{ end -}} +- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + {{- $internalDomain := printf "svc.%s." .Values.clusterDomain }} + value: {{ternary "." $internalDomain .Values.proxy.enableExternalProfiles}} +- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms +- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms +{{- /* Configure inbound and outbound parameters, e.g. for HTTP/2 servers. */}} +{{ range $proxyK, $proxyV := (dict "inbound" .Values.proxy.inbound "outbound" .Values.proxy.outbound) -}} +{{ range $scopeK, $scopeV := $proxyV -}} +{{ range $protoK, $protoV := $scopeV -}} +{{ range $paramK, $paramV := $protoV -}} +- name: LINKERD2_PROXY_{{snakecase $proxyK | upper}}_{{snakecase $scopeK | upper}}_{{snakecase $protoK | upper}}_{{snakecase $paramK | upper}} + value: {{ quote $paramV }} +{{ end -}} +{{ end -}} +{{ end -}} +{{ end -}} +{{ if .Values.proxy.opaquePorts -}} +- name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION + value: {{.Values.proxy.opaquePorts | quote}} +{{ end -}} +- name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: | + {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"} +- name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +- name: _l5d_ns + value: {{.Release.Namespace}} +- name: _l5d_trustdomain + value: {{$trustDomain}} +- name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity +- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS +{{- /* +Pods in the `linkerd` namespace are not injected by the proxy injector and instead obtain +the trust anchor bundle from the `linkerd-identity-trust-roots` configmap. This should not +be used in other contexts. +*/}} +{{- if .Values.proxy.loadTrustBundleFromConfigMap }} + valueFrom: + configMapKeyRef: + name: linkerd-identity-trust-roots + key: ca-bundle.crt +{{ else }} + value: | + {{- required "Please provide the identity trust anchors" .Values.identityTrustAnchorsPEM | trim | nindent 4 }} +{{ end -}} +- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE +{{- if .Values.identity.serviceAccountTokenProjection }} + value: /var/run/secrets/tokens/linkerd-identity-token +{{ else }} + value: /var/run/secrets/kubernetes.io/serviceaccount/token +{{ end -}} +- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: {{ternary "localhost.:8080" (printf "linkerd-identity-headless.%s.svc.%s.:8080" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-identity")}} +- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +- name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.{{.Release.Namespace}}.serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +- name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.{{.Release.Namespace}}.serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +- name: LINKERD2_PROXY_POLICY_SVC_NAME + value: linkerd-destination.{{.Release.Namespace}}.serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +{{ if .Values.proxy.accessLog -}} +- name: LINKERD2_PROXY_ACCESS_LOG + value: {{.Values.proxy.accessLog | quote}} +{{ end -}} +{{ if .Values.proxy.shutdownGracePeriod -}} +- name: LINKERD2_PROXY_SHUTDOWN_GRACE_PERIOD + value: {{.Values.proxy.shutdownGracePeriod | quote}} +{{ end -}} +{{ if .Values.proxy.additionalEnv -}} +{{ toYaml .Values.proxy.additionalEnv }} +{{ end -}} +{{ if .Values.proxy.experimentalEnv -}} +{{ toYaml .Values.proxy.experimentalEnv }} +{{ end -}} +image: {{.Values.proxy.image.name}}:{{.Values.proxy.image.version | default .Values.linkerdVersion}} +imagePullPolicy: {{.Values.proxy.image.pullPolicy | default .Values.imagePullPolicy}} +livenessProbe: + httpGet: + path: /live + port: {{.Values.proxy.ports.admin}} + initialDelaySeconds: {{.Values.proxy.livenessProbe.initialDelaySeconds }} + timeoutSeconds: {{.Values.proxy.livenessProbe.timeoutSeconds }} +name: linkerd-proxy +ports: +- containerPort: {{.Values.proxy.ports.inbound}} + name: linkerd-proxy +- containerPort: {{.Values.proxy.ports.admin}} + name: linkerd-admin +readinessProbe: + httpGet: + path: /ready + port: {{.Values.proxy.ports.admin}} + initialDelaySeconds: {{.Values.proxy.readinessProbe.initialDelaySeconds }} + timeoutSeconds: {{.Values.proxy.readinessProbe.timeoutSeconds }} +{{- if and .Values.proxy.nativeSidecar .Values.proxy.await }} +startupProbe: + httpGet: + path: /ready + port: {{.Values.proxy.ports.admin}} + initialDelaySeconds: {{.Values.proxy.startupProbe.initialDelaySeconds}} + periodSeconds: {{.Values.proxy.startupProbe.periodSeconds}} + failureThreshold: {{.Values.proxy.startupProbe.failureThreshold}} +{{- end }} +{{- if .Values.proxy.resources }} +{{ include "partials.resources" .Values.proxy.resources }} +{{- end }} +securityContext: + allowPrivilegeEscalation: false + {{- if .Values.proxy.capabilities -}} + {{- include "partials.proxy.capabilities" . | nindent 2 -}} + {{- end }} + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: {{.Values.proxy.uid}} +{{- if ge (int .Values.proxy.gid) 0 }} + runAsGroup: {{.Values.proxy.gid}} +{{- end }} + seccompProfile: + type: RuntimeDefault +terminationMessagePolicy: FallbackToLogsOnError +{{- if and (not .Values.proxy.nativeSidecar) (or .Values.proxy.await .Values.proxy.waitBeforeExitSeconds) }} +lifecycle: +{{- if .Values.proxy.await }} + postStart: + exec: + command: + - /usr/lib/linkerd/linkerd-await + - --timeout=2m + - --port={{.Values.proxy.ports.admin}} +{{- end }} +{{- if .Values.proxy.waitBeforeExitSeconds }} + preStop: + exec: + command: + - /bin/sleep + - {{.Values.proxy.waitBeforeExitSeconds | quote}} +{{- end }} +{{- end }} +volumeMounts: +- mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity +{{- if .Values.identity.serviceAccountTokenProjection }} +- mountPath: /var/run/secrets/tokens + name: linkerd-identity-token +{{- end }} +{{- if .Values.proxy.saMountPath }} +- mountPath: {{.Values.proxy.saMountPath.mountPath}} + name: {{.Values.proxy.saMountPath.name}} + readOnly: {{.Values.proxy.saMountPath.readOnly}} +{{- end -}} +{{- if .Values.proxy.nativeSidecar }} +restartPolicy: Always +{{- end -}} +{{- end }} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_pull-secrets.tpl b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_pull-secrets.tpl new file mode 100644 index 000000000..0c9aa4f01 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_pull-secrets.tpl @@ -0,0 +1,6 @@ +{{- define "partials.image-pull-secrets"}} +{{- if . }} +imagePullSecrets: +{{ toYaml . | indent 2 }} +{{- end }} +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_resources.tpl b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_resources.tpl new file mode 100644 index 000000000..1fd6789fd --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_resources.tpl @@ -0,0 +1,28 @@ +{{- define "partials.resources" -}} +{{- $ephemeralStorage := index . "ephemeral-storage" -}} +resources: + {{- if or (.cpu).limit (.memory).limit ($ephemeralStorage).limit }} + limits: + {{- with (.cpu).limit }} + cpu: {{. | quote}} + {{- end }} + {{- with (.memory).limit }} + memory: {{. | quote}} + {{- end }} + {{- with ($ephemeralStorage).limit }} + ephemeral-storage: {{. | quote}} + {{- end }} + {{- end }} + {{- if or (.cpu).request (.memory).request ($ephemeralStorage).request }} + requests: + {{- with (.cpu).request }} + cpu: {{. | quote}} + {{- end }} + {{- with (.memory).request }} + memory: {{. | quote}} + {{- end }} + {{- with ($ephemeralStorage).request }} + ephemeral-storage: {{. | quote}} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_tolerations.tpl b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_tolerations.tpl new file mode 100644 index 000000000..c2292b146 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_tolerations.tpl @@ -0,0 +1,4 @@ +{{- define "linkerd.tolerations" -}} +tolerations: +{{ toYaml .Values.tolerations | trim | indent 2 }} +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_trace.tpl b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_trace.tpl new file mode 100644 index 000000000..dee059541 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_trace.tpl @@ -0,0 +1,5 @@ +{{ define "partials.linkerd.trace" -}} +{{ if .Values.controlPlaneTracing -}} +- -trace-collector=collector.{{.Values.controlPlaneTracingNamespace}}.svc.{{.Values.clusterDomain}}:55678 +{{ end -}} +{{- end }} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_validate.tpl b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_validate.tpl new file mode 100644 index 000000000..ba772c2fe --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_validate.tpl @@ -0,0 +1,19 @@ +{{- define "linkerd.webhook.validation" -}} + +{{- if and (.injectCaFrom) (.injectCaFromSecret) -}} +{{- fail "injectCaFrom and injectCaFromSecret cannot both be set" -}} +{{- end -}} + +{{- if and (or (.injectCaFrom) (.injectCaFromSecret)) (.caBundle) -}} +{{- fail "injectCaFrom or injectCaFromSecret cannot be set if providing a caBundle" -}} +{{- end -}} + +{{- if and (.externalSecret) (empty .caBundle) (empty .injectCaFrom) (empty .injectCaFromSecret) -}} +{{- fail "if externalSecret is set, then caBundle, injectCaFrom, or injectCaFromSecret must be set" -}} +{{- end }} + +{{- if and (or .injectCaFrom .injectCaFromSecret .caBundle) (not .externalSecret) -}} +{{- fail "if caBundle, injectCaFrom, or injectCaFromSecret is set, then externalSecret must be set" -}} +{{- end -}} + +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_volumes.tpl b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_volumes.tpl new file mode 100644 index 000000000..9684cf240 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/templates/_volumes.tpl @@ -0,0 +1,20 @@ +{{ define "partials.proxy.volumes.identity" -}} +emptyDir: + medium: Memory +name: linkerd-identity-end-entity +{{- end -}} + +{{ define "partials.proxyInit.volumes.xtables" -}} +emptyDir: {} +name: {{ .Values.proxyInit.xtMountPath.name }} +{{- end -}} + +{{- define "partials.proxy.volumes.service-account-token" -}} +name: linkerd-identity-token +projected: + sources: + - serviceAccountToken: + path: linkerd-identity-token + expirationSeconds: 86400 {{- /* # 24 hours */}} + audience: identity.l5d.io +{{- end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/values.yaml b/charts/linkerd/linkerd-control-plane/2024.8.3/charts/partials/values.yaml new file mode 100644 index 000000000..e69de29bb diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/questions.yaml b/charts/linkerd/linkerd-control-plane/2024.8.3/questions.yaml new file mode 100644 index 000000000..4ae27870a --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/questions.yaml @@ -0,0 +1,19 @@ +questions: +- variable: identityTrustAnchorsPEM + label: "Trust root certificate (ECDSA)" + description: "Root certificate used to support mTLS connections between meshed pods" + required: true + type: multiline + group: Identity +- variable: identity.issuer.tls.crtPEM + label: "Issuer certificate (ECDSA)" + description: "Intermediate certificate, rooted on identityTrustAnchorsPEM, used to sign the Linkerd proxies' CSR" + required: true + type: multiline + group: Identity +- variable: identity.issuer.tls.keyPEM + label: "Key for the issuer certificate (ECDSA)" + description: "Private key for the certificate entered on crtPEM" + required: true + type: multiline + group: Identity diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/templates/NOTES.txt b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/NOTES.txt new file mode 100644 index 000000000..4bd1be9fc --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/NOTES.txt @@ -0,0 +1,19 @@ +The Linkerd control plane was successfully installed 🎉 + +To help you manage your Linkerd service mesh you can install the Linkerd CLI by running: + + curl -sL https://run.linkerd.io/install | sh + +Alternatively, you can download the CLI directly via the Linkerd releases page: + + https://github.com/linkerd/linkerd2/releases/ + +To make sure everything works as expected, run the following: + + linkerd check + +The viz extension can be installed by running: + + helm install linkerd-viz linkerd/linkerd-viz + +Looking for more? Visit https://linkerd.io/2/getting-started/ diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/templates/config-rbac.yaml b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/config-rbac.yaml new file mode 100644 index 000000000..5f5c34203 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/config-rbac.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} + name: ext-namespace-metadata-linkerd-config + namespace: {{ .Release.Namespace }} +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["linkerd-config"] diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/templates/config.yaml b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/config.yaml new file mode 100644 index 000000000..a9cea5f42 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/config.yaml @@ -0,0 +1,39 @@ +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-config + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: controller + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +data: + linkerd-crds-chart-version: linkerd-crds-1.0.0-edge + values: | + {{- $values := deepCopy .Values }} + {{- /* + WARNING! All sensitive or private data such as TLS keys must be removed + here to avoid it being publicly readable. + */ -}} + {{- if kindIs "map" $values.identity.issuer.tls -}} + {{- $_ := unset $values.identity.issuer.tls "keyPEM"}} + {{- end -}} + {{- if kindIs "map" $values.profileValidator -}} + {{- $_ := unset $values.profileValidator "keyPEM"}} + {{- end -}} + {{- if kindIs "map" $values.proxyInjector -}} + {{- $_ := unset $values.proxyInjector "keyPEM"}} + {{- end -}} + {{- if kindIs "map" $values.policyValidator -}} + {{- $_ := unset $values.policyValidator "keyPEM"}} + {{- end -}} + {{- if (empty $values.identityTrustDomain) -}} + {{- $_ := set $values "identityTrustDomain" $values.clusterDomain}} + {{- end -}} + {{- $_ := unset $values "partials"}} + {{- $_ := unset $values "configs"}} + {{- $_ := unset $values "stage"}} + {{- toYaml $values | trim | nindent 4 }} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/templates/destination-rbac.yaml b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/destination-rbac.yaml new file mode 100644 index 000000000..38488cd04 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/destination-rbac.yaml @@ -0,0 +1,327 @@ +--- +### +### Destination Controller Service +### +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Release.Namespace}}-destination + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +rules: +- apiGroups: ["apps"] + resources: ["replicasets"] + verbs: ["list", "get", "watch"] +- apiGroups: ["batch"] + resources: ["jobs"] + verbs: ["list", "get", "watch"] +- apiGroups: [""] + resources: ["pods", "endpoints", "services", "nodes"] + verbs: ["list", "get", "watch"] +- apiGroups: ["linkerd.io"] + resources: ["serviceprofiles"] + verbs: ["list", "get", "watch"] +- apiGroups: ["workload.linkerd.io"] + resources: ["externalworkloads"] + verbs: ["list", "get", "watch"] +- apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create", "get", "update", "patch"] + {{- if .Values.enableEndpointSlices }} +- apiGroups: ["discovery.k8s.io"] + resources: ["endpointslices"] + verbs: ["list", "get", "watch", "create", "update", "patch", "delete"] + {{- end }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Release.Namespace}}-destination + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-{{.Release.Namespace}}-destination +subjects: +- kind: ServiceAccount + name: linkerd-destination + namespace: {{.Release.Namespace}} +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-destination + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }} +--- +{{- $host := printf "linkerd-sp-validator.%s.svc" .Release.Namespace }} +{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }} +{{- if (not .Values.profileValidator.externalSecret) }} +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-sp-validator-k8s-tls + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +type: kubernetes.io/tls +data: + tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.profileValidator.crtPEM)) (empty .Values.profileValidator.crtPEM) }} + tls.key: {{ ternary (b64enc (trim $ca.Key)) (b64enc (trim .Values.profileValidator.keyPEM)) (empty .Values.profileValidator.keyPEM) }} +--- +{{- end }} +{{- include "linkerd.webhook.validation" .Values.profileValidator }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: linkerd-sp-validator-webhook-config + {{- if or (.Values.profileValidator.injectCaFrom) (.Values.profileValidator.injectCaFromSecret) }} + annotations: + {{- if .Values.profileValidator.injectCaFrom }} + cert-manager.io/inject-ca-from: {{ .Values.profileValidator.injectCaFrom }} + {{- end }} + {{- if .Values.profileValidator.injectCaFromSecret }} + cert-manager.io/inject-ca-from-secret: {{ .Values.profileValidator.injectCaFromSecret }} + {{- end }} + {{- end }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +webhooks: +- name: linkerd-sp-validator.linkerd.io + namespaceSelector: + {{- toYaml .Values.profileValidator.namespaceSelector | trim | nindent 4 }} + clientConfig: + service: + name: linkerd-sp-validator + namespace: {{ .Release.Namespace }} + path: "/" + {{- if and (empty .Values.profileValidator.injectCaFrom) (empty .Values.profileValidator.injectCaFromSecret) }} + caBundle: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.profileValidator.caBundle)) (empty .Values.profileValidator.caBundle) }} + {{- end }} + failurePolicy: {{.Values.webhookFailurePolicy}} + admissionReviewVersions: ["v1", "v1beta1"] + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["linkerd.io"] + apiVersions: ["v1alpha1", "v1alpha2"] + resources: ["serviceprofiles"] + sideEffects: None +--- +{{- $host := printf "linkerd-policy-validator.%s.svc" .Release.Namespace }} +{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }} +{{- if (not .Values.policyValidator.externalSecret) }} +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-policy-validator-k8s-tls + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +type: kubernetes.io/tls +data: + tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.policyValidator.crtPEM)) (empty .Values.policyValidator.crtPEM) }} + tls.key: {{ ternary (b64enc (trim $ca.Key)) (b64enc (trim .Values.policyValidator.keyPEM)) (empty .Values.policyValidator.keyPEM) }} +--- +{{- end }} +{{- include "linkerd.webhook.validation" .Values.policyValidator }} +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: linkerd-policy-validator-webhook-config + {{- if or (.Values.policyValidator.injectCaFrom) (.Values.policyValidator.injectCaFromSecret) }} + annotations: + {{- if .Values.policyValidator.injectCaFrom }} + cert-manager.io/inject-ca-from: {{ .Values.policyValidator.injectCaFrom }} + {{- end }} + {{- if .Values.policyValidator.injectCaFromSecret }} + cert-manager.io/inject-ca-from-secret: {{ .Values.policyValidator.injectCaFromSecret }} + {{- end }} + {{- end }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +webhooks: +- name: linkerd-policy-validator.linkerd.io + namespaceSelector: + {{- toYaml .Values.policyValidator.namespaceSelector | trim | nindent 4 }} + clientConfig: + service: + name: linkerd-policy-validator + namespace: {{ .Release.Namespace }} + path: "/" + {{- if and (empty .Values.policyValidator.injectCaFrom) (empty .Values.policyValidator.injectCaFromSecret) }} + caBundle: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.policyValidator.caBundle)) (empty .Values.policyValidator.caBundle) }} + {{- end }} + failurePolicy: {{.Values.webhookFailurePolicy}} + admissionReviewVersions: ["v1", "v1beta1"] + rules: + - operations: ["CREATE", "UPDATE"] + apiGroups: ["policy.linkerd.io"] + apiVersions: ["*"] + resources: + - authorizationpolicies + - httproutes + - networkauthentications + - meshtlsauthentications + - serverauthorizations + - servers + - operations: ["CREATE", "UPDATE"] + apiGroups: ["gateway.networking.k8s.io"] + apiVersions: ["*"] + resources: + - httproutes + - grpcroutes + sideEffects: None +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: linkerd-policy + labels: + app.kubernetes.io/part-of: Linkerd + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +rules: + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + - apiGroups: + - apps + resources: + - deployments + verbs: + - get + - apiGroups: + - policy.linkerd.io + resources: + - authorizationpolicies + - httproutes + - meshtlsauthentications + - networkauthentications + - servers + - serverauthorizations + verbs: + - get + - list + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes + - grpcroutes + verbs: + - get + - list + - watch + - apiGroups: + - policy.linkerd.io + resources: + - httproutes/status + verbs: + - patch + - apiGroups: + - gateway.networking.k8s.io + resources: + - httproutes/status + - grpcroutes/status + verbs: + - patch + - apiGroups: + - workload.linkerd.io + resources: + - externalworkloads + verbs: + - get + - list + - watch + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: linkerd-destination-policy + labels: + app.kubernetes.io/part-of: Linkerd + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-policy +subjects: + - kind: ServiceAccount + name: linkerd-destination + namespace: {{.Release.Namespace}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: remote-discovery + namespace: {{.Release.Namespace}} + labels: + app.kubernetes.io/part-of: Linkerd + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-destination-remote-discovery + namespace: {{.Release.Namespace}} + labels: + app.kubernetes.io/part-of: Linkerd + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: remote-discovery +subjects: + - kind: ServiceAccount + name: linkerd-destination + namespace: {{.Release.Namespace}} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/templates/destination.yaml b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/destination.yaml new file mode 100644 index 000000000..b214c3c64 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/destination.yaml @@ -0,0 +1,417 @@ +--- +### +### Destination Controller Service +### +kind: Service +apiVersion: v1 +metadata: + name: linkerd-dst + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: destination + ports: + - name: grpc + port: 8086 + targetPort: 8086 +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-dst-headless + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + clusterIP: None + selector: + linkerd.io/control-plane-component: destination + ports: + - name: grpc + port: 8086 + targetPort: 8086 +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-sp-validator + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: destination + ports: + - name: sp-validator + port: 443 + targetPort: sp-validator +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-policy + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + clusterIP: None + selector: + linkerd.io/control-plane-component: destination + ports: + - name: grpc + port: 8090 + targetPort: 8090 +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-policy-validator + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: destination + ports: + - name: policy-https + port: 443 + targetPort: policy-https +{{- if .Values.enablePodDisruptionBudget }} +--- +kind: PodDisruptionBudget +apiVersion: policy/v1 +metadata: + name: linkerd-dst + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }} + selector: + matchLabels: + linkerd.io/control-plane-component: destination +{{- end }} +--- +{{- $tree := deepCopy . }} +{{ $_ := set $tree.Values.proxy "workloadKind" "deployment" -}} +{{ $_ := set $tree.Values.proxy "component" "linkerd-destination" -}} +{{ $_ := set $tree.Values.proxy "waitBeforeExitSeconds" 0 -}} +{{- if not (empty .Values.destinationProxyResources) }} +{{- $c := dig "cores" .Values.proxy.cores .Values.destinationProxyResources }} +{{- $_ := set $tree.Values.proxy "cores" $c }} +{{- $r := merge .Values.destinationProxyResources .Values.proxy.resources }} +{{- $_ := set $tree.Values.proxy "resources" $r }} +{{- end }} +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + app.kubernetes.io/name: destination + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: {{.Values.linkerdVersion}} + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + name: linkerd-destination + namespace: {{ .Release.Namespace }} +spec: + replicas: {{.Values.controllerReplicas}} + revisionHistoryLimit: {{.Values.revisionHistoryLimit}} + selector: + matchLabels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 6}} + {{- if .Values.deploymentStrategy }} + strategy: + {{- with .Values.deploymentStrategy }}{{ toYaml . | trim | nindent 4 }}{{- end }} + {{- end }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/destination-rbac.yaml") . | sha256sum }} + {{ include "partials.annotations.created-by" . }} + {{- include "partials.proxy.annotations" . | nindent 8}} + {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }} + config.linkerd.io/default-inbound-policy: "all-unauthenticated" + labels: + linkerd.io/control-plane-component: destination + linkerd.io/control-plane-ns: {{.Release.Namespace}} + linkerd.io/workload-ns: {{.Release.Namespace}} + {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 8}} + {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }} + spec: + {{- with .Values.runtimeClassName }} + runtimeClassName: {{ . | quote }} + {{- end }} + {{- if .Values.tolerations -}} + {{- include "linkerd.tolerations" . | nindent 6 }} + {{- end -}} + {{- include "linkerd.node-selector" . | nindent 6 }} + {{- $_ := set $tree "component" "destination" -}} + {{- include "linkerd.affinity" $tree | nindent 6 }} + containers: + {{- $_ := set $tree.Values.proxy "await" $tree.Values.proxy.await }} + {{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }} + {{- $_ := set $tree.Values.proxy "podInboundPorts" "8086,8090,8443,9443,9990,9996,9997" }} + {{- $_ := set $tree.Values.proxy "outboundDiscoveryCacheUnusedTimeout" "5s" }} + {{- $_ := set $tree.Values.proxy "inboundDiscoveryCacheUnusedTimeout" "90s" }} + {{- /* + The pod needs to accept webhook traffic, and we can't rely on that originating in the + cluster network. + */}} + {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }} + {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }} + {{- if not $tree.Values.proxy.nativeSidecar }} + - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{- end }} + - args: + - destination + - -addr=:8086 + - -controller-namespace={{.Release.Namespace}} + - -enable-h2-upgrade={{.Values.enableH2Upgrade}} + - -log-level={{.Values.controllerLogLevel}} + - -log-format={{.Values.controllerLogFormat}} + - -enable-endpoint-slices={{.Values.enableEndpointSlices}} + - -cluster-domain={{.Values.clusterDomain}} + - -identity-trust-domain={{.Values.identityTrustDomain | default .Values.clusterDomain}} + - -default-opaque-ports={{.Values.proxy.opaquePorts}} + - -enable-ipv6={{not .Values.disableIPv6}} + - -enable-pprof={{.Values.enablePprof | default false}} + {{- if (.Values.destinationController).meshedHttp2ClientProtobuf }} + - --meshed-http2-client-params={{ toJson .Values.destinationController.meshedHttp2ClientProtobuf }} + {{- end }} + {{- range (.Values.destinationController).additionalArgs }} + - {{ . }} + {{- end }} + {{- range (.Values.destinationController).experimentalArgs }} + - {{ . }} + {{- end }} + {{- if or (.Values.destinationController).additionalEnv (.Values.destinationController).experimentalEnv }} + env: + {{- with (.Values.destinationController).additionalEnv }} + {{- toYaml . | nindent 8 -}} + {{- end }} + {{- with (.Values.destinationController).experimentalEnv }} + {{- toYaml . | nindent 8 -}} + {{- end }} + {{- end }} + {{- include "partials.linkerd.trace" . | nindent 8 -}} + image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}} + imagePullPolicy: {{.Values.imagePullPolicy}} + livenessProbe: + httpGet: + path: /ping + port: 9996 + initialDelaySeconds: 10 + name: destination + ports: + - containerPort: 8086 + name: grpc + - containerPort: 9996 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9996 + {{- if .Values.destinationResources -}} + {{- include "partials.resources" .Values.destinationResources | nindent 8 }} + {{- end }} + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: {{.Values.controllerUID}} + {{- if ge (int .Values.controllerGID) 0 }} + runAsGroup: {{.Values.controllerGID}} + {{- end }} + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + - args: + - sp-validator + - -log-level={{.Values.controllerLogLevel}} + - -log-format={{.Values.controllerLogFormat}} + - -enable-pprof={{.Values.enablePprof | default false}} + {{- if or (.Values.spValidator).additionalEnv (.Values.spValidator).experimentalEnv }} + env: + {{- with (.Values.spValidator).additionalEnv }} + {{- toYaml . | nindent 8 -}} + {{- end }} + {{- with (.Values.spValidator).experimentalEnv }} + {{- toYaml . | nindent 8 -}} + {{- end }} + {{- end }} + image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}} + imagePullPolicy: {{.Values.imagePullPolicy}} + livenessProbe: + httpGet: + path: /ping + port: 9997 + initialDelaySeconds: 10 + name: sp-validator + ports: + - containerPort: 8443 + name: sp-validator + - containerPort: 9997 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9997 + {{- if .Values.spValidatorResources -}} + {{- include "partials.resources" .Values.spValidatorResources | nindent 8 }} + {{- end }} + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: {{.Values.controllerUID}} + {{- if ge (int .Values.controllerGID) 0 }} + runAsGroup: {{.Values.controllerGID}} + {{- end }} + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /var/run/linkerd/tls + name: sp-tls + readOnly: true + - args: + - --admin-addr={{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:9990 + - --control-plane-namespace={{.Release.Namespace}} + - --grpc-addr={{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:8090 + - --server-addr={{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:9443 + - --server-tls-key=/var/run/linkerd/tls/tls.key + - --server-tls-certs=/var/run/linkerd/tls/tls.crt + - --cluster-networks={{.Values.clusterNetworks}} + - --identity-domain={{.Values.identityTrustDomain | default .Values.clusterDomain}} + - --cluster-domain={{.Values.clusterDomain}} + - --default-policy={{.Values.proxy.defaultInboundPolicy}} + - --log-level={{.Values.policyController.logLevel | default "linkerd=info,warn"}} + - --log-format={{.Values.controllerLogFormat}} + - --default-opaque-ports={{.Values.proxy.opaquePorts}} + {{- if .Values.policyController.probeNetworks }} + - --probe-networks={{.Values.policyController.probeNetworks | join ","}} + {{- end}} + {{- range .Values.policyController.additionalArgs }} + - {{ . }} + {{- end }} + {{- range .Values.policyController.experimentalArgs }} + - {{ . }} + {{- end }} + image: {{.Values.policyController.image.name}}:{{.Values.policyController.image.version | default .Values.linkerdVersion}} + imagePullPolicy: {{.Values.policyController.image.pullPolicy | default .Values.imagePullPolicy}} + livenessProbe: + httpGet: + path: /live + port: admin-http + name: policy + ports: + - containerPort: 8090 + name: grpc + - containerPort: 9990 + name: admin-http + - containerPort: 9443 + name: policy-https + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: admin-http + initialDelaySeconds: 10 + {{- if .Values.policyController.resources }} + {{- include "partials.resources" .Values.policyController.resources | nindent 8 }} + {{- end }} + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: {{.Values.controllerUID}} + {{- if ge (int .Values.controllerGID) 0 }} + runAsGroup: {{.Values.controllerGID}} + {{- end }} + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /var/run/linkerd/tls + name: policy-tls + readOnly: true + initContainers: + {{ if .Values.cniEnabled -}} + - {{- include "partials.network-validator" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ else -}} + {{- /* + The destination controller needs to connect to the Kubernetes API before the proxy is able + to proxy requests, so we always skip these connections. + */}} + {{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts -}} + - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + {{- if $tree.Values.proxy.nativeSidecar }} + {{- $_ := set $tree.Values.proxy "startupProbeInitialDelaySeconds" 35 }} + {{- $_ := set $tree.Values.proxy "startupProbePeriodSeconds" 5 }} + {{- $_ := set $tree.Values.proxy "startupProbeFailureThreshold" 20 }} + - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + {{- if .Values.priorityClassName -}} + priorityClassName: {{ .Values.priorityClassName }} + {{ end -}} + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: linkerd-destination + volumes: + - name: sp-tls + secret: + secretName: linkerd-sp-validator-k8s-tls + - name: policy-tls + secret: + secretName: linkerd-policy-validator-k8s-tls + {{ if not .Values.cniEnabled -}} + - {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + {{if .Values.identity.serviceAccountTokenProjection -}} + - {{- include "partials.proxy.volumes.service-account-token" . | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/templates/heartbeat-rbac.yaml b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/heartbeat-rbac.yaml new file mode 100644 index 000000000..7b127543f --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/heartbeat-rbac.yaml @@ -0,0 +1,78 @@ +{{ if not .Values.disableHeartBeat -}} +--- +### +### Heartbeat RBAC +### +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-heartbeat + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +rules: +- apiGroups: [""] + resources: ["configmaps"] + verbs: ["get"] + resourceNames: ["linkerd-config"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-heartbeat + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +roleRef: + kind: Role + name: linkerd-heartbeat + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-heartbeat + namespace: {{.Release.Namespace}} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: linkerd-heartbeat + labels: + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +rules: +- apiGroups: [""] + resources: ["namespaces"] + verbs: ["list"] +- apiGroups: ["linkerd.io"] + resources: ["serviceprofiles"] + verbs: ["list"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: linkerd-heartbeat + labels: + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +roleRef: + kind: ClusterRole + name: linkerd-heartbeat + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-heartbeat + namespace: {{.Release.Namespace}} +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-heartbeat + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: heartbeat + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }} +{{- end }} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/templates/heartbeat.yaml b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/heartbeat.yaml new file mode 100644 index 000000000..956537623 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/heartbeat.yaml @@ -0,0 +1,94 @@ +{{ if not .Values.disableHeartBeat -}} +--- +### +### Heartbeat +### +apiVersion: batch/v1 +kind: CronJob +metadata: + name: linkerd-heartbeat + namespace: {{ .Release.Namespace }} + labels: + app.kubernetes.io/name: heartbeat + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: {{.Values.linkerdVersion}} + linkerd.io/control-plane-component: heartbeat + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + concurrencyPolicy: Replace + {{ if .Values.heartbeatSchedule -}} + schedule: "{{.Values.heartbeatSchedule}}" + {{ else -}} + schedule: "{{ dateInZone "04 15 * * *" (now | mustDateModify "+10m") "UTC"}}" + {{ end -}} + successfulJobsHistoryLimit: 0 + jobTemplate: + spec: + template: + metadata: + labels: + linkerd.io/control-plane-component: heartbeat + linkerd.io/workload-ns: {{.Release.Namespace}} + {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 12 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} + {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 12 }}{{- end }} + spec: + {{- if .Values.priorityClassName }} + priorityClassName: {{ .Values.priorityClassName }} + {{- end -}} + {{- with .Values.runtimeClassName }} + runtimeClassName: {{ . | quote }} + {{- end }} + {{- if .Values.tolerations -}} + {{- include "linkerd.tolerations" . | nindent 10 }} + {{- end -}} + {{- include "linkerd.node-selector" . | nindent 10 }} + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: linkerd-heartbeat + restartPolicy: Never + containers: + - name: heartbeat + image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}} + imagePullPolicy: {{.Values.imagePullPolicy}} + env: + - name: LINKERD_DISABLED + value: "the heartbeat controller does not use the proxy" + {{- with (.Values.heartbeat).additionalEnv }} + {{- toYaml . | nindent 12 -}} + {{- end }} + {{- with (.Values.heartbeat).experimentalEnv }} + {{- toYaml . | nindent 12 -}} + {{- end }} + args: + - "heartbeat" + - "-controller-namespace={{.Release.Namespace}}" + - "-log-level={{.Values.controllerLogLevel}}" + - "-log-format={{.Values.controllerLogFormat}}" + {{- if .Values.prometheusUrl }} + - "-prometheus-url={{.Values.prometheusUrl}}" + {{- else }} + - "-prometheus-url=http://prometheus.linkerd-viz.svc.{{.Values.clusterDomain}}:9090" + {{- end }} + {{- if .Values.heartbeatResources -}} + {{- include "partials.resources" .Values.heartbeatResources | nindent 12 }} + {{- end }} + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: {{.Values.controllerUID}} + {{- if ge (int .Values.controllerGID) 0 }} + runAsGroup: {{.Values.controllerGID}} + {{- end }} + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault +{{- end }} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/templates/identity-rbac.yaml b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/identity-rbac.yaml new file mode 100644 index 000000000..6efdb4e10 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/identity-rbac.yaml @@ -0,0 +1,49 @@ +--- +### +### Identity Controller Service RBAC +### +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Release.Namespace}}-identity + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +rules: +- apiGroups: ["authentication.k8s.io"] + resources: ["tokenreviews"] + verbs: ["create"] +# TODO(ver) Restrict this to the Linkerd namespace. See +# https://github.com/linkerd/linkerd2/issues/9367 +- apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Release.Namespace}}-identity + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: linkerd-{{.Release.Namespace}}-identity +subjects: +- kind: ServiceAccount + name: linkerd-identity + namespace: {{.Release.Namespace}} +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/templates/identity.yaml b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/identity.yaml new file mode 100644 index 000000000..bd3bcbe31 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/identity.yaml @@ -0,0 +1,267 @@ +{{if .Values.identity -}} +--- +### +### Identity Controller Service +### +{{ if and (.Values.identity.issuer) (eq .Values.identity.issuer.scheme "linkerd.io/tls") -}} +--- +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-identity-issuer + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +data: + crt.pem: {{b64enc (required "Please provide the identity issuer certificate" .Values.identity.issuer.tls.crtPEM | trim)}} + key.pem: {{b64enc (required "Please provide the identity issue private key" .Values.identity.issuer.tls.keyPEM | trim)}} +{{- end}} +{{ if not (.Values.identity.externalCA) -}} +--- +kind: ConfigMap +apiVersion: v1 +metadata: + name: linkerd-identity-trust-roots + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +data: + ca-bundle.crt: |-{{.Values.identityTrustAnchorsPEM | trim | nindent 4}} +{{- end}} +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-identity + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: identity + ports: + - name: grpc + port: 8080 + targetPort: 8080 +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-identity-headless + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + clusterIP: None + selector: + linkerd.io/control-plane-component: identity + ports: + - name: grpc + port: 8080 + targetPort: 8080 +{{- if .Values.enablePodDisruptionBudget }} +--- +kind: PodDisruptionBudget +apiVersion: policy/v1 +metadata: + name: linkerd-identity + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }} + selector: + matchLabels: + linkerd.io/control-plane-component: identity +{{- end }} +--- +{{- $tree := deepCopy . }} +{{ $_ := set $tree.Values.proxy "workloadKind" "deployment" -}} +{{ $_ := set $tree.Values.proxy "component" "linkerd-identity" -}} +{{ $_ := set $tree.Values.proxy "waitBeforeExitSeconds" 0 -}} +{{- if not (empty .Values.identityProxyResources) }} +{{- $c := dig "cores" .Values.proxy.cores .Values.identityProxyResources }} +{{- $_ := set $tree.Values.proxy "cores" $c }} +{{- $r := merge .Values.identityProxyResources .Values.proxy.resources }} +{{- $_ := set $tree.Values.proxy "resources" $r }} +{{- end }} +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + app.kubernetes.io/name: identity + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: {{.Values.linkerdVersion}} + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + name: linkerd-identity + namespace: {{ .Release.Namespace }} +spec: + replicas: {{.Values.controllerReplicas}} + revisionHistoryLimit: {{.Values.revisionHistoryLimit}} + selector: + matchLabels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 6}} + {{- if .Values.deploymentStrategy }} + strategy: + {{- with .Values.deploymentStrategy }}{{ toYaml . | trim | nindent 4 }}{{- end }} + {{- end }} + template: + metadata: + annotations: + {{ include "partials.annotations.created-by" . }} + {{- include "partials.proxy.annotations" . | nindent 8}} + {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }} + config.linkerd.io/default-inbound-policy: "all-unauthenticated" + labels: + linkerd.io/control-plane-component: identity + linkerd.io/control-plane-ns: {{.Release.Namespace}} + linkerd.io/workload-ns: {{.Release.Namespace}} + {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 8}} + {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }} + spec: + {{- with .Values.runtimeClassName }} + runtimeClassName: {{ . | quote }} + {{- end }} + {{- if .Values.tolerations -}} + {{- include "linkerd.tolerations" . | nindent 6 }} + {{- end -}} + {{- include "linkerd.node-selector" . | nindent 6 }} + {{- $_ := set $tree "component" "identity" -}} + {{- include "linkerd.affinity" $tree | nindent 6 }} + containers: + - args: + - identity + - -log-level={{.Values.controllerLogLevel}} + - -log-format={{.Values.controllerLogFormat}} + - -controller-namespace={{.Release.Namespace}} + - -identity-trust-domain={{.Values.identityTrustDomain | default .Values.clusterDomain}} + - -identity-issuance-lifetime={{.Values.identity.issuer.issuanceLifetime}} + - -identity-clock-skew-allowance={{.Values.identity.issuer.clockSkewAllowance}} + - -identity-scheme={{.Values.identity.issuer.scheme}} + - -enable-pprof={{.Values.enablePprof | default false}} + - -kube-apiclient-qps={{.Values.identity.kubeAPI.clientQPS}} + - -kube-apiclient-burst={{.Values.identity.kubeAPI.clientBurst}} + {{- include "partials.linkerd.trace" . | nindent 8 -}} + env: + - name: LINKERD_DISABLED + value: "linkerd-await cannot block the identity controller" + {{- with (.Values.identity).additionalEnv }} + {{- toYaml . | nindent 8 -}} + {{- end }} + {{- with (.Values.identity).experimentalEnv }} + {{- toYaml . | nindent 8 -}} + {{- end }} + image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}} + imagePullPolicy: {{.Values.imagePullPolicy}} + livenessProbe: + httpGet: + path: /ping + port: 9990 + initialDelaySeconds: 10 + name: identity + ports: + - containerPort: 8080 + name: grpc + - containerPort: 9990 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9990 + {{- if .Values.identityResources -}} + {{- include "partials.resources" .Values.identityResources | nindent 8 }} + {{- end }} + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: {{.Values.controllerUID}} + {{- if ge (int .Values.controllerGID) 0 }} + runAsGroup: {{.Values.controllerGID}} + {{- end }} + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /var/run/linkerd/identity/issuer + name: identity-issuer + - mountPath: /var/run/linkerd/identity/trust-roots/ + name: trust-roots + {{- $_ := set $tree.Values.proxy "await" false }} + {{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }} + {{- $_ := set $tree.Values.proxy "podInboundPorts" "8080,9990" }} + {{- $_ := set $tree.Values.proxy "nativeSidecar" false }} + {{- /* + The identity controller cannot discover policies, so we configure it with defaults that + enforce TLS on the identity service. + */}} + {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }} + {{- $_ := set $tree.Values.proxy "requireTLSOnInboundPorts" "8080" }} + {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }} + {{- $_ := set $tree.Values.proxy "outboundDiscoveryCacheUnusedTimeout" "5s" }} + {{- $_ := set $tree.Values.proxy "inboundDiscoveryCacheUnusedTimeout" "90s" }} + - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + initContainers: + {{ if .Values.cniEnabled -}} + - {{- include "partials.network-validator" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ else -}} + {{- /* + The identity controller needs to connect to the Kubernetes API before the proxy is able to + proxy requests, so we always skip these connections. The identity controller makes no other + outbound connections (so it's not important to persist any other skip ports here) + */}} + {{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts -}} + - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + {{- if .Values.priorityClassName -}} + priorityClassName: {{ .Values.priorityClassName }} + {{ end -}} + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: linkerd-identity + volumes: + - name: identity-issuer + secret: + secretName: linkerd-identity-issuer + - configMap: + name: linkerd-identity-trust-roots + name: trust-roots + {{ if not .Values.cniEnabled -}} + - {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + {{if .Values.identity.serviceAccountTokenProjection -}} + - {{- include "partials.proxy.volumes.service-account-token" . | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }} +{{end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/templates/namespace.yaml b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/namespace.yaml new file mode 100644 index 000000000..61461c132 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/namespace.yaml @@ -0,0 +1,18 @@ +{{- if eq .Release.Service "CLI" -}} +--- +### +### Linkerd Namespace +### +kind: Namespace +apiVersion: v1 +metadata: + name: {{ .Release.Namespace }} + annotations: + linkerd.io/inject: disabled + labels: + linkerd.io/is-control-plane: "true" + config.linkerd.io/admission-webhooks: disabled + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- /* linkerd-init requires extended capabilities and so requires priviledged mode */}} + pod-security.kubernetes.io/enforce: {{ ternary "restricted" "privileged" .Values.cniEnabled }} +{{ end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/templates/podmonitor.yaml b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/podmonitor.yaml new file mode 100644 index 000000000..fd2b5d6ce --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/podmonitor.yaml @@ -0,0 +1,128 @@ +{{- $podMonitor := .Values.podMonitor -}} +{{- if and $podMonitor.enabled $podMonitor.controller.enabled }} +--- +### +### Prometheus Operator PodMonitor for Linkerd control-plane +### +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: "linkerd-controller" + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-ns: {{ .Release.Namespace }} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + {{- with .Values.podMonitor.labels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + namespaceSelector: {{ tpl .Values.podMonitor.controller.namespaceSelector . | nindent 4 }} + selector: + matchLabels: {} + podMetricsEndpoints: + - interval: {{ $podMonitor.scrapeInterval }} + scrapeTimeout: {{ $podMonitor.scrapeTimeout }} + relabelings: + - sourceLabels: + - __meta_kubernetes_pod_container_port_name + action: keep + regex: admin-http + - sourceLabels: + - __meta_kubernetes_pod_container_name + action: replace + targetLabel: component +{{- end }} +{{- if and $podMonitor.enabled $podMonitor.serviceMirror.enabled }} +--- +### +### Prometheus Operator PodMonitor for Linkerd Service Mirror (multi-cluster) +### +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: "linkerd-service-mirror" + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-ns: {{ .Release.Namespace }} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + {{- with .Values.podMonitor.labels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + namespaceSelector: + any: true + selector: + matchLabels: {} + podMetricsEndpoints: + - interval: {{ $podMonitor.scrapeInterval }} + scrapeTimeout: {{ $podMonitor.scrapeTimeout }} + relabelings: + - sourceLabels: + - __meta_kubernetes_pod_label_linkerd_io_control_plane_component + - __meta_kubernetes_pod_container_port_name + action: keep + regex: linkerd-service-mirror;admin-http$ + - sourceLabels: + - __meta_kubernetes_pod_container_name + action: replace + targetLabel: component +{{- end }} +{{- if and $podMonitor.enabled $podMonitor.proxy.enabled }} +--- +### +### Prometheus Operator PodMonitor Linkerd data-plane +### +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: "linkerd-proxy" + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-ns: {{ .Release.Namespace }} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + {{- with .Values.podMonitor.labels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + namespaceSelector: + any: true + selector: + matchLabels: {} + podMetricsEndpoints: + - interval: {{ $podMonitor.scrapeInterval }} + scrapeTimeout: {{ $podMonitor.scrapeTimeout }} + relabelings: + - sourceLabels: + - __meta_kubernetes_pod_container_name + - __meta_kubernetes_pod_container_port_name + - __meta_kubernetes_pod_label_linkerd_io_control_plane_ns + action: keep + regex: ^linkerd-proxy;linkerd-admin;{{ .Release.Namespace }}$ + - sourceLabels: [ __meta_kubernetes_namespace ] + action: replace + targetLabel: namespace + - sourceLabels: [ __meta_kubernetes_pod_name ] + action: replace + targetLabel: pod + - sourceLabels: [ __meta_kubernetes_pod_label_linkerd_io_proxy_job ] + action: replace + targetLabel: k8s_job + - action: labeldrop + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_job + - action: labelmap + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) + - action: labeldrop + regex: __meta_kubernetes_pod_label_linkerd_io_proxy_(.+) + - action: labelmap + regex: __meta_kubernetes_pod_label_linkerd_io_(.+) + - action: labelmap + regex: __meta_kubernetes_pod_label_(.+) + replacement: __tmp_pod_label_$1 + - action: labelmap + regex: __tmp_pod_label_linkerd_io_(.+) + replacement: __tmp_pod_label_$1 + - action: labeldrop + regex: __tmp_pod_label_linkerd_io_(.+) + - action: labelmap + regex: __tmp_pod_label_(.+) +{{- end }} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/templates/proxy-injector-rbac.yaml b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/proxy-injector-rbac.yaml new file mode 100644 index 000000000..c2c84c5c1 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/proxy-injector-rbac.yaml @@ -0,0 +1,120 @@ +--- +### +### Proxy Injector RBAC +### +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Release.Namespace}}-proxy-injector + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +rules: +- apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +- apiGroups: [""] + resources: ["namespaces", "replicationcontrollers"] + verbs: ["list", "get", "watch"] +- apiGroups: [""] + resources: ["pods"] + verbs: ["list", "watch"] +- apiGroups: ["extensions", "apps"] + resources: ["deployments", "replicasets", "daemonsets", "statefulsets"] + verbs: ["list", "get", "watch"] +- apiGroups: ["extensions", "batch"] + resources: ["cronjobs", "jobs"] + verbs: ["list", "get", "watch"] +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: linkerd-{{.Release.Namespace}}-proxy-injector + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +subjects: +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: {{.Release.Namespace}} + apiGroup: "" +roleRef: + kind: ClusterRole + name: linkerd-{{.Release.Namespace}}-proxy-injector + apiGroup: rbac.authorization.k8s.io +--- +kind: ServiceAccount +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +{{- include "partials.image-pull-secrets" .Values.imagePullSecrets }} +--- +{{- $host := printf "linkerd-proxy-injector.%s.svc" .Release.Namespace }} +{{- $ca := genSelfSignedCert $host (list) (list $host) 365 }} +{{- if (not .Values.proxyInjector.externalSecret) }} +kind: Secret +apiVersion: v1 +metadata: + name: linkerd-proxy-injector-k8s-tls + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +type: kubernetes.io/tls +data: + tls.crt: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.proxyInjector.crtPEM)) (empty .Values.proxyInjector.crtPEM) }} + tls.key: {{ ternary (b64enc (trim $ca.Key)) (b64enc (trim .Values.proxyInjector.keyPEM)) (empty .Values.proxyInjector.keyPEM) }} +--- +{{- end }} +{{- include "linkerd.webhook.validation" .Values.proxyInjector }} +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: linkerd-proxy-injector-webhook-config + {{- if or (.Values.proxyInjector.injectCaFrom) (.Values.proxyInjector.injectCaFromSecret) }} + annotations: + {{- if .Values.proxyInjector.injectCaFrom }} + cert-manager.io/inject-ca-from: {{ .Values.proxyInjector.injectCaFrom }} + {{- end }} + {{- if .Values.proxyInjector.injectCaFromSecret }} + cert-manager.io/inject-ca-from-secret: {{ .Values.proxyInjector.injectCaFromSecret }} + {{- end }} + {{- end }} + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +webhooks: +- name: linkerd-proxy-injector.linkerd.io + namespaceSelector: + {{- toYaml .Values.proxyInjector.namespaceSelector | trim | nindent 4 }} + objectSelector: + {{- toYaml .Values.proxyInjector.objectSelector | trim | nindent 4 }} + clientConfig: + service: + name: linkerd-proxy-injector + namespace: {{ .Release.Namespace }} + path: "/" + {{- if and (empty .Values.proxyInjector.injectCaFrom) (empty .Values.proxyInjector.injectCaFromSecret) }} + caBundle: {{ ternary (b64enc (trim $ca.Cert)) (b64enc (trim .Values.proxyInjector.caBundle)) (empty .Values.proxyInjector.caBundle) }} + {{- end }} + failurePolicy: {{.Values.webhookFailurePolicy}} + admissionReviewVersions: ["v1", "v1beta1"] + rules: + - operations: [ "CREATE" ] + apiGroups: [""] + apiVersions: ["v1"] + resources: ["pods", "services"] + scope: "Namespaced" + sideEffects: None + timeoutSeconds: {{ .Values.proxyInjector.timeoutSeconds | default 10 }} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/templates/proxy-injector.yaml b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/proxy-injector.yaml new file mode 100644 index 000000000..0f6b3bb87 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/proxy-injector.yaml @@ -0,0 +1,216 @@ +--- +### +### Proxy Injector +### +{{- $tree := deepCopy . }} +{{ $_ := set $tree.Values.proxy "workloadKind" "deployment" -}} +{{ $_ := set $tree.Values.proxy "component" "linkerd-proxy-injector" -}} +{{ $_ := set $tree.Values.proxy "waitBeforeExitSeconds" 0 -}} +{{- if not (empty .Values.proxyInjectorProxyResources) }} +{{- $c := dig "cores" .Values.proxy.cores .Values.proxyInjectorProxyResources }} +{{- $_ := set $tree.Values.proxy "cores" $c }} +{{- $r := merge .Values.proxyInjectorProxyResources .Values.proxy.resources }} +{{- $_ := set $tree.Values.proxy "resources" $r }} +{{- end }} +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + app.kubernetes.io/name: proxy-injector + app.kubernetes.io/part-of: Linkerd + app.kubernetes.io/version: {{.Values.linkerdVersion}} + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + name: linkerd-proxy-injector + namespace: {{ .Release.Namespace }} +spec: + replicas: {{.Values.controllerReplicas}} + revisionHistoryLimit: {{.Values.revisionHistoryLimit}} + selector: + matchLabels: + linkerd.io/control-plane-component: proxy-injector + {{- if .Values.deploymentStrategy }} + strategy: + {{- with .Values.deploymentStrategy }}{{ toYaml . | trim | nindent 4 }}{{- end }} + {{- end }} + template: + metadata: + annotations: + checksum/config: {{ include (print $.Template.BasePath "/proxy-injector-rbac.yaml") . | sha256sum }} + {{ include "partials.annotations.created-by" . }} + {{- include "partials.proxy.annotations" . | nindent 8}} + {{- with .Values.podAnnotations }}{{ toYaml . | trim | nindent 8 }}{{- end }} + config.linkerd.io/opaque-ports: "8443" + config.linkerd.io/default-inbound-policy: "all-unauthenticated" + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: {{.Release.Namespace}} + linkerd.io/workload-ns: {{.Release.Namespace}} + {{- include "partials.proxy.labels" $tree.Values.proxy | nindent 8}} + {{- with .Values.podLabels }}{{ toYaml . | trim | nindent 8 }}{{- end }} + spec: + {{- with .Values.runtimeClassName }} + runtimeClassName: {{ . | quote }} + {{- end }} + {{- if .Values.tolerations -}} + {{- include "linkerd.tolerations" . | nindent 6 }} + {{- end -}} + {{- include "linkerd.node-selector" . | nindent 6 }} + {{- $_ := set $tree "component" "proxy-injector" -}} + {{- include "linkerd.affinity" $tree | nindent 6 }} + containers: + {{- $_ := set $tree.Values.proxy "await" $tree.Values.proxy.await }} + {{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }} + {{- $_ := set $tree.Values.proxy "podInboundPorts" "8443,9995" }} + {{- /* + The pod needs to accept webhook traffic, and we can't rely on that originating in the + cluster network. + */}} + {{- $_ := set $tree.Values.proxy "defaultInboundPolicy" "all-unauthenticated" }} + {{- $_ := set $tree.Values.proxy "capabilities" (dict "drop" (list "ALL")) }} + {{- $_ := set $tree.Values.proxy "outboundDiscoveryCacheUnusedTimeout" "5s" }} + {{- $_ := set $tree.Values.proxy "inboundDiscoveryCacheUnusedTimeout" "90s" }} + {{- if not $tree.Values.proxy.nativeSidecar }} + - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{- end }} + - args: + - proxy-injector + - -log-level={{.Values.controllerLogLevel}} + - -log-format={{.Values.controllerLogFormat}} + - -linkerd-namespace={{.Release.Namespace}} + - -enable-pprof={{.Values.enablePprof | default false}} + {{- if or (.Values.proxyInjector).additionalEnv (.Values.proxyInjector).experimentalEnv }} + env: + {{- with (.Values.proxyInjector).additionalEnv }} + {{- toYaml . | nindent 8 -}} + {{- end }} + {{- with (.Values.proxyInjector).experimentalEnv }} + {{- toYaml . | nindent 8 -}} + {{- end }} + {{- end }} + image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}} + imagePullPolicy: {{.Values.imagePullPolicy}} + livenessProbe: + httpGet: + path: /ping + port: 9995 + initialDelaySeconds: 10 + name: proxy-injector + ports: + - containerPort: 8443 + name: proxy-injector + - containerPort: 9995 + name: admin-http + readinessProbe: + failureThreshold: 7 + httpGet: + path: /ready + port: 9995 + {{- if .Values.proxyInjectorResources -}} + {{- include "partials.resources" .Values.proxyInjectorResources | nindent 8 }} + {{- end }} + securityContext: + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: {{.Values.controllerUID}} + {{- if ge (int .Values.controllerGID) 0 }} + runAsGroup: {{.Values.controllerGID}} + {{- end }} + allowPrivilegeEscalation: false + seccompProfile: + type: RuntimeDefault + volumeMounts: + - mountPath: /var/run/linkerd/config + name: config + - mountPath: /var/run/linkerd/identity/trust-roots + name: trust-roots + - mountPath: /var/run/linkerd/tls + name: tls + readOnly: true + initContainers: + {{ if .Values.cniEnabled -}} + - {{- include "partials.network-validator" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ else -}} + {{- /* + The controller needs to connect to the Kubernetes API. There's no reason + to put the proxy in the way of that. + */}} + {{- $_ := set $tree.Values.proxyInit "ignoreOutboundPorts" .Values.proxyInit.kubeAPIServerPorts -}} + - {{- include "partials.proxy-init" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + {{- if $tree.Values.proxy.nativeSidecar }} + {{- $_ := set $tree.Values.proxy "startupProbeInitialDelaySeconds" 35 }} + {{- $_ := set $tree.Values.proxy "startupProbePeriodSeconds" 5 }} + {{- $_ := set $tree.Values.proxy "startupProbeFailureThreshold" 20 }} + - {{- include "partials.proxy" $tree | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + {{- if .Values.priorityClassName -}} + priorityClassName: {{ .Values.priorityClassName }} + {{ end -}} + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: linkerd-proxy-injector + volumes: + - configMap: + name: linkerd-config + name: config + - configMap: + name: linkerd-identity-trust-roots + name: trust-roots + - name: tls + secret: + secretName: linkerd-proxy-injector-k8s-tls + {{ if not .Values.cniEnabled -}} + - {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + {{if .Values.identity.serviceAccountTokenProjection -}} + - {{- include "partials.proxy.volumes.service-account-token" . | indent 8 | trimPrefix (repeat 7 " ") }} + {{ end -}} + - {{- include "partials.proxy.volumes.identity" . | indent 8 | trimPrefix (repeat 7 " ") }} +--- +kind: Service +apiVersion: v1 +metadata: + name: linkerd-proxy-injector + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} + config.linkerd.io/opaque-ports: "443" +spec: + type: ClusterIP + selector: + linkerd.io/control-plane-component: proxy-injector + ports: + - name: proxy-injector + port: 443 + targetPort: proxy-injector +{{- if .Values.enablePodDisruptionBudget }} +--- +kind: PodDisruptionBudget +apiVersion: policy/v1 +metadata: + name: linkerd-proxy-injector + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-component: proxy-injector + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} + annotations: + {{ include "partials.annotations.created-by" . }} +spec: + maxUnavailable: {{ .Values.controller.podDisruptionBudget.maxUnavailable }} + selector: + matchLabels: + linkerd.io/control-plane-component: proxy-injector +{{- end }} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/templates/psp.yaml b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/psp.yaml new file mode 100644 index 000000000..db91fea67 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/templates/psp.yaml @@ -0,0 +1,119 @@ +{{ if .Values.enablePSP -}} +--- +### +### Control Plane PSP +### +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: linkerd-{{.Release.Namespace}}-control-plane + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: "runtime/default" + labels: + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +spec: + {{- if or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.runAsRoot }} + allowPrivilegeEscalation: true + {{- else }} + allowPrivilegeEscalation: false + {{- end }} + readOnlyRootFilesystem: true + {{- if empty .Values.cniEnabled }} + allowedCapabilities: + - NET_ADMIN + - NET_RAW + {{- end}} + requiredDropCapabilities: + - ALL + hostNetwork: false + hostIPC: false + hostPID: false + seLinux: + rule: RunAsAny + runAsUser: + {{- if .Values.cniEnabled }} + rule: MustRunAsNonRoot + {{- else }} + rule: RunAsAny + {{- end }} + runAsGroup: + {{- if .Values.cniEnabled }} + rule: MustRunAs + ranges: + - min: 1000 + max: 999999 + {{- else }} + rule: RunAsAny + {{- end }} + supplementalGroups: + rule: MustRunAs + ranges: + {{- if .Values.cniEnabled }} + - min: 10001 + max: 65535 + {{- else }} + - min: 1 + max: 65535 + {{- end }} + fsGroup: + rule: MustRunAs + ranges: + {{- if .Values.cniEnabled }} + - min: 10001 + max: 65535 + {{- else }} + - min: 1 + max: 65535 + {{- end }} + volumes: + - configMap + - emptyDir + - secret + - projected + - downwardAPI + - persistentVolumeClaim +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: linkerd-psp + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +rules: +- apiGroups: ['policy', 'extensions'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - linkerd-{{.Release.Namespace}}-control-plane +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: linkerd-psp + namespace: {{ .Release.Namespace }} + labels: + linkerd.io/control-plane-ns: {{.Release.Namespace}} + {{- with .Values.commonLabels }}{{ toYaml . | trim | nindent 4 }}{{- end }} +roleRef: + kind: Role + name: linkerd-psp + apiGroup: rbac.authorization.k8s.io +subjects: +- kind: ServiceAccount + name: linkerd-destination + namespace: {{.Release.Namespace}} +{{ if not .Values.disableHeartBeat -}} +- kind: ServiceAccount + name: linkerd-heartbeat + namespace: {{.Release.Namespace}} +{{ end -}} +- kind: ServiceAccount + name: linkerd-identity + namespace: {{.Release.Namespace}} +- kind: ServiceAccount + name: linkerd-proxy-injector + namespace: {{.Release.Namespace}} +{{ end -}} diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/values-ha.yaml b/charts/linkerd/linkerd-control-plane/2024.8.3/values-ha.yaml new file mode 100644 index 000000000..e3b8cbc07 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/values-ha.yaml @@ -0,0 +1,63 @@ +# This values.yaml file contains the values needed to enable HA mode. +# Usage: +# helm install -f values-ha.yaml + +# -- Create PodDisruptionBudget resources for each control plane workload +enablePodDisruptionBudget: true + +controller: + # -- sets pod disruption budget parameter for all deployments + podDisruptionBudget: + # -- Maximum number of pods that can be unavailable during disruption + maxUnavailable: 1 + +# -- Specify a deployment strategy for each control plane workload +deploymentStrategy: + rollingUpdate: + maxUnavailable: 1 + maxSurge: 25% + +# -- add PodAntiAffinity to each control plane workload +enablePodAntiAffinity: true + +# nodeAffinity: + +# proxy configuration +proxy: + resources: + cpu: + request: 100m + memory: + limit: 250Mi + request: 20Mi + +# controller configuration +controllerReplicas: 3 +controllerResources: &controller_resources + cpu: &controller_resources_cpu + limit: "" + request: 100m + memory: + limit: 250Mi + request: 50Mi +destinationResources: *controller_resources + +# identity configuration +identityResources: + cpu: *controller_resources_cpu + memory: + limit: 250Mi + request: 10Mi + +# heartbeat configuration +heartbeatResources: *controller_resources + +# proxy injector configuration +proxyInjectorResources: *controller_resources +webhookFailurePolicy: Fail + +# service profile validator configuration +spValidatorResources: *controller_resources + +# flag for linkerd check +highAvailability: true diff --git a/charts/linkerd/linkerd-control-plane/2024.8.3/values.yaml b/charts/linkerd/linkerd-control-plane/2024.8.3/values.yaml new file mode 100644 index 000000000..b96b84355 --- /dev/null +++ b/charts/linkerd/linkerd-control-plane/2024.8.3/values.yaml @@ -0,0 +1,638 @@ +# Default values for linkerd. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +# -- Kubernetes DNS Domain name to use +clusterDomain: cluster.local + +# -- The cluster networks for which service discovery is performed. This should +# include the pod and service networks, but need not include the node network. +# +# By default, all IPv4 private networks and all accepted IPv6 ULAs are +# specified so that resolution works in typical Kubernetes environments. +clusterNetworks: "10.0.0.0/8,100.64.0.0/10,172.16.0.0/12,192.168.0.0/16,fd00::/8" +# -- Docker image pull policy +imagePullPolicy: IfNotPresent +# -- Specifies the number of old ReplicaSets to retain to allow rollback. +revisionHistoryLimit: 10 +# -- Log level for the control plane components +controllerLogLevel: info +# -- Log format for the control plane components +controllerLogFormat: plain +# -- enables control plane tracing +controlPlaneTracing: false +# -- namespace to send control plane traces to +controlPlaneTracingNamespace: linkerd-jaeger +# -- control plane version. See Proxy section for proxy version +linkerdVersion: edge-24.8.3 +# -- default kubernetes deployment strategy +deploymentStrategy: + rollingUpdate: + maxUnavailable: 25% + maxSurge: 25% +# -- enables the use of EndpointSlice informers for the destination service; +# enableEndpointSlices should be set to true only if EndpointSlice K8s feature +# gate is on +enableEndpointSlices: true +# -- enables pod anti affinity creation on deployments for high availability +enablePodAntiAffinity: false +# -- enables the use of pprof endpoints on control plane component's admin +# servers +enablePprof: false +# -- enables the creation of pod disruption budgets for control plane components +enablePodDisruptionBudget: false +# -- disables routing IPv6 traffic in addition to IPv4 traffic through the +# proxy (IPv6 routing only available as of proxy-init v2.3.0 and linkerd-cni +# v1.4.0) +disableIPv6: true + +controller: + # -- sets pod disruption budget parameter for all deployments + podDisruptionBudget: + # -- Maximum number of pods that can be unavailable during disruption + maxUnavailable: 1 +# -- enabling this omits the NET_ADMIN capability in the PSP +# and the proxy-init container when injecting the proxy; +# requires the linkerd-cni plugin to already be installed +cniEnabled: false +# -- Trust root certificate (ECDSA). It must be provided during install. +identityTrustAnchorsPEM: | +# -- Trust domain used for identity +# @default -- clusterDomain +identityTrustDomain: "" +kubeAPI: &kubeapi + # -- Maximum QPS sent to the kube-apiserver before throttling. + # See [token bucket rate limiter + # implementation](https://github.com/kubernetes/client-go/blob/v12.0.0/util/flowcontrol/throttle.go) + clientQPS: 100 + # -- Burst value over clientQPS + clientBurst: 200 +# -- Additional annotations to add to all pods +podAnnotations: {} +# -- Additional labels to add to all pods +podLabels: {} +# -- Labels to apply to all resources +commonLabels: {} +# -- Kubernetes priorityClassName for the Linkerd Pods +priorityClassName: "" +# -- Runtime Class Name for all the pods +runtimeClassName: "" + +# policy controller configuration +policyController: + image: + # -- Docker image for the policy controller + name: cr.l5d.io/linkerd/policy-controller + # -- Pull policy for the policy controller container image + # @default -- imagePullPolicy + pullPolicy: "" + # -- Tag for the policy controller container image + # @default -- linkerdVersion + version: "" + + # -- Log level for the policy controller + logLevel: info + + # -- The networks from which probes are performed. + # + # By default, all networks are allowed so that all probes are authorized. + probeNetworks: + - 0.0.0.0/0 + - "::/0" + + # -- policy controller resource requests & limits + resources: + cpu: + # -- Maximum amount of CPU units that the policy controller can use + limit: "" + # -- Amount of CPU units that the policy controller requests + request: "" + memory: + # -- Maximum amount of memory that the policy controller can use + limit: "" + # -- Maximum amount of memory that the policy controller requests + request: "" + ephemeral-storage: + # -- Maximum amount of ephemeral storage that the policy controller can use + limit: "" + # -- Amount of ephemeral storage that the policy controller requests + request: "" + +# proxy configuration +proxy: + # -- Enable service profiles for non-Kubernetes services + enableExternalProfiles: false + # -- Maximum time allowed for the proxy to establish an outbound TCP + # connection + outboundConnectTimeout: 1000ms + # -- Maximum time allowed for the proxy to establish an inbound TCP + # connection + inboundConnectTimeout: 100ms + # -- Maximum time allowed before an unused outbound discovery result + # is evicted from the cache + outboundDiscoveryCacheUnusedTimeout: "5s" + # -- Maximum time allowed before an unused inbound discovery result + # is evicted from the cache + inboundDiscoveryCacheUnusedTimeout: "90s" + # -- When set to true, disables the protocol detection timeout on the + # outbound side of the proxy by setting it to a very high value + disableOutboundProtocolDetectTimeout: false + # -- When set to true, disables the protocol detection timeout on the inbound + # side of the proxy by setting it to a very high value + disableInboundProtocolDetectTimeout: false + image: + # -- Docker image for the proxy + name: cr.l5d.io/linkerd/proxy + # -- Pull policy for the proxy container image + # @default -- imagePullPolicy + pullPolicy: "" + # -- Tag for the proxy container image + # @default -- linkerdVersion + version: "" + # -- Enables the proxy's /shutdown admin endpoint + enableShutdownEndpoint: false + # -- Log level for the proxy + logLevel: warn,linkerd=info,hickory=error + # -- Log format (`plain` or `json`) for the proxy + logFormat: plain + # -- (`off` or `insecure`) If set to `off`, will prevent the proxy from + # logging HTTP headers. If set to `insecure`, HTTP headers may be logged + # verbatim. Note that setting this to `insecure` is not alone sufficient to + # log HTTP headers; the proxy logLevel must also be set to debug. + logHTTPHeaders: "off" + ports: + # -- Admin port for the proxy container + admin: 4191 + # -- Control port for the proxy container + control: 4190 + # -- Inbound port for the proxy container + inbound: 4143 + # -- Outbound port for the proxy container + outbound: 4140 + # -- The `cpu.limit` and `cores` should be kept in sync. The value of `cores` + # must be an integer and should typically be set by rounding up from the + # limit. E.g. if cpu.limit is '1500m', cores should be 2. + cores: 0 + resources: + cpu: + # -- Maximum amount of CPU units that the proxy can use + limit: "" + # -- Amount of CPU units that the proxy requests + request: "" + memory: + # -- Maximum amount of memory that the proxy can use + limit: "" + # -- Maximum amount of memory that the proxy requests + request: "" + ephemeral-storage: + # -- Maximum amount of ephemeral storage that the proxy can use + limit: "" + # -- Amount of ephemeral storage that the proxy requests + request: "" + # -- User id under which the proxy runs + uid: 2102 + # -- (int) Optional customisation of the group id under which the proxy runs (the group ID will be omitted if lower than 0) + gid: -1 + + # -- If set the injected proxy sidecars in the data plane will stay alive for + # at least the given period before receiving the SIGTERM signal from + # Kubernetes but no longer than the pod's `terminationGracePeriodSeconds`. + # See [Lifecycle + # hooks](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks) + # for more info on container lifecycle hooks. + waitBeforeExitSeconds: 0 + # -- If set, the application container will not start until the proxy is + # ready + await: true + requireIdentityOnInboundPorts: "" + # -- Default set of opaque ports + # - SMTP (25,587) server-first + # - MYSQL (3306) server-first + # - Galera (4444) server-first + # - PostgreSQL (5432) server-first + # - Redis (6379) server-first + # - ElasticSearch (9300) server-first + # - Memcached (11211) clients do not issue any preamble, which breaks detection + opaquePorts: "25,587,3306,4444,5432,6379,9300,11211" + # -- Grace period for graceful proxy shutdowns. If this timeout elapses before all open connections have completed, the proxy will terminate forcefully, closing any remaining connections. + shutdownGracePeriod: "" + # -- The default allow policy to use when no `Server` selects a pod. One of: "all-authenticated", + # "all-unauthenticated", "cluster-authenticated", "cluster-unauthenticated", "deny", "audit" + # @default -- "all-unauthenticated" + defaultInboundPolicy: "all-unauthenticated" + # -- Enable KEP-753 native sidecars + # This is an experimental feature. It requires Kubernetes >= 1.29. + # If enabled, .proxy.waitBeforeExitSeconds should not be used. + nativeSidecar: false + # -- Native sidecar proxy startup probe parameters. + # -- LivenessProbe timeout and delay configuration + livenessProbe: + initialDelaySeconds: 10 + timeoutSeconds: 1 + # -- ReadinessProbe timeout and delay configuration + readinessProbe: + initialDelaySeconds: 2 + timeoutSeconds: 1 + startupProbe: + initialDelaySeconds: 0 + periodSeconds: 1 + failureThreshold: 120 + # Configures general properties of the proxy's control plane clients. + control: + # Configures limits on API response streams. + streams: + # -- The timeout for the first update from the control plane. + initialTimeout: "3s" + # -- The timeout between consecutive updates from the control plane. + idleTimeout: "5m" + # -- The maximum duration for a response stream (i.e. before it will be + # reinitialized). + lifetime: "1h" + inbound: + server: + http2: + # -- The interval at which PINGs are issued to remote HTTP/2 clients. + keepAliveInterval: "10s" + # -- The timeout within which keep-alive PINGs must be acknowledged on inbound HTTP/2 connections. + keepAliveTimeout: "3s" + outbound: + server: + http2: + # -- The interval at which PINGs are issued to local application HTTP/2 clients. + keepAliveInterval: "10s" + # -- The timeout within which keep-alive PINGs must be acknowledged on outbound HTTP/2 connections. + keepAliveTimeout: "3s" + +# proxy-init configuration +proxyInit: + # -- Variant of iptables that will be used to configure routing. Currently, + # proxy-init can be run either in 'nft' or in 'legacy' mode. The mode will + # control which utility binary will be called. The host must support + # whichever mode will be used + iptablesMode: "legacy" + # -- Default set of inbound ports to skip via iptables + # - Galera (4567,4568) + ignoreInboundPorts: "4567,4568" + # -- Default set of outbound ports to skip via iptables + # - Galera (4567,4568) + ignoreOutboundPorts: "4567,4568" + # -- Default set of ports to skip via iptables for control plane + # components so they can communicate with the Kubernetes API Server + kubeAPIServerPorts: "443,6443" + # -- Comma-separated list of subnets in valid CIDR format that should be skipped by the proxy + skipSubnets: "" + # -- Log level for the proxy-init + # @default -- info + logLevel: "" + # -- Log format (`plain` or `json`) for the proxy-init + # @default -- plain + logFormat: "" + image: + # -- Docker image for the proxy-init container + name: cr.l5d.io/linkerd/proxy-init + # -- Pull policy for the proxy-init container image + # @default -- imagePullPolicy + pullPolicy: "" + # -- Tag for the proxy-init container image + version: v2.4.1 + closeWaitTimeoutSecs: 0 + # -- Privileged mode allows the container processes to inherit all security + # capabilities and bypass any security limitations enforced by the kubelet. + # When used with 'runAsRoot: true', the container will behave exactly as if + # it was running as root on the host. May escape cgroup limits and see other + # processes and devices on the host. + # @default -- false + privileged: false + # -- Allow overriding the runAsNonRoot behaviour () + runAsRoot: false + # -- This value is used only if runAsRoot is false; otherwise runAsUser will be 0 + runAsUser: 65534 + # -- This value is used only if runAsRoot is false; otherwise runAsGroup will be 0 + runAsGroup: 65534 + xtMountPath: + mountPath: /run + name: linkerd-proxy-init-xtables-lock + +# network validator configuration +# This runs on a host that uses iptables to reroute network traffic. The validator +# ensures that iptables is correctly routing requests before we start linkerd. +networkValidator: + # -- Log level for the network-validator + # @default -- debug + logLevel: debug + # -- Log format (`plain` or `json`) for network-validator + # @default -- plain + logFormat: plain + # -- Address to which the network-validator will attempt to connect. This should be an IP + # that the cluster is expected to be able to reach but a port it should not, e.g., a public IP + # for public clusters and a private IP for air-gapped clusters with a port like 20001. + # If empty, defaults to 1.1.1.1:20001 and [fd00::1]:20001 for IPv4 and IPv6 respectively. + connectAddr: "" + # -- Address to which network-validator listens to requests from itself. + # If empty, defaults to 0.0.0.0:4140 and [::]:4140 for IPv4 and IPv6 respectively. + listenAddr: "" + # -- Timeout before network-validator fails to validate the pod's network connectivity + timeout: "10s" + # -- Include a securityContext in the network-validator pod spec + enableSecurityContext: true + +# -- For Private docker registries, authentication is needed. +# Registry secrets are applied to the respective service accounts +imagePullSecrets: [] +# - name: my-private-docker-registry-login-secret + +# -- Allow proxies to perform transparent HTTP/2 upgrading +enableH2Upgrade: true + +# -- Add a PSP resource and bind it to the control plane ServiceAccounts. Note +# PSP has been deprecated since k8s v1.21 +enablePSP: false + +# -- Failure policy for the proxy injector +webhookFailurePolicy: Ignore + +# controllerImage -- Docker image for the destination and identity components +controllerImage: cr.l5d.io/linkerd/controller +# -- Optionally allow a specific container image Tag (or SHA) to be specified for the controllerImage. +controllerImageVersion: "" + +# -- Number of replicas for each control plane pod +controllerReplicas: 1 +# -- User ID for the control plane components +controllerUID: 2103 +# -- (int) Optional customisation of the group ID for the control plane components (the group ID will be omitted if lower than 0) +controllerGID: -1 + +# destination configuration +# set resources for the sp-validator and its linkerd proxy respectively +# see proxy.resources for details. +# destinationResources -- CPU, Memory and Ephemeral Storage resources required by destination (see `proxy.resources` for sub-fields) +#destinationResources: +# destinationProxyResources -- CPU, Memory and Ephemeral Storage resources required by proxy injected into destination pod (see `proxy.resources` for sub-fields) +#destinationProxyResources: + +destinationController: + meshedHttp2ClientProtobuf: + keep_alive: + interval: + seconds: 10 + timeout: + seconds: 3 + while_idle: true + +# debug configuration +debugContainer: + image: + # -- Docker image for the debug container + name: cr.l5d.io/linkerd/debug + # -- Pull policy for the debug container image + # @default -- imagePullPolicy + pullPolicy: "" + # -- Tag for the debug container image + # @default -- linkerdVersion + version: "" + +identity: + # -- If the linkerd-identity-trust-roots ConfigMap has already been created + externalCA: false + + # -- Use [Service Account token Volume projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) for pod validation instead of the default token + serviceAccountTokenProjection: true + + issuer: + scheme: linkerd.io/tls + + # -- Amount of time to allow for clock skew within a Linkerd cluster + clockSkewAllowance: 20s + + # -- Amount of time for which the Identity issuer should certify identity + issuanceLifetime: 24h0m0s + + # -- Which scheme is used for the identity issuer secret format + tls: + # -- Issuer certificate (ECDSA). It must be provided during install. + crtPEM: | + + # -- Key for the issuer certificate (ECDSA). It must be provided during + # install + keyPEM: | + + kubeAPI: *kubeapi + +# -|- CPU, Memory and Ephemeral Storage resources required by the identity controller (see `proxy.resources` for sub-fields) +#identityResources: +# -|- CPU, Memory and Ephemeral Storage resources required by proxy injected into identity pod (see `proxy.resources` for sub-fields) +#identityProxyResources: + +# heartbeat configuration +# disableHeartBeat -- Set to true to not start the heartbeat cronjob +disableHeartBeat: false +# -- Config for the heartbeat cronjob +# heartbeatSchedule: "0 0 * * *" + +# proxy injector configuration +proxyInjector: + # -- Timeout in seconds before the API Server cancels a request to the proxy + # injector. If timeout is exceeded, the webhookfailurePolicy is used. + timeoutSeconds: 10 + # -- Do not create a secret resource for the proxyInjector webhook. + # If this is set to `true`, the value `proxyInjector.caBundle` must be set + # or the ca bundle must injected with cert-manager ca injector using + # `proxyInjector.injectCaFrom` or `proxyInjector.injectCaFromSecret` (see below). + externalSecret: false + + # -- Namespace selector used by admission webhook. + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled + - key: kubernetes.io/metadata.name + operator: NotIn + values: + - kube-system + - cert-manager + + # -- Object selector used by admission webhook. + objectSelector: + matchExpressions: + - key: linkerd.io/control-plane-component + operator: DoesNotExist + - key: linkerd.io/cni-resource + operator: DoesNotExist + + # -- Certificate for the proxy injector. If not provided and not using an external secret + # then Helm will generate one. + crtPEM: | + + # -- Certificate key for the proxy injector. If not provided and not using an external secret + # then Helm will generate one. + keyPEM: | + + # -- Bundle of CA certificates for proxy injector. + # If not provided nor injected with cert-manager, + # then Helm will use the certificate generated for `proxyInjector.crtPEM`. + # If `proxyInjector.externalSecret` is set to true, this value, injectCaFrom, or + # injectCaFromSecret must be set, as no certificate will be generated. + # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information. + caBundle: | + + # -- Inject the CA bundle from a cert-manager Certificate. + # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource) + # for more information. + injectCaFrom: "" + + # -- Inject the CA bundle from a Secret. + # If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. + # The Secret must have the CA Bundle stored in the `ca.crt` key and have + # the `cert-manager.io/allow-direct-injection` annotation set to `true`. + # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) + # for more information. + injectCaFromSecret: "" + +# -|- CPU, Memory and Ephemeral Storage resources required by the proxy injector (see +#`proxy.resources` for sub-fields) +#proxyInjectorResources: +#-|- CPU, Memory and Ephemeral Storage resources required by proxy injected into the proxy injector +#pod (see `proxy.resources` for sub-fields) +#proxyInjectorProxyResources: + +# service profile validator configuration +profileValidator: + # -- Do not create a secret resource for the profileValidator webhook. + # If this is set to `true`, the value `proxyInjector.caBundle` must be set + # or the ca bundle must injected with cert-manager ca injector using + # `proxyInjector.injectCaFrom` or `proxyInjector.injectCaFromSecret` (see below). + externalSecret: false + + # -- Namespace selector used by admission webhook + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled + + # -- Certificate for the service profile validator. If not provided and not using an external secret + # then Helm will generate one. + crtPEM: | + + # -- Certificate key for the service profile validator. If not provided and not using an external secret + # then Helm will generate one. + keyPEM: | + + # -- Bundle of CA certificates for proxy injector. + # If not provided nor injected with cert-manager, + # then Helm will use the certificate generated for `profileValidator.crtPEM`. + # If `profileValidator.externalSecret` is set to true, this value, injectCaFrom, or + # injectCaFromSecret must be set, as no certificate will be generated. + # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information. + caBundle: | + + # -- Inject the CA bundle from a cert-manager Certificate. + # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource) + # for more information. + injectCaFrom: "" + + # -- Inject the CA bundle from a Secret. + # If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. + # The Secret must have the CA Bundle stored in the `ca.crt` key and have + # the `cert-manager.io/allow-direct-injection` annotation set to `true`. + # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) + # for more information. + injectCaFromSecret: "" + +# policy validator configuration +policyValidator: + # -- Do not create a secret resource for the policyValidator webhook. + # If this is set to `true`, the value `policyValidator.caBundle` must be set + # or the ca bundle must injected with cert-manager ca injector using + # `policyValidator.injectCaFrom` or `policyValidator.injectCaFromSecret` (see below). + externalSecret: false + + # -- Namespace selector used by admission webhook + namespaceSelector: + matchExpressions: + - key: config.linkerd.io/admission-webhooks + operator: NotIn + values: + - disabled + + # -- Certificate for the policy validator. If not provided and not using an external secret + # then Helm will generate one. + crtPEM: | + + # -- Certificate key for the policy validator. If not provided and not using an external secret + # then Helm will generate one. + keyPEM: | + + # -- Bundle of CA certificates for proxy injector. + # If not provided nor injected with cert-manager, + # then Helm will use the certificate generated for `policyValidator.crtPEM`. + # If `policyValidator.externalSecret` is set to true, this value, injectCaFrom, or + # injectCaFromSecret must be set, as no certificate will be generated. + # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector) for more information. + caBundle: | + + # -- Inject the CA bundle from a cert-manager Certificate. + # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-certificate-resource) + # for more information. + injectCaFrom: "" + + # -- Inject the CA bundle from a Secret. + # If set, the `cert-manager.io/inject-ca-from-secret` annotation will be added to the webhook. + # The Secret must have the CA Bundle stored in the `ca.crt` key and have + # the `cert-manager.io/allow-direct-injection` annotation set to `true`. + # See the cert-manager [CA Injector Docs](https://cert-manager.io/docs/concepts/ca-injector/#injecting-ca-data-from-a-secret-resource) + # for more information. + injectCaFromSecret: "" + +# -- NodeSelector section, See the [K8S +# documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector) +# for more information +nodeSelector: + kubernetes.io/os: linux + +# -|- CPU, Memory and Ephemeral Storage resources required by the SP validator (see +#`proxy.resources` for sub-fields) +#spValidatorResources: + +# -|- Tolerations section, See the +# [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) +# for more information +#tolerations: + +# -|- NodeAffinity section, See the +# [K8S documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity) +# for more information +#nodeAffinity: + +# -- url of external prometheus instance (used for the heartbeat) +prometheusUrl: "" + +# Prometheus Operator PodMonitor configuration +podMonitor: + # -- Enables the creation of Prometheus Operator [PodMonitor](https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PodMonitor) + enabled: false + # -- Interval at which metrics should be scraped + scrapeInterval: 10s + # -- Iimeout after which the scrape is ended + scrapeTimeout: 10s + # -- Labels to apply to all pod Monitors + labels: {} + controller: + # -- Enables the creation of PodMonitor for the control-plane + enabled: true + # -- Selector to select which namespaces the Endpoints objects are discovered from + namespaceSelector: | + matchNames: + - {{ .Release.Namespace }} + - linkerd-viz + - linkerd-jaeger + serviceMirror: + # -- Enables the creation of PodMonitor for the Service Mirror component + enabled: true + proxy: + # -- Enables the creation of PodMonitor for the data-plane + enabled: true diff --git a/charts/linkerd/linkerd-crds/2024.8.3/.helmignore b/charts/linkerd/linkerd-crds/2024.8.3/.helmignore new file mode 100644 index 000000000..79c90a806 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +OWNERS +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/linkerd/linkerd-crds/2024.8.3/Chart.lock b/charts/linkerd/linkerd-crds/2024.8.3/Chart.lock new file mode 100644 index 000000000..a62a03063 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: partials + repository: file://../partials + version: 0.1.0 +digest: sha256:8e42f9c9d4a2dc883f17f94d6044c97518ced19ad0922f47b8760e47135369ba +generated: "2021-08-17T10:42:52.610449255-05:00" diff --git a/charts/linkerd/linkerd-crds/2024.8.3/Chart.yaml b/charts/linkerd/linkerd-crds/2024.8.3/Chart.yaml new file mode 100644 index 000000000..e2eb3441c --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/Chart.yaml @@ -0,0 +1,26 @@ +annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Linkerd CRDs + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: linkerd-crds +apiVersion: v2 +dependencies: +- name: partials + repository: file://./charts/partials + version: 0.1.0 +description: 'Linkerd gives you observability, reliability, and security for your + microservices — with no code change required. ' +home: https://linkerd.io +icon: file://assets/icons/linkerd-crds.png +keywords: +- service-mesh +kubeVersion: '>=1.22.0-0' +maintainers: +- email: cncf-linkerd-dev@lists.cncf.io + name: Linkerd authors + url: https://linkerd.io/ +name: linkerd-crds +sources: +- https://github.com/linkerd/linkerd2/ +type: application +version: 2024.8.3 diff --git a/charts/linkerd/linkerd-crds/2024.8.3/README.md b/charts/linkerd/linkerd-crds/2024.8.3/README.md new file mode 100644 index 000000000..616f763e3 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/README.md @@ -0,0 +1,71 @@ +# linkerd-crds + +Linkerd gives you observability, reliability, and security +for your microservices — with no code change required. + +![Version: 2024.8.3](https://img.shields.io/badge/Version-2024.8.3-informational?style=flat-square) +![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) + +**Homepage:** + +## Quickstart and documentation + +You can run Linkerd on any Kubernetes cluster in a matter of seconds. See the +[Linkerd Getting Started Guide][getting-started] for how. + +For more comprehensive documentation, start with the [Linkerd +docs][linkerd-docs]. + +## Adding Linkerd's Helm repository + +```bash +# To add the repo for Linkerd edge releases: +helm repo add linkerd https://helm.linkerd.io/edge +``` + +## Installing the linkerd-crds chart + +This installs the `linkerd-crds` chart, which only persists the CRDs that +Linkerd requires. + +After installing this chart, you need then to install the +`linkerd-control-plane` chart in the same namespace, which provides all the +linkerd core control components. + +```bash +helm install linkerd-crds -n linkerd --create-namespace linkerd/linkerd-crds +``` + +## Get involved + +* Check out Linkerd's source code at [GitHub][linkerd2]. +* Join Linkerd's [user mailing list][linkerd-users], [developer mailing + list][linkerd-dev], and [announcements mailing list][linkerd-announce]. +* Follow [@linkerd][twitter] on Twitter. +* Join the [Linkerd Slack][slack]. + +[getting-started]: https://linkerd.io/2/getting-started/ +[linkerd2]: https://github.com/linkerd/linkerd2 +[linkerd-announce]: https://lists.cncf.io/g/cncf-linkerd-announce +[linkerd-dev]: https://lists.cncf.io/g/cncf-linkerd-dev +[linkerd-docs]: https://linkerd.io/2/overview/ +[linkerd-users]: https://lists.cncf.io/g/cncf-linkerd-users +[slack]: http://slack.linkerd.io +[twitter]: https://twitter.com/linkerd + +## Requirements + +Kubernetes: `>=1.22.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| file://../partials | partials | 0.1.0 | + +## Values + +| Key | Type | Default | Description | +|-----|------|---------|-------------| +| enableHttpRoutes | bool | `true` | | + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/linkerd/linkerd-crds/2024.8.3/README.md.gotmpl b/charts/linkerd/linkerd-crds/2024.8.3/README.md.gotmpl new file mode 100644 index 000000000..88be73954 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/README.md.gotmpl @@ -0,0 +1,59 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }} +{{ template "chart.typeBadge" . }} +{{ template "chart.appVersionBadge" . }} + +{{ template "chart.homepageLine" . }} + +## Quickstart and documentation + +You can run Linkerd on any Kubernetes cluster in a matter of seconds. See the +[Linkerd Getting Started Guide][getting-started] for how. + +For more comprehensive documentation, start with the [Linkerd +docs][linkerd-docs]. + +## Adding Linkerd's Helm repository + +```bash +# To add the repo for Linkerd edge releases: +helm repo add linkerd https://helm.linkerd.io/edge +``` + +## Installing the linkerd-crds chart + +This installs the `linkerd-crds` chart, which only persists the CRDs that +Linkerd requires. + +After installing this chart, you need then to install the +`linkerd-control-plane` chart in the same namespace, which provides all the +linkerd core control components. + +```bash +helm install linkerd-crds -n linkerd --create-namespace linkerd/linkerd-crds +``` + +## Get involved + +* Check out Linkerd's source code at [GitHub][linkerd2]. +* Join Linkerd's [user mailing list][linkerd-users], [developer mailing + list][linkerd-dev], and [announcements mailing list][linkerd-announce]. +* Follow [@linkerd][twitter] on Twitter. +* Join the [Linkerd Slack][slack]. + +[getting-started]: https://linkerd.io/2/getting-started/ +[linkerd2]: https://github.com/linkerd/linkerd2 +[linkerd-announce]: https://lists.cncf.io/g/cncf-linkerd-announce +[linkerd-dev]: https://lists.cncf.io/g/cncf-linkerd-dev +[linkerd-docs]: https://linkerd.io/2/overview/ +[linkerd-users]: https://lists.cncf.io/g/cncf-linkerd-users +[slack]: http://slack.linkerd.io +[twitter]: https://twitter.com/linkerd + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/linkerd/linkerd-crds/2024.8.3/app-readme.md b/charts/linkerd/linkerd-crds/2024.8.3/app-readme.md new file mode 100644 index 000000000..59010a6b2 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/app-readme.md @@ -0,0 +1,9 @@ +# Linkerd 2 CRDs Chart + +Linkerd is an ultra light, ultra simple, ultra powerful service mesh. Linkerd +adds security, observability, and reliability to Kubernetes, without the +complexity. + +This particular Helm chart only installs Linkerd CRDs. + +Full documentation available at: https://linkerd.io/2/overview/ diff --git a/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/.helmignore b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/.helmignore new file mode 100644 index 000000000..f0c131944 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/.helmignore @@ -0,0 +1,21 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj diff --git a/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/Chart.yaml b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/Chart.yaml new file mode 100644 index 000000000..23cfc167e --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +description: 'A Helm chart containing Linkerd partial templates, depended by the ''linkerd'' + and ''patch'' charts. ' +name: partials +version: 0.1.0 diff --git a/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/README.md b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/README.md new file mode 100644 index 000000000..10805c9b9 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/README.md @@ -0,0 +1,9 @@ +# partials + +A Helm chart containing Linkerd partial templates, +depended by the 'linkerd' and 'patch' charts. + +![Version: 0.1.0](https://img.shields.io/badge/Version-0.1.0-informational?style=flat-square) + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.12.0](https://github.com/norwoodj/helm-docs/releases/v1.12.0) diff --git a/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/README.md.gotmpl b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/README.md.gotmpl new file mode 100644 index 000000000..37f510106 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/README.md.gotmpl @@ -0,0 +1,14 @@ +{{ template "chart.header" . }} +{{ template "chart.description" . }} + +{{ template "chart.versionBadge" . }} +{{ template "chart.typeBadge" . }} +{{ template "chart.appVersionBadge" . }} + +{{ template "chart.homepageLine" . }} + +{{ template "chart.requirementsSection" . }} + +{{ template "chart.valuesSection" . }} + +{{ template "helm-docs.versionFooter" . }} diff --git a/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/NOTES.txt b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/NOTES.txt new file mode 100644 index 000000000..e69de29bb diff --git a/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_affinity.tpl b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_affinity.tpl new file mode 100644 index 000000000..5dde1da47 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_affinity.tpl @@ -0,0 +1,38 @@ +{{ define "linkerd.pod-affinity" -}} +podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: {{ default "linkerd.io/control-plane-component" .label }} + operator: In + values: + - {{ .component }} + topologyKey: topology.kubernetes.io/zone + weight: 100 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: {{ default "linkerd.io/control-plane-component" .label }} + operator: In + values: + - {{ .component }} + topologyKey: kubernetes.io/hostname +{{- end }} + +{{ define "linkerd.node-affinity" -}} +nodeAffinity: +{{- toYaml .Values.nodeAffinity | trim | nindent 2 }} +{{- end }} + +{{ define "linkerd.affinity" -}} +{{- if or .Values.enablePodAntiAffinity .Values.nodeAffinity -}} +affinity: +{{- end }} +{{- if .Values.enablePodAntiAffinity -}} +{{- include "linkerd.pod-affinity" . | nindent 2 }} +{{- end }} +{{- if .Values.nodeAffinity -}} +{{- include "linkerd.node-affinity" . | nindent 2 }} +{{- end }} +{{- end }} diff --git a/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_capabilities.tpl b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_capabilities.tpl new file mode 100644 index 000000000..a595d74c1 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_capabilities.tpl @@ -0,0 +1,16 @@ +{{- define "partials.proxy.capabilities" -}} +capabilities: + {{- if .Values.proxy.capabilities.add }} + add: + {{- toYaml .Values.proxy.capabilities.add | trim | nindent 4 }} + {{- end }} + {{- if .Values.proxy.capabilities.drop }} + drop: + {{- toYaml .Values.proxy.capabilities.drop | trim | nindent 4 }} + {{- end }} +{{- end -}} + +{{- define "partials.proxy-init.capabilities.drop" -}} +drop: +{{ toYaml .Values.proxyInit.capabilities.drop | trim }} +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_debug.tpl b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_debug.tpl new file mode 100644 index 000000000..4df8cc77b --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_debug.tpl @@ -0,0 +1,15 @@ +{{- define "partials.debug" -}} +image: {{.Values.debugContainer.image.name}}:{{.Values.debugContainer.image.version | default .Values.linkerdVersion}} +imagePullPolicy: {{.Values.debugContainer.image.pullPolicy | default .Values.imagePullPolicy}} +name: linkerd-debug +terminationMessagePolicy: FallbackToLogsOnError +# some environments require probes, so we provide some infallible ones +livenessProbe: + exec: + command: + - "true" +readinessProbe: + exec: + command: + - "true" +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_helpers.tpl b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_helpers.tpl new file mode 100644 index 000000000..b6cdc34d0 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_helpers.tpl @@ -0,0 +1,14 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Splits a coma separated list into a list of string values. +For example "11,22,55,44" will become "11","22","55","44" +*/}} +{{- define "partials.splitStringList" -}} +{{- if gt (len (toString .)) 0 -}} +{{- $ports := toString . | splitList "," -}} +{{- $last := sub (len $ports) 1 -}} +{{- range $i,$port := $ports -}} +"{{$port}}"{{ternary "," "" (ne $i $last)}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_metadata.tpl b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_metadata.tpl new file mode 100644 index 000000000..04d2f1bea --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_metadata.tpl @@ -0,0 +1,17 @@ +{{- define "partials.annotations.created-by" -}} +linkerd.io/created-by: {{ .Values.cliVersion | default (printf "linkerd/helm %s" ( (.Values.image).version | default .Values.linkerdVersion)) }} +{{- end -}} + +{{- define "partials.proxy.annotations" -}} +linkerd.io/proxy-version: {{.Values.proxy.image.version | default .Values.linkerdVersion}} +cluster-autoscaler.kubernetes.io/safe-to-evict: "true" +linkerd.io/trust-root-sha256: {{ .Values.identityTrustAnchorsPEM | sha256sum }} +{{- end -}} + +{{/* +To add labels to the control-plane components, instead update at individual component manifests as +adding here would also update `spec.selector.matchLabels` which are immutable and would fail upgrades. +*/}} +{{- define "partials.proxy.labels" -}} +linkerd.io/proxy-{{.workloadKind}}: {{.component}} +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_network-validator.tpl b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_network-validator.tpl new file mode 100644 index 000000000..276056395 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_network-validator.tpl @@ -0,0 +1,45 @@ +{{- define "partials.network-validator" -}} +name: linkerd-network-validator +image: {{.Values.proxy.image.name}}:{{.Values.proxy.image.version | default .Values.linkerdVersion }} +imagePullPolicy: {{.Values.proxy.image.pullPolicy | default .Values.imagePullPolicy}} +{{ include "partials.resources" .Values.proxy.resources }} +{{- if or .Values.networkValidator.enableSecurityContext }} +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + runAsGroup: 65534 + runAsNonRoot: true + runAsUser: 65534 + seccompProfile: + type: RuntimeDefault +{{- end }} +command: + - /usr/lib/linkerd/linkerd2-network-validator +args: + - --log-format + - {{ .Values.networkValidator.logFormat }} + - --log-level + - {{ .Values.networkValidator.logLevel }} + - --connect-addr + {{- if .Values.networkValidator.connectAddr }} + - {{ .Values.networkValidator.connectAddr | quote }} + {{- else if .Values.disableIPv6}} + - "1.1.1.1:20001" + {{- else }} + - "[fd00::1]:20001" + {{- end }} + - --listen-addr + {{- if .Values.networkValidator.listenAddr }} + - {{ .Values.networkValidator.listenAddr | quote }} + {{- else if .Values.disableIPv6}} + - "0.0.0.0:4140" + {{- else }} + - "[::]:4140" + {{- end }} + - --timeout + - {{ .Values.networkValidator.timeout }} + +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_nodeselector.tpl b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_nodeselector.tpl new file mode 100644 index 000000000..4cde0ab16 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_nodeselector.tpl @@ -0,0 +1,4 @@ +{{- define "linkerd.node-selector" -}} +nodeSelector: +{{- toYaml .Values.nodeSelector | trim | nindent 2 }} +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_proxy-config-ann.tpl b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_proxy-config-ann.tpl new file mode 100644 index 000000000..9651b3bd1 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_proxy-config-ann.tpl @@ -0,0 +1,18 @@ +{{- define "partials.proxy.config.annotations" -}} +{{- with .cpu }} +{{- with .request -}} +config.linkerd.io/proxy-cpu-request: {{. | quote}} +{{end}} +{{- with .limit -}} +config.linkerd.io/proxy-cpu-limit: {{. | quote}} +{{- end}} +{{- end}} +{{- with .memory }} +{{- with .request }} +config.linkerd.io/proxy-memory-request: {{. | quote}} +{{end}} +{{- with .limit -}} +config.linkerd.io/proxy-memory-limit: {{. | quote}} +{{- end}} +{{- end }} +{{- end }} diff --git a/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_proxy-init.tpl b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_proxy-init.tpl new file mode 100644 index 000000000..a307b1407 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_proxy-init.tpl @@ -0,0 +1,98 @@ +{{- define "partials.proxy-init" -}} +args: +{{- if (.Values.proxyInit.iptablesMode | default "legacy" | eq "nft") }} +- --firewall-bin-path +- "iptables-nft" +- --firewall-save-bin-path +- "iptables-nft-save" +{{- else if not (eq .Values.proxyInit.iptablesMode "legacy") }} +{{ fail (printf "Unsupported value \"%s\" for proxyInit.iptablesMode\nValid values: [\"nft\", \"legacy\"]" .Values.proxyInit.iptablesMode) }} +{{end -}} +{{- if .Values.disableIPv6 }} +- --ipv6=false +{{- end }} +- --incoming-proxy-port +- {{.Values.proxy.ports.inbound | quote}} +- --outgoing-proxy-port +- {{.Values.proxy.ports.outbound | quote}} +- --proxy-uid +- {{.Values.proxy.uid | quote}} +{{- if ge (int .Values.proxy.gid) 0 }} +- --proxy-gid +- {{.Values.proxy.gid | quote}} +{{- end }} +- --inbound-ports-to-ignore +- "{{.Values.proxy.ports.control}},{{.Values.proxy.ports.admin}}{{ternary (printf ",%s" (.Values.proxyInit.ignoreInboundPorts | toString)) "" (not (empty .Values.proxyInit.ignoreInboundPorts)) }}" +{{- if .Values.proxyInit.ignoreOutboundPorts }} +- --outbound-ports-to-ignore +- {{.Values.proxyInit.ignoreOutboundPorts | quote}} +{{- end }} +{{- if .Values.proxyInit.closeWaitTimeoutSecs }} +- --timeout-close-wait-secs +- {{ .Values.proxyInit.closeWaitTimeoutSecs | quote}} +{{- end }} +{{- if .Values.proxyInit.logFormat }} +- --log-format +- {{ .Values.proxyInit.logFormat }} +{{- end }} +{{- if .Values.proxyInit.logLevel }} +- --log-level +- {{ .Values.proxyInit.logLevel }} +{{- end }} +{{- if .Values.proxyInit.skipSubnets }} +- --subnets-to-ignore +- {{ .Values.proxyInit.skipSubnets | quote }} +{{- end }} +image: {{.Values.proxyInit.image.name}}:{{.Values.proxyInit.image.version}} +imagePullPolicy: {{.Values.proxyInit.image.pullPolicy | default .Values.imagePullPolicy}} +name: linkerd-init +{{ include "partials.resources" .Values.proxy.resources }} +securityContext: + {{- if or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.privileged }} + allowPrivilegeEscalation: true + {{- else }} + allowPrivilegeEscalation: false + {{- end }} + capabilities: + add: + - NET_ADMIN + - NET_RAW + {{- if .Values.proxyInit.capabilities -}} + {{- if .Values.proxyInit.capabilities.add }} + {{- toYaml .Values.proxyInit.capabilities.add | trim | nindent 4 }} + {{- end }} + {{- if .Values.proxyInit.capabilities.drop -}} + {{- include "partials.proxy-init.capabilities.drop" . | nindent 4 -}} + {{- end }} + {{- end }} + {{- if or .Values.proxyInit.closeWaitTimeoutSecs .Values.proxyInit.privileged }} + privileged: true + {{- else }} + privileged: false + {{- end }} + {{- if .Values.proxyInit.runAsRoot }} + runAsGroup: 0 + runAsNonRoot: false + runAsUser: 0 + {{- else }} + runAsNonRoot: true + runAsUser: {{ .Values.proxyInit.runAsUser | int | eq 0 | ternary 65534 .Values.proxyInit.runAsUser }} + runAsGroup: {{ .Values.proxyInit.runAsGroup | int | eq 0 | ternary 65534 .Values.proxyInit.runAsGroup }} + {{- end }} + readOnlyRootFilesystem: true + seccompProfile: + type: RuntimeDefault +terminationMessagePolicy: FallbackToLogsOnError +{{- if or (not .Values.cniEnabled) .Values.proxyInit.saMountPath }} +volumeMounts: +{{- end -}} +{{- if not .Values.cniEnabled }} +- mountPath: {{.Values.proxyInit.xtMountPath.mountPath}} + name: {{.Values.proxyInit.xtMountPath.name}} +{{- end -}} +{{- if .Values.proxyInit.saMountPath }} +- mountPath: {{.Values.proxyInit.saMountPath.mountPath}} + name: {{.Values.proxyInit.saMountPath.name}} + readOnly: {{.Values.proxyInit.saMountPath.readOnly}} +{{- end -}} +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_proxy.tpl b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_proxy.tpl new file mode 100644 index 000000000..7880b394c --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_proxy.tpl @@ -0,0 +1,267 @@ +{{ define "partials.proxy" -}} +{{ if and .Values.proxy.nativeSidecar .Values.proxy.waitBeforeExitSeconds }} +{{ fail "proxy.nativeSidecar and waitBeforeExitSeconds cannot be used simultaneously" }} +{{- end }} +{{- if not (has .Values.proxy.logHTTPHeaders (list "insecure" "off" "")) }} +{{- fail "logHTTPHeaders must be one of: insecure | off" }} +{{- end }} +{{- $trustDomain := (.Values.identityTrustDomain | default .Values.clusterDomain) -}} +env: +- name: _pod_name + valueFrom: + fieldRef: + fieldPath: metadata.name +- name: _pod_ns + valueFrom: + fieldRef: + fieldPath: metadata.namespace +- name: _pod_nodeName + valueFrom: + fieldRef: + fieldPath: spec.nodeName +{{- if .Values.proxy.cores }} +- name: LINKERD2_PROXY_CORES + value: {{.Values.proxy.cores | quote}} +{{- end }} +{{ if .Values.proxy.requireIdentityOnInboundPorts -}} +- name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_IDENTITY + value: {{.Values.proxy.requireIdentityOnInboundPorts | quote}} +{{ end -}} +{{ if .Values.proxy.requireTLSOnInboundPorts -}} +- name: LINKERD2_PROXY_INBOUND_PORTS_REQUIRE_TLS + value: {{.Values.proxy.requireTLSOnInboundPorts | quote}} +{{ end -}} +- name: LINKERD2_PROXY_SHUTDOWN_ENDPOINT_ENABLED + value: {{.Values.proxy.enableShutdownEndpoint | quote}} +- name: LINKERD2_PROXY_LOG + value: "{{.Values.proxy.logLevel}}{{ if not (eq .Values.proxy.logHTTPHeaders "insecure") }},[{headers}]=off,[{request}]=off{{ end }}" +- name: LINKERD2_PROXY_LOG_FORMAT + value: {{.Values.proxy.logFormat | quote}} +- name: LINKERD2_PROXY_DESTINATION_SVC_ADDR + value: {{ternary "localhost.:8086" (printf "linkerd-dst-headless.%s.svc.%s.:8086" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-destination")}} +- name: LINKERD2_PROXY_DESTINATION_PROFILE_NETWORKS + value: {{.Values.clusterNetworks | quote}} +- name: LINKERD2_PROXY_POLICY_SVC_ADDR + value: {{ternary "localhost.:8090" (printf "linkerd-policy.%s.svc.%s.:8090" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-destination")}} +- name: LINKERD2_PROXY_POLICY_WORKLOAD + value: | + {"ns":"$(_pod_ns)", "pod":"$(_pod_name)"} +- name: LINKERD2_PROXY_INBOUND_DEFAULT_POLICY + value: {{.Values.proxy.defaultInboundPolicy}} +- name: LINKERD2_PROXY_POLICY_CLUSTER_NETWORKS + value: {{.Values.clusterNetworks | quote}} +- name: LINKERD2_PROXY_CONTROL_STREAM_INITIAL_TIMEOUT + value: {{((.Values.proxy.control).streams).initialTimeout | default "" | quote}} +- name: LINKERD2_PROXY_CONTROL_STREAM_IDLE_TIMEOUT + value: {{((.Values.proxy.control).streams).idleTimeout | default "" | quote}} +- name: LINKERD2_PROXY_CONTROL_STREAM_LIFETIME + value: {{((.Values.proxy.control).streams).lifetime | default "" | quote}} +{{ if .Values.proxy.inboundConnectTimeout -}} +- name: LINKERD2_PROXY_INBOUND_CONNECT_TIMEOUT + value: {{.Values.proxy.inboundConnectTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.outboundConnectTimeout -}} +- name: LINKERD2_PROXY_OUTBOUND_CONNECT_TIMEOUT + value: {{.Values.proxy.outboundConnectTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.outboundDiscoveryCacheUnusedTimeout -}} +- name: LINKERD2_PROXY_OUTBOUND_DISCOVERY_IDLE_TIMEOUT + value: {{.Values.proxy.outboundDiscoveryCacheUnusedTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.inboundDiscoveryCacheUnusedTimeout -}} +- name: LINKERD2_PROXY_INBOUND_DISCOVERY_IDLE_TIMEOUT + value: {{.Values.proxy.inboundDiscoveryCacheUnusedTimeout | quote}} +{{ end -}} +{{ if .Values.proxy.disableOutboundProtocolDetectTimeout -}} +- name: LINKERD2_PROXY_OUTBOUND_DETECT_TIMEOUT + value: "365d" +{{ end -}} +{{ if .Values.proxy.disableInboundProtocolDetectTimeout -}} +- name: LINKERD2_PROXY_INBOUND_DETECT_TIMEOUT + value: "365d" +{{ end -}} +- name: LINKERD2_PROXY_CONTROL_LISTEN_ADDR + value: "{{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:{{.Values.proxy.ports.control}}" +- name: LINKERD2_PROXY_ADMIN_LISTEN_ADDR + value: "{{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:{{.Values.proxy.ports.admin}}" +{{- /* Deprecated, superseded by LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS since proxy's v2.228.0 (deployed since edge-24.4.5) */}} +- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDR + value: "127.0.0.1:{{.Values.proxy.ports.outbound}}" +- name: LINKERD2_PROXY_OUTBOUND_LISTEN_ADDRS + value: "127.0.0.1:{{.Values.proxy.ports.outbound}}{{ if not .Values.disableIPv6}},[::1]:{{.Values.proxy.ports.outbound}}{{ end }}" +- name: LINKERD2_PROXY_INBOUND_LISTEN_ADDR + value: "{{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:{{.Values.proxy.ports.inbound}}" +- name: LINKERD2_PROXY_INBOUND_IPS + valueFrom: + fieldRef: + fieldPath: status.podIPs +- name: LINKERD2_PROXY_INBOUND_PORTS + value: {{ .Values.proxy.podInboundPorts | quote }} +{{ if .Values.proxy.isGateway -}} +- name: LINKERD2_PROXY_INBOUND_GATEWAY_SUFFIXES + value: {{printf "svc.%s." .Values.clusterDomain}} +{{ end -}} +{{ if .Values.proxy.isIngress -}} +- name: LINKERD2_PROXY_INGRESS_MODE + value: "true" +{{ end -}} +- name: LINKERD2_PROXY_DESTINATION_PROFILE_SUFFIXES + {{- $internalDomain := printf "svc.%s." .Values.clusterDomain }} + value: {{ternary "." $internalDomain .Values.proxy.enableExternalProfiles}} +- name: LINKERD2_PROXY_INBOUND_ACCEPT_KEEPALIVE + value: 10000ms +- name: LINKERD2_PROXY_OUTBOUND_CONNECT_KEEPALIVE + value: 10000ms +{{- /* Configure inbound and outbound parameters, e.g. for HTTP/2 servers. */}} +{{ range $proxyK, $proxyV := (dict "inbound" .Values.proxy.inbound "outbound" .Values.proxy.outbound) -}} +{{ range $scopeK, $scopeV := $proxyV -}} +{{ range $protoK, $protoV := $scopeV -}} +{{ range $paramK, $paramV := $protoV -}} +- name: LINKERD2_PROXY_{{snakecase $proxyK | upper}}_{{snakecase $scopeK | upper}}_{{snakecase $protoK | upper}}_{{snakecase $paramK | upper}} + value: {{ quote $paramV }} +{{ end -}} +{{ end -}} +{{ end -}} +{{ end -}} +{{ if .Values.proxy.opaquePorts -}} +- name: LINKERD2_PROXY_INBOUND_PORTS_DISABLE_PROTOCOL_DETECTION + value: {{.Values.proxy.opaquePorts | quote}} +{{ end -}} +- name: LINKERD2_PROXY_DESTINATION_CONTEXT + value: | + {"ns":"$(_pod_ns)", "nodeName":"$(_pod_nodeName)", "pod":"$(_pod_name)"} +- name: _pod_sa + valueFrom: + fieldRef: + fieldPath: spec.serviceAccountName +- name: _l5d_ns + value: {{.Release.Namespace}} +- name: _l5d_trustdomain + value: {{$trustDomain}} +- name: LINKERD2_PROXY_IDENTITY_DIR + value: /var/run/linkerd/identity/end-entity +- name: LINKERD2_PROXY_IDENTITY_TRUST_ANCHORS +{{- /* +Pods in the `linkerd` namespace are not injected by the proxy injector and instead obtain +the trust anchor bundle from the `linkerd-identity-trust-roots` configmap. This should not +be used in other contexts. +*/}} +{{- if .Values.proxy.loadTrustBundleFromConfigMap }} + valueFrom: + configMapKeyRef: + name: linkerd-identity-trust-roots + key: ca-bundle.crt +{{ else }} + value: | + {{- required "Please provide the identity trust anchors" .Values.identityTrustAnchorsPEM | trim | nindent 4 }} +{{ end -}} +- name: LINKERD2_PROXY_IDENTITY_TOKEN_FILE +{{- if .Values.identity.serviceAccountTokenProjection }} + value: /var/run/secrets/tokens/linkerd-identity-token +{{ else }} + value: /var/run/secrets/kubernetes.io/serviceaccount/token +{{ end -}} +- name: LINKERD2_PROXY_IDENTITY_SVC_ADDR + value: {{ternary "localhost.:8080" (printf "linkerd-identity-headless.%s.svc.%s.:8080" .Release.Namespace .Values.clusterDomain) (eq (toString .Values.proxy.component) "linkerd-identity")}} +- name: LINKERD2_PROXY_IDENTITY_LOCAL_NAME + value: $(_pod_sa).$(_pod_ns).serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +- name: LINKERD2_PROXY_IDENTITY_SVC_NAME + value: linkerd-identity.{{.Release.Namespace}}.serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +- name: LINKERD2_PROXY_DESTINATION_SVC_NAME + value: linkerd-destination.{{.Release.Namespace}}.serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +- name: LINKERD2_PROXY_POLICY_SVC_NAME + value: linkerd-destination.{{.Release.Namespace}}.serviceaccount.identity.{{.Release.Namespace}}.{{$trustDomain}} +{{ if .Values.proxy.accessLog -}} +- name: LINKERD2_PROXY_ACCESS_LOG + value: {{.Values.proxy.accessLog | quote}} +{{ end -}} +{{ if .Values.proxy.shutdownGracePeriod -}} +- name: LINKERD2_PROXY_SHUTDOWN_GRACE_PERIOD + value: {{.Values.proxy.shutdownGracePeriod | quote}} +{{ end -}} +{{ if .Values.proxy.additionalEnv -}} +{{ toYaml .Values.proxy.additionalEnv }} +{{ end -}} +{{ if .Values.proxy.experimentalEnv -}} +{{ toYaml .Values.proxy.experimentalEnv }} +{{ end -}} +image: {{.Values.proxy.image.name}}:{{.Values.proxy.image.version | default .Values.linkerdVersion}} +imagePullPolicy: {{.Values.proxy.image.pullPolicy | default .Values.imagePullPolicy}} +livenessProbe: + httpGet: + path: /live + port: {{.Values.proxy.ports.admin}} + initialDelaySeconds: {{.Values.proxy.livenessProbe.initialDelaySeconds }} + timeoutSeconds: {{.Values.proxy.livenessProbe.timeoutSeconds }} +name: linkerd-proxy +ports: +- containerPort: {{.Values.proxy.ports.inbound}} + name: linkerd-proxy +- containerPort: {{.Values.proxy.ports.admin}} + name: linkerd-admin +readinessProbe: + httpGet: + path: /ready + port: {{.Values.proxy.ports.admin}} + initialDelaySeconds: {{.Values.proxy.readinessProbe.initialDelaySeconds }} + timeoutSeconds: {{.Values.proxy.readinessProbe.timeoutSeconds }} +{{- if and .Values.proxy.nativeSidecar .Values.proxy.await }} +startupProbe: + httpGet: + path: /ready + port: {{.Values.proxy.ports.admin}} + initialDelaySeconds: {{.Values.proxy.startupProbe.initialDelaySeconds}} + periodSeconds: {{.Values.proxy.startupProbe.periodSeconds}} + failureThreshold: {{.Values.proxy.startupProbe.failureThreshold}} +{{- end }} +{{- if .Values.proxy.resources }} +{{ include "partials.resources" .Values.proxy.resources }} +{{- end }} +securityContext: + allowPrivilegeEscalation: false + {{- if .Values.proxy.capabilities -}} + {{- include "partials.proxy.capabilities" . | nindent 2 -}} + {{- end }} + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: {{.Values.proxy.uid}} +{{- if ge (int .Values.proxy.gid) 0 }} + runAsGroup: {{.Values.proxy.gid}} +{{- end }} + seccompProfile: + type: RuntimeDefault +terminationMessagePolicy: FallbackToLogsOnError +{{- if and (not .Values.proxy.nativeSidecar) (or .Values.proxy.await .Values.proxy.waitBeforeExitSeconds) }} +lifecycle: +{{- if .Values.proxy.await }} + postStart: + exec: + command: + - /usr/lib/linkerd/linkerd-await + - --timeout=2m + - --port={{.Values.proxy.ports.admin}} +{{- end }} +{{- if .Values.proxy.waitBeforeExitSeconds }} + preStop: + exec: + command: + - /bin/sleep + - {{.Values.proxy.waitBeforeExitSeconds | quote}} +{{- end }} +{{- end }} +volumeMounts: +- mountPath: /var/run/linkerd/identity/end-entity + name: linkerd-identity-end-entity +{{- if .Values.identity.serviceAccountTokenProjection }} +- mountPath: /var/run/secrets/tokens + name: linkerd-identity-token +{{- end }} +{{- if .Values.proxy.saMountPath }} +- mountPath: {{.Values.proxy.saMountPath.mountPath}} + name: {{.Values.proxy.saMountPath.name}} + readOnly: {{.Values.proxy.saMountPath.readOnly}} +{{- end -}} +{{- if .Values.proxy.nativeSidecar }} +restartPolicy: Always +{{- end -}} +{{- end }} diff --git a/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_pull-secrets.tpl b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_pull-secrets.tpl new file mode 100644 index 000000000..0c9aa4f01 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_pull-secrets.tpl @@ -0,0 +1,6 @@ +{{- define "partials.image-pull-secrets"}} +{{- if . }} +imagePullSecrets: +{{ toYaml . | indent 2 }} +{{- end }} +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_resources.tpl b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_resources.tpl new file mode 100644 index 000000000..1fd6789fd --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_resources.tpl @@ -0,0 +1,28 @@ +{{- define "partials.resources" -}} +{{- $ephemeralStorage := index . "ephemeral-storage" -}} +resources: + {{- if or (.cpu).limit (.memory).limit ($ephemeralStorage).limit }} + limits: + {{- with (.cpu).limit }} + cpu: {{. | quote}} + {{- end }} + {{- with (.memory).limit }} + memory: {{. | quote}} + {{- end }} + {{- with ($ephemeralStorage).limit }} + ephemeral-storage: {{. | quote}} + {{- end }} + {{- end }} + {{- if or (.cpu).request (.memory).request ($ephemeralStorage).request }} + requests: + {{- with (.cpu).request }} + cpu: {{. | quote}} + {{- end }} + {{- with (.memory).request }} + memory: {{. | quote}} + {{- end }} + {{- with ($ephemeralStorage).request }} + ephemeral-storage: {{. | quote}} + {{- end }} + {{- end }} +{{- end }} diff --git a/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_tolerations.tpl b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_tolerations.tpl new file mode 100644 index 000000000..c2292b146 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_tolerations.tpl @@ -0,0 +1,4 @@ +{{- define "linkerd.tolerations" -}} +tolerations: +{{ toYaml .Values.tolerations | trim | indent 2 }} +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_trace.tpl b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_trace.tpl new file mode 100644 index 000000000..dee059541 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_trace.tpl @@ -0,0 +1,5 @@ +{{ define "partials.linkerd.trace" -}} +{{ if .Values.controlPlaneTracing -}} +- -trace-collector=collector.{{.Values.controlPlaneTracingNamespace}}.svc.{{.Values.clusterDomain}}:55678 +{{ end -}} +{{- end }} diff --git a/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_validate.tpl b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_validate.tpl new file mode 100644 index 000000000..ba772c2fe --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_validate.tpl @@ -0,0 +1,19 @@ +{{- define "linkerd.webhook.validation" -}} + +{{- if and (.injectCaFrom) (.injectCaFromSecret) -}} +{{- fail "injectCaFrom and injectCaFromSecret cannot both be set" -}} +{{- end -}} + +{{- if and (or (.injectCaFrom) (.injectCaFromSecret)) (.caBundle) -}} +{{- fail "injectCaFrom or injectCaFromSecret cannot be set if providing a caBundle" -}} +{{- end -}} + +{{- if and (.externalSecret) (empty .caBundle) (empty .injectCaFrom) (empty .injectCaFromSecret) -}} +{{- fail "if externalSecret is set, then caBundle, injectCaFrom, or injectCaFromSecret must be set" -}} +{{- end }} + +{{- if and (or .injectCaFrom .injectCaFromSecret .caBundle) (not .externalSecret) -}} +{{- fail "if caBundle, injectCaFrom, or injectCaFromSecret is set, then externalSecret must be set" -}} +{{- end -}} + +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_volumes.tpl b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_volumes.tpl new file mode 100644 index 000000000..9684cf240 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/templates/_volumes.tpl @@ -0,0 +1,20 @@ +{{ define "partials.proxy.volumes.identity" -}} +emptyDir: + medium: Memory +name: linkerd-identity-end-entity +{{- end -}} + +{{ define "partials.proxyInit.volumes.xtables" -}} +emptyDir: {} +name: {{ .Values.proxyInit.xtMountPath.name }} +{{- end -}} + +{{- define "partials.proxy.volumes.service-account-token" -}} +name: linkerd-identity-token +projected: + sources: + - serviceAccountToken: + path: linkerd-identity-token + expirationSeconds: 86400 {{- /* # 24 hours */}} + audience: identity.l5d.io +{{- end -}} diff --git a/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/values.yaml b/charts/linkerd/linkerd-crds/2024.8.3/charts/partials/values.yaml new file mode 100644 index 000000000..e69de29bb diff --git a/charts/linkerd/linkerd-crds/2024.8.3/templates/NOTES.txt b/charts/linkerd/linkerd-crds/2024.8.3/templates/NOTES.txt new file mode 100644 index 000000000..4ff5c1818 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/templates/NOTES.txt @@ -0,0 +1,6 @@ +The linkerd-crds chart was successfully installed 🎉 + +To complete the linkerd core installation, please now proceed to install the +linkerd-control-plane chart in the {{ .Release.Namespace }} namespace. + +Looking for more? Visit https://linkerd.io/2/getting-started/ diff --git a/charts/linkerd/linkerd-crds/2024.8.3/templates/gateway.networking.k8s.io_grpcroutes.yaml b/charts/linkerd/linkerd-crds/2024.8.3/templates/gateway.networking.k8s.io_grpcroutes.yaml new file mode 100644 index 000000000..0050aac88 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/templates/gateway.networking.k8s.io_grpcroutes.yaml @@ -0,0 +1,1507 @@ +{{- if .Values.enableHttpRoutes }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1923 + gateway.networking.k8s.io/bundle-version: v0.7.1 + gateway.networking.k8s.io/channel: experimental + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} + creationTimestamp: null + name: grpcroutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: GRPCRoute + listKind: GRPCRouteList + plural: grpcroutes + singular: grpcroute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha2 + schema: + openAPIV3Schema: + description: "GRPCRoute provides a way to route gRPC requests. This includes + the capability to match requests by hostname, gRPC service, gRPC method, + or HTTP/2 header. Filters can be used to specify additional processing steps. + Backends specify where matching requests will be routed. \n GRPCRoute falls + under extended support within the Gateway API. Within the following specification, + the word \"MUST\" indicates that an implementation supporting GRPCRoute + must conform to the indicated requirement, but an implementation not supporting + this route type need not follow the requirement unless explicitly indicated. + \n Implementations supporting `GRPCRoute` with the `HTTPS` `ProtocolType` + MUST accept HTTP/2 connections without an initial upgrade from HTTP/1.1, + i.e. via ALPN. If the implementation does not support this, then it MUST + set the \"Accepted\" condition to \"False\" for the affected listener with + a reason of \"UnsupportedProtocol\". Implementations MAY also accept HTTP/2 + connections with an upgrade from HTTP/1. \n Implementations supporting `GRPCRoute` + with the `HTTP` `ProtocolType` MUST support HTTP/2 over cleartext TCP (h2c, + https://www.rfc-editor.org/rfc/rfc7540#section-3.1) without an initial upgrade + from HTTP/1.1, i.e. with prior knowledge (https://www.rfc-editor.org/rfc/rfc7540#section-3.4). + If the implementation does not support this, then it MUST set the \"Accepted\" + condition to \"False\" for the affected listener with a reason of \"UnsupportedProtocol\". + Implementations MAY also accept HTTP/2 connections with an upgrade from + HTTP/1, i.e. without prior knowledge. \n Support: Extended" + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of GRPCRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostnames to match against + the GRPC Host header to select a GRPCRoute to process the request. + This matches the RFC 1123 definition of a hostname with 2 notable + exceptions: \n 1. IPs are not allowed. 2. A hostname may be prefixed + with a wildcard label (`*.`). The wildcard label MUST appear by + itself as the first label. \n If a hostname is specified by both + the Listener and GRPCRoute, there MUST be at least one intersecting + hostname for the GRPCRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + GRPCRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches GRPCRoutes + that have either not specified any hostnames or have specified at + least one hostname that matches the Listener hostname. For example, + `test.example.com` and `*.example.com` would both match. On the + other hand, `example.com` and `test.example.net` would not match. + \n Hostnames that are prefixed with a wildcard label (`*.`) are + interpreted as a suffix match. That means that a match for `*.example.com` + would match both `test.example.com`, and `foo.test.example.com`, + but not `example.com`. \n If both the Listener and GRPCRoute have + specified hostnames, any GRPCRoute hostnames that do not match the + Listener hostname MUST be ignored. For example, if a Listener specified + `*.example.com`, and the GRPCRoute specified `test.example.com` + and `test.example.net`, `test.example.net` MUST NOT be considered + for a match. \n If both the Listener and GRPCRoute have specified + hostnames, and none match with the criteria above, then the GRPCRoute + MUST NOT be accepted by the implementation. The implementation MUST + raise an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n If a Route (A) of type HTTPRoute or GRPCRoute + is attached to a Listener and that listener already has another + Route (B) of the other type attached and the intersection of the + hostnames of A and B is non-empty, then the implementation MUST + accept exactly one of these two routes, determined by the following + criteria, in order: \n * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by \"{namespace}/{name}\". + \n The rejected Route MUST raise an 'Accepted' condition with a + status of 'False' in the corresponding RouteParentStatus. \n Support: + Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something in the + namespace they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable any other + kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, + \"gateway.networking.k8s.io\" is inferred. To set the core + API group (such as for a \"Service\" kind referent), Group + must be explicitly set to \"\" (empty string). \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified, this refers to the local namespace of the Route. + \n Note that there are specific rules for ParentRefs which + cross namespace boundaries. Cross-namespace references are + only valid if they are explicitly allowed by something in + the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It + can be interpreted differently based on the type of parent + resource. \n When the parent resource is a Gateway, this targets + all listeners listening on the specified port that also support + this kind of Route(and select this Route). It's not recommended + to set `Port` unless the networking behaviors specified in + a Route must apply to a specific port as opposed to a listener(s) + whose port(s) may be changed. When both Port and SectionName + are specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY choose + to support other parent resources. Implementations supporting + other types of parent resources MUST clearly document how/if + Port is interpreted. \n For the purpose of status, an attachment + is considered successful as long as the parent resource accepts + it partially. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - method: + type: Exact + description: Rules are a list of GRPC matchers, filters and actions. + items: + description: GRPCRouteRule defines the semantics for matching a + gRPC request based on conditions (matches), processing it (filters), + and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If *all* entries in BackendRefs are invalid, and there + are also no filters specified in this route rule, *all* traffic + which matches this rule MUST receive an `UNAVAILABLE` status. + \n See the GRPCBackendRef definition for the rules about what + makes a single GRPCBackendRef invalid. \n When a GRPCBackendRef + is invalid, `UNAVAILABLE` statuses MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive an `UNAVAILABLE` + status. \n For example, if two backends are specified with + equal weights, and one is invalid, 50 percent of traffic MUST + receive an `UNAVAILABLE` status. Implementations may choose + how that 50 percent is determined. \n Support: Core for Kubernetes + Service \n Support: Implementation-specific for any other + resource \n Support for weight: Core" + items: + description: GRPCBackendRef defines how a GRPCRoute forwards + a gRPC request. + properties: + filters: + description: "Filters defined at this level MUST be executed + if and only if the request is being forwarded to the + backend defined here. \n Support: Implementation-specific + (For broader support of filters, use the Filters field + in GRPCRouteRule.)" + items: + description: GRPCRouteFilter defines processing steps + that must be completed during the request or response + lifecycle. GRPCRouteFilters are meant as an extension + point to express processing that may be done in Gateway + implementations. Some examples include request or + response modification, implementing authentication + strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type + of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"filter\" behavior. For example, + resource \"myroutefilter\" in group \"networking.example.net\"). + ExtensionRef MUST NOT be used for core and extended + filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for + a filter that mirrors requests. Requests are sent + to the specified destination, but responses from + that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource + where mirrored requests are sent. \n If the + referent cannot be found, this BackendRef + is invalid and must be dropped from the Gateway. + The controller must ensure the \"ResolvedRefs\" + condition on the Route status is set to `status: + False` and not configure this backend in the + underlying implementation. \n If there is + a cross-namespace reference to an *existing* + object that is not allowed by a ReferenceGrant, + the controller must ensure the \"ResolvedRefs\" + \ condition on the Route is set to `status: + False`, with the \"RefNotPermitted\" reason + and not configure this backend in the underlying + implementation. \n In either error case, the + Message of the `ResolvedRefs` Condition should + be used to provide more detail about the problem. + \n Support: Extended for Kubernetes Service + \n Support: Implementation-specific for any + other resource" + properties: + group: + default: "" + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource + kind of the referent. For example \"Service\". + \n Defaults to \"Service\" when not specified. + \n ExternalName services can refer to + CNAME DNS records that may live outside + of the cluster and as such are difficult + to reason about in terms of conformance. + They also may not be safe to forward to + (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName + Services. \n Support: Core (Services with + a type other than ExternalName) \n Support: + Implementation-specific (Services with + type ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace + of the backend. When unspecified, the + local namespace is inferred. \n Note that + when a namespace different than the local + namespace is specified, a ReferenceGrant + object is required in the referent namespace + to allow that namespace's owner to accept + the reference. See the ReferenceGrant + documentation for details. \n Support: + Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination + port number to use for this resource. + Port is required when the referent is + a Kubernetes Service. In this case, the + port number is the service port number, + not the target port. For other resources, + destination port might be derived from + the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n + Support: Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter + to apply. As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + supporting GRPCRoute MUST support core filters. + \n - Extended: Filter types and their corresponding + configuration defined by \"Support: Extended\" + in this package, e.g. \"RequestMirror\". Implementers + are encouraged to support extended filters. \n + - Implementation-specific: Filters that are defined + and supported by specific vendors. In the future, + filters showing convergence in behavior across + multiple implementations will be considered for + inclusion in extended or core conformance levels. + Filter-specific configuration for such filters + is specified using the ExtensionRef field. `Type` + MUST be set to \"ExtensionRef\" for custom filters. + \n Implementers are encouraged to define custom + implementation types to extend the core API with + implementation-specific behavior. \n If a reference + to a custom filter type cannot be resolved, the + filter MUST NOT be skipped. Instead, requests + that would have been processed by that filter + MUST receive a HTTP error response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, + "gateway.networking.k8s.io". When unspecified or empty + string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource kind of + the referent. For example \"Service\". \n Defaults to + \"Service\" when not specified. \n ExternalName services + can refer to CNAME DNS records that may live outside + of the cluster and as such are difficult to reason about + in terms of conformance. They also may not be safe to + forward to (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName Services. + \n Support: Core (Services with a type other than ExternalName) + \n Support: Implementation-specific (Services with type + ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. + When unspecified, the local namespace is inferred. \n + Note that when a namespace different than the local + namespace is specified, a ReferenceGrant object is required + in the referent namespace to allow that namespace's + owner to accept the reference. See the ReferenceGrant + documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number + to use for this resource. Port is required when the + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support for this field varies based + on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations that support GRPCRoute. - Implementers + are encouraged to support extended filters. - Implementation-specific + custom filters have no API guarantees across implementations. + \n Specifying a core filter multiple times has unspecified + or implementation-specific conformance. Support: Core" + items: + description: GRPCRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + GRPCRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"filter\" behavior. For example, + resource \"myroutefilter\" in group \"networking.example.net\"). + ExtensionRef MUST NOT be used for core and extended + filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For + example, "gateway.networking.k8s.io". When unspecified + or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: foo + \n Config: add: - name: \"my-header\" value: \"bar,baz\" + \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: + bar my-header3: baz \n Config: remove: [\"my-header1\", + \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: + bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + set: - name: \"my-header\" value: \"bar\" \n Output: + GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter + that mirrors requests. Requests are sent to the specified + destination, but responses from that destination are + ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where + mirrored requests are sent. \n If the referent cannot + be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure + the \"ResolvedRefs\" condition on the Route status + is set to `status: False` and not configure this + backend in the underlying implementation. \n If + there is a cross-namespace reference to an *existing* + object that is not allowed by a ReferenceGrant, + the controller must ensure the \"ResolvedRefs\" + \ condition on the Route is set to `status: False`, + with the \"RefNotPermitted\" reason and not configure + this backend in the underlying implementation. \n + In either error case, the Message of the `ResolvedRefs` + Condition should be used to provide more detail + about the problem. \n Support: Extended for Kubernetes + Service \n Support: Implementation-specific for + any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". When + unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource + kind of the referent. For example \"Service\". + \n Defaults to \"Service\" when not specified. + \n ExternalName services can refer to CNAME + DNS records that may live outside of the cluster + and as such are difficult to reason about in + terms of conformance. They also may not be safe + to forward to (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName + Services. \n Support: Core (Services with a + type other than ExternalName) \n Support: Implementation-specific + (Services with type ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the + backend. When unspecified, the local namespace + is inferred. \n Note that when a namespace different + than the local namespace is specified, a ReferenceGrant + object is required in the referent namespace + to allow that namespace's owner to accept the + reference. See the ReferenceGrant documentation + for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port + number to use for this resource. Port is required + when the referent is a Kubernetes Service. In + this case, the port number is the service port + number, not the target port. For other resources, + destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n Support: + Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: foo + \n Config: add: - name: \"my-header\" value: \"bar,baz\" + \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: + bar my-header3: baz \n Config: remove: [\"my-header1\", + \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: + bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + set: - name: \"my-header\" value: \"bar\" \n Output: + GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\". + All implementations supporting GRPCRoute MUST support + core filters. \n - Extended: Filter types and their + corresponding configuration defined by \"Support: Extended\" + in this package, e.g. \"RequestMirror\". Implementers + are encouraged to support extended filters. \n - Implementation-specific: + Filters that are defined and supported by specific vendors. + In the future, filters showing convergence in behavior + across multiple implementations will be considered for + inclusion in extended or core conformance levels. Filter-specific + configuration for such filters is specified using the + ExtensionRef field. `Type` MUST be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged to + define custom implementation types to extend the core + API with implementation-specific behavior. \n If a reference + to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have + been processed by that filter MUST receive a HTTP error + response. \n " + enum: + - ResponseHeaderModifier + - RequestHeaderModifier + - RequestMirror + - ExtensionRef + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + description: "Matches define conditions used for matching the + rule against incoming gRPC requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - method: service: foo.bar headers: values: + version: 2 - method: service: foo.bar.v2 ``` \n For a request + to match against this rule, it MUST satisfy EITHER of the + two conditions: \n - service of foo.bar AND contains the header + `version: 2` - service of foo.bar.v2 \n See the documentation + for GRPCRouteMatch on how to specify multiple match conditions + to be ANDed together. \n If no matches are specified, the + implementation MUST match every gRPC request. \n Proxy or + Load Balancer routing configuration generated from GRPCRoutes + MUST prioritize rules based on the following criteria, continuing + on ties. Merging MUST not be done between GRPCRoutes and HTTPRoutes. + Precedence MUST be given to the rule with the largest number + of: \n * Characters in a matching non-wildcard hostname. * + Characters in a matching hostname. * Characters in a matching + service. * Characters in a matching method. * Header matches. + \n If ties still exist across multiple Routes, matching precedence + MUST be determined in order of the following criteria, continuing + on ties: \n * The oldest Route based on creation timestamp. + * The Route appearing first in alphabetical order by \"{namespace}/{name}\". + \n If ties still exist within the Route that has been given + precedence, matching precedence MUST be granted to the first + matching rule meeting the above criteria." + items: + description: "GRPCRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a gRPC request only if its service is `foo` + AND it contains the `version: v1` header: \n ``` matches: + - method: type: Exact service: \"foo\" headers: - name: + \"version\" value \"v1\" \n ```" + properties: + headers: + description: Headers specifies gRPC request header matchers. + Multiple match values are ANDed together, meaning, a + request MUST match all the specified headers to select + the route. + items: + description: GRPCHeaderMatch describes how to select + a gRPC route by matching gRPC request headers. + properties: + name: + description: "Name is the name of the gRPC Header + to be matched. \n If multiple entries specify + equivalent header names, only the first entry + with an equivalent name MUST be considered for + a match. Subsequent entries with an equivalent + header name MUST be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: Type specifies how to match against + the value of the header. + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of the gRPC Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: Method specifies a gRPC request service/method + matcher. If this field is not specified, all services + and methods will match. + properties: + method: + description: "Value of the method to match against. + If left empty or omitted, will match all services. + \n At least one of Service and Method MUST be a + non-empty string." + maxLength: 1024 + type: string + service: + description: "Value of the service to match against. + If left empty or omitted, will match any service. + \n At least one of Service and Method MUST be a + non-empty string." + maxLength: 1024 + type: string + type: + default: Exact + description: "Type specifies how to match against + the service and/or method. Support: Core (Exact + with service and method specified) \n Support: Implementation-specific + (Exact with method specified but no service specified) + \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - RegularExpression + type: string + type: object + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of GRPCRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, \n type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: \"Available\", \"Progressing\", + and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields + }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, + \"gateway.networking.k8s.io\" is inferred. To set the + core API group (such as for a \"Service\" kind referent), + Group must be explicitly set to \"\" (empty string). \n + Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) \n Support: Implementation-specific (Other + Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified, this refers to the local namespace of + the Route. \n Note that there are specific rules for ParentRefs + which cross namespace boundaries. Cross-namespace references + are only valid if they are explicitly allowed by something + in the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides + a generic way to enable any other kind of cross-namespace + reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. + It can be interpreted differently based on the type of + parent resource. \n When the parent resource is a Gateway, + this targets all listeners listening on the specified + port that also support this kind of Route(and select this + Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to + a specific port as opposed to a listener(s) whose port(s) + may be changed. When both Port and SectionName are specified, + the name and port of the selected listener must match + both specified values. \n Implementations MAY choose to + support other parent resources. Implementations supporting + other types of parent resources MUST clearly document + how/if Port is interpreted. \n For the purpose of status, + an attachment is considered successful as long as the + parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them + by Route kind, namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from the referencing Route, + the Route MUST be considered successfully attached. If + no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +{{- end }} + diff --git a/charts/linkerd/linkerd-crds/2024.8.3/templates/gateway.networking.k8s.io_httproutes.yaml b/charts/linkerd/linkerd-crds/2024.8.3/templates/gateway.networking.k8s.io_httproutes.yaml new file mode 100644 index 000000000..b695c51d5 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/templates/gateway.networking.k8s.io_httproutes.yaml @@ -0,0 +1,3881 @@ +{{- if .Values.enableHttpRoutes }} +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/gateway-api/pull/1923 + gateway.networking.k8s.io/bundle-version: v0.7.1 + gateway.networking.k8s.io/channel: experimental + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} + creationTimestamp: null + name: httproutes.gateway.networking.k8s.io +spec: + group: gateway.networking.k8s.io + names: + categories: + - gateway-api + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + deprecated: true + deprecationWarning: The v1alpha2 version of HTTPRoute has been deprecated and + will be removed in a future release of the API. Please upgrade to v1beta1. + name: v1alpha2 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute used to process + the request. Implementations MUST ignore any port value specified + in the HTTP Host header while performing a match. \n Valid values + for Hostnames are determined by RFC 1123 definition of a hostname + with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n If a hostname is specified + by both the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames or have specified at + least one hostname that matches the Listener hostname. For example, + `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. \n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. \n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n In the event that multiple HTTPRoutes specify + intersecting hostnames (e.g. overlapping wildcard matching and exact + matching hostnames), precedence must be given to rules from the + HTTPRoute with the largest number of: \n * Characters in a matching + non-wildcard hostname. * Characters in a matching hostname. \n If + ties exist across multiple Routes, the matching precedence rules + for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something in the + namespace they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable any other + kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, + \"gateway.networking.k8s.io\" is inferred. To set the core + API group (such as for a \"Service\" kind referent), Group + must be explicitly set to \"\" (empty string). \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified, this refers to the local namespace of the Route. + \n Note that there are specific rules for ParentRefs which + cross namespace boundaries. Cross-namespace references are + only valid if they are explicitly allowed by something in + the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It + can be interpreted differently based on the type of parent + resource. \n When the parent resource is a Gateway, this targets + all listeners listening on the specified port that also support + this kind of Route(and select this Route). It's not recommended + to set `Port` unless the networking behaviors specified in + a Route must apply to a specific port as opposed to a listener(s) + whose port(s) may be changed. When both Port and SectionName + are specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY choose + to support other parent resources. Implementations supporting + other types of parent resources MUST clearly document how/if + Port is interpreted. \n For the purpose of status, an attachment + is considered successful as long as the parent resource accepts + it partially. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches), processing it (filters), + and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If *all* entries in BackendRefs are invalid, and there + are also no filters specified in this route rule, *all* traffic + which matches this rule MUST receive a 500 status code. \n + See the HTTPBackendRef definition for the rules about what + makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined. + \n Support: Core for Kubernetes Service \n Support: Extended + for Kubernetes ServiceImport \n Support: Implementation-specific + for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should + forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be + executed if and only if the request is being forwarded + to the backend defined here. \n Support: Implementation-specific + (For broader support of filters, use the Filters field + in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps + that must be completed during the request or response + lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway + implementations. Some examples include request or + response modification, implementing authentication + strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type + of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"filter\" behavior. For example, + resource \"myroutefilter\" in group \"networking.example.net\"). + ExtensionRef MUST NOT be used for core and extended + filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for + a filter that mirrors requests. Requests are sent + to the specified destination, but responses from + that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource + where mirrored requests are sent. \n If the + referent cannot be found, this BackendRef + is invalid and must be dropped from the Gateway. + The controller must ensure the \"ResolvedRefs\" + condition on the Route status is set to `status: + False` and not configure this backend in the + underlying implementation. \n If there is + a cross-namespace reference to an *existing* + object that is not allowed by a ReferenceGrant, + the controller must ensure the \"ResolvedRefs\" + \ condition on the Route is set to `status: + False`, with the \"RefNotPermitted\" reason + and not configure this backend in the underlying + implementation. \n In either error case, the + Message of the `ResolvedRefs` Condition should + be used to provide more detail about the problem. + \n Support: Extended for Kubernetes Service + \n Support: Implementation-specific for any + other resource" + properties: + group: + default: "" + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource + kind of the referent. For example \"Service\". + \n Defaults to \"Service\" when not specified. + \n ExternalName services can refer to + CNAME DNS records that may live outside + of the cluster and as such are difficult + to reason about in terms of conformance. + They also may not be safe to forward to + (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName + Services. \n Support: Core (Services with + a type other than ExternalName) \n Support: + Implementation-specific (Services with + type ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace + of the backend. When unspecified, the + local namespace is inferred. \n Note that + when a namespace different than the local + namespace is specified, a ReferenceGrant + object is required in the referent namespace + to allow that namespace's owner to accept + the reference. See the ReferenceGrant + documentation for details. \n Support: + Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination + port number to use for this resource. + Port is required when the referent is + a Kubernetes Service. In this case, the + port number is the service port number, + not the target port. For other resources, + destination port might be derived from + the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for + a filter that responds to the request with an + HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be + used in the value of the `Location` header + in the response. When empty, the hostname + in the `Host` header of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" would + be modified to \"/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not." + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in + the value of the `Location` header in the + response. \n If no port is specified, the + redirect port MUST be derived using the following + rules: \n * If redirect scheme is not-empty, + the redirect port MUST be the well-known port + associated with the redirect scheme. Specifically + \"http\" to port 80 and \"https\" to port + 443. If the redirect scheme does not have + a well-known port, the listener port of the + Gateway SHOULD be used. * If redirect scheme + is empty, the redirect port MUST be the Gateway + Listener port. \n Implementations SHOULD NOT + add the port number in the 'Location' header + in the following cases: \n * A Location header + that will use HTTP (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 80. * A Location header that + will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used + in the value of the `Location` header in the + response. When empty, the scheme of the request + is used. \n Scheme redirects can affect the + port of the redirect, for more information, + refer to the documentation for the port field + of this filter. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. + \n Unknown values here must result in the + implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status + code to be used in response. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result + in the implementation setting the Accepted + Condition for the Route to `status: False`, + with a Reason of `UnsupportedValue`. \n Support: + Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n + Support: Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter + to apply. As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + must support core filters. \n - Extended: Filter + types and their corresponding configuration defined + by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged + to support extended filters. \n - Implementation-specific: + Filters that are defined and supported by specific + vendors. In the future, filters showing convergence + in behavior across multiple implementations will + be considered for inclusion in extended or core + conformance levels. Filter-specific configuration + for such filters is specified using the ExtensionRef + field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged + to define custom implementation types to extend + the core API with implementation-specific behavior. + \n If a reference to a custom filter type cannot + be resolved, the filter MUST NOT be skipped. Instead, + requests that would have been processed by that + filter MUST receive a HTTP error response. \n + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result in + the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a + filter that modifies a request during forwarding. + \n Support: Extended" + properties: + hostname: + description: "Hostname is the value to be used + to replace the Host header value during forwarding. + \n Support: Extended" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n + Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" would + be modified to \"/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not." + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, + "gateway.networking.k8s.io". When unspecified or empty + string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource kind of + the referent. For example \"Service\". \n Defaults to + \"Service\" when not specified. \n ExternalName services + can refer to CNAME DNS records that may live outside + of the cluster and as such are difficult to reason about + in terms of conformance. They also may not be safe to + forward to (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName Services. + \n Support: Core (Services with a type other than ExternalName) + \n Support: Implementation-specific (Services with type + ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. + When unspecified, the local namespace is inferred. \n + Note that when a namespace different than the local + namespace is specified, a ReferenceGrant object is required + in the referent namespace to allow that namespace's + owner to accept the reference. See the ReferenceGrant + documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number + to use for this resource. Port is required when the + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support for this field varies based + on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or implementation-specific + conformance. \n All filters are expected to be compatible + with each other except for the URLRewrite and RequestRedirect + filters, which may not be combined. If an implementation can + not support other combinations of filters, they must clearly + document that limitation. In all cases where incompatible + or unsupported filters are specified, implementations MUST + add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"filter\" behavior. For example, + resource \"myroutefilter\" in group \"networking.example.net\"). + ExtensionRef MUST NOT be used for core and extended + filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For + example, "gateway.networking.k8s.io". When unspecified + or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: foo + \n Config: add: - name: \"my-header\" value: \"bar,baz\" + \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: + bar my-header3: baz \n Config: remove: [\"my-header1\", + \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: + bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + set: - name: \"my-header\" value: \"bar\" \n Output: + GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter + that mirrors requests. Requests are sent to the specified + destination, but responses from that destination are + ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where + mirrored requests are sent. \n If the referent cannot + be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure + the \"ResolvedRefs\" condition on the Route status + is set to `status: False` and not configure this + backend in the underlying implementation. \n If + there is a cross-namespace reference to an *existing* + object that is not allowed by a ReferenceGrant, + the controller must ensure the \"ResolvedRefs\" + \ condition on the Route is set to `status: False`, + with the \"RefNotPermitted\" reason and not configure + this backend in the underlying implementation. \n + In either error case, the Message of the `ResolvedRefs` + Condition should be used to provide more detail + about the problem. \n Support: Extended for Kubernetes + Service \n Support: Implementation-specific for + any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". When + unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource + kind of the referent. For example \"Service\". + \n Defaults to \"Service\" when not specified. + \n ExternalName services can refer to CNAME + DNS records that may live outside of the cluster + and as such are difficult to reason about in + terms of conformance. They also may not be safe + to forward to (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName + Services. \n Support: Core (Services with a + type other than ExternalName) \n Support: Implementation-specific + (Services with type ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the + backend. When unspecified, the local namespace + is inferred. \n Note that when a namespace different + than the local namespace is specified, a ReferenceGrant + object is required in the referent namespace + to allow that namespace's owner to accept the + reference. See the ReferenceGrant documentation + for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port + number to use for this resource. Port is required + when the referent is a Kubernetes Service. In + this case, the port number is the service port + number, not the target port. For other resources, + destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname in the `Host` header of + the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify + the path of the incoming request. The modified path + is then used to construct the `Location` header. + When empty, the request path is used as-is. \n Support: + Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the value + with which to replace the full path of a request + during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the + value with which to replace the prefix match + of a request during a rewrite or redirect. For + example, a request to \"/foo/bar\" with a prefix + match of \"/foo\" would be modified to \"/bar\". + \n Note that this matches the behavior of the + PathPrefix match type. This matches full path + elements. A path element refers to the list + of labels in the path split by the `/` separator. + When specified, a trailing `/` is ignored. For + example, the paths `/abc`, `/abc/`, and `/abc/def` + would all match the prefix `/abc`, but the path + `/abcd` would not." + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. + Additional types may be added in a future release + of the API. \n Note that values may be added + to this enum, implementations must ensure that + unknown values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the Route + to `status: False`, with a Reason of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. \n If + no port is specified, the redirect port MUST be + derived using the following rules: \n * If redirect + scheme is not-empty, the redirect port MUST be the + well-known port associated with the redirect scheme. + Specifically \"http\" to port 80 and \"https\" to + port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway + SHOULD be used. * If redirect scheme is empty, the + redirect port MUST be the Gateway Listener port. + \n Implementations SHOULD NOT add the port number + in the 'Location' header in the following cases: + \n * A Location header that will use HTTP (whether + that is determined via the Listener protocol or + the Scheme field) _and_ use port 80. * A Location + header that will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) _and_ + use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Scheme redirects can affect the port of the redirect, + for more information, refer to the documentation + for the port field of this filter. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause a + crash. \n Unknown values here must result in the + implementation setting the Accepted Condition for + the Route to `status: False`, with a Reason of `UnsupportedValue`. + \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. \n Unknown + values here must result in the implementation setting + the Accepted Condition for the Route to `status: + False`, with a Reason of `UnsupportedValue`. \n + Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n Support: + Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: foo + \n Config: add: - name: \"my-header\" value: \"bar,baz\" + \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: + bar my-header3: baz \n Config: remove: [\"my-header1\", + \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: + bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + set: - name: \"my-header\" value: \"bar\" \n Output: + GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\". + All implementations must support core filters. \n - + Extended: Filter types and their corresponding configuration + defined by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged to support + extended filters. \n - Implementation-specific: Filters + that are defined and supported by specific vendors. + In the future, filters showing convergence in behavior + across multiple implementations will be considered for + inclusion in extended or core conformance levels. Filter-specific + configuration for such filters is specified using the + ExtensionRef field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged to + define custom implementation types to extend the core + API with implementation-specific behavior. \n If a reference + to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have + been processed by that filter MUST receive a HTTP error + response. \n Note that values may be added to this enum, + implementations must ensure that unknown values will + not cause a crash. \n Unknown values here must result + in the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter + that modifies a request during forwarding. \n Support: + Extended" + properties: + hostname: + description: "Hostname is the value to be used to + replace the Host header value during forwarding. + \n Support: Extended" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: + Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the value + with which to replace the full path of a request + during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the + value with which to replace the prefix match + of a request during a rewrite or redirect. For + example, a request to \"/foo/bar\" with a prefix + match of \"/foo\" would be modified to \"/bar\". + \n Note that this matches the behavior of the + PathPrefix match type. This matches full path + elements. A path element refers to the list + of labels in the path split by the `/` separator. + When specified, a trailing `/` is ignored. For + example, the paths `/abc`, `/abc/`, and `/abc/def` + would all match the prefix `/abc`, but the path + `/abcd` would not." + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. + Additional types may be added in a future release + of the API. \n Note that values may be added + to this enum, implementations must ensure that + unknown values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the Route + to `status: False`, with a Reason of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" + value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request + to match against this rule, a request must satisfy EITHER + of the two conditions: \n - path prefixed with `/foo` AND + contains the header `version: v2` - path prefix of `/v2/foo` + \n See the documentation for HTTPRouteMatch on how to specify + multiple match conditions that should be ANDed together. \n + If no matches are specified, the default is a prefix path + match on \"/\", which has the effect of matching every HTTP + request. \n Proxy or Load Balancer routing configuration generated + from HTTPRoutes MUST prioritize matches based on the following + criteria, continuing on ties. Across all rules specified on + applicable Routes, precedence must be given to the match having: + \n * \"Exact\" path match. * \"Prefix\" path match with largest + number of characters. * Method match. * Largest number of + header matches. * Largest number of query param matches. \n + Note: The precedence of RegularExpression path matches are + implementation-specific. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". \n If ties + still exist within an HTTPRoute, matching precedence MUST + be granted to the FIRST matching rule (in list order) with + a match meeting the above criteria. \n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: \n path: value: \"/foo\" headers: - name: \"version\" + value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. \n Support: Core (Exact) + \n Support: Implementation-specific (RegularExpression) + \n Since RegularExpression HeaderMatchType has + implementation-specific conformance, implementations + can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's + documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent query + param names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST + be ignored. \n If a query param is repeated in + an HTTP request, the behavior is purposely left + undefined, since different data planes have different + capabilities. However, it is *recommended* that + implementations should match against the first + value of the param if the data plane supports + it, as this behavior is expected in other load + balancing contexts outside of the Gateway API. + \n Users SHOULD NOT route traffic based on repeated + query params to guard themselves against potential + differences in the implementations." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, + PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, \n type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: \"Available\", \"Progressing\", + and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields + }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, + \"gateway.networking.k8s.io\" is inferred. To set the + core API group (such as for a \"Service\" kind referent), + Group must be explicitly set to \"\" (empty string). \n + Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) \n Support: Implementation-specific (Other + Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified, this refers to the local namespace of + the Route. \n Note that there are specific rules for ParentRefs + which cross namespace boundaries. Cross-namespace references + are only valid if they are explicitly allowed by something + in the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides + a generic way to enable any other kind of cross-namespace + reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. + It can be interpreted differently based on the type of + parent resource. \n When the parent resource is a Gateway, + this targets all listeners listening on the specified + port that also support this kind of Route(and select this + Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to + a specific port as opposed to a listener(s) whose port(s) + may be changed. When both Port and SectionName are specified, + the name and port of the selected listener must match + both specified values. \n Implementations MAY choose to + support other parent resources. Implementations supporting + other types of parent resources MUST clearly document + how/if Port is interpreted. \n For the purpose of status, + an attachment is considered successful as long as the + parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them + by Route kind, namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from the referencing Route, + the Route MUST be considered successfully attached. If + no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute used to process + the request. Implementations MUST ignore any port value specified + in the HTTP Host header while performing a match. \n Valid values + for Hostnames are determined by RFC 1123 definition of a hostname + with 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n If a hostname is specified + by both the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + that have either not specified any hostnames or have specified at + least one hostname that matches the Listener hostname. For example, + `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. \n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. \n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n In the event that multiple HTTPRoutes specify + intersecting hostnames (e.g. overlapping wildcard matching and exact + matching hostnames), precedence must be given to rules from the + HTTPRoute with the largest number of: \n * Characters in a matching + non-wildcard hostname. * Characters in a matching hostname. \n If + ties exist across multiple Routes, the matching precedence rules + for HTTPRouteMatches takes over. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged. \n Note that for ParentRefs that cross namespace + boundaries, there are specific rules. Cross-namespace references + are only valid if they are explicitly allowed by something in the + namespace they are referring to. For example, Gateway has the AllowedRoutes + field, and ReferenceGrant provides a generic way to enable any other + kind of cross-namespace reference." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, + \"gateway.networking.k8s.io\" is inferred. To set the core + API group (such as for a \"Service\" kind referent), Group + must be explicitly set to \"\" (empty string). \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) \n Support: Implementation-specific (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified, this refers to the local namespace of the Route. + \n Note that there are specific rules for ParentRefs which + cross namespace boundaries. Cross-namespace references are + only valid if they are explicitly allowed by something in + the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides a + generic way to enable any other kind of cross-namespace reference. + \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. It + can be interpreted differently based on the type of parent + resource. \n When the parent resource is a Gateway, this targets + all listeners listening on the specified port that also support + this kind of Route(and select this Route). It's not recommended + to set `Port` unless the networking behaviors specified in + a Route must apply to a specific port as opposed to a listener(s) + whose port(s) may be changed. When both Port and SectionName + are specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY choose + to support other parent resources. Implementations supporting + other types of parent resources MUST clearly document how/if + Port is interpreted. \n For the purpose of status, an attachment + is considered successful as long as the parent resource accepts + it partially. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches), processing it (filters), + and forwarding the request to an API object (backendRefs). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If *all* entries in BackendRefs are invalid, and there + are also no filters specified in this route rule, *all* traffic + which matches this rule MUST receive a 500 status code. \n + See the HTTPBackendRef definition for the rules about what + makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined. + \n Support: Core for Kubernetes Service \n Support: Extended + for Kubernetes ServiceImport \n Support: Implementation-specific + for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should + forward an HTTP request. + properties: + filters: + description: "Filters defined at this level should be + executed if and only if the request is being forwarded + to the backend defined here. \n Support: Implementation-specific + (For broader support of filters, use the Filters field + in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps + that must be completed during the request or response + lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway + implementations. Some examples include request or + response modification, implementing authentication + strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type + of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"filter\" behavior. For example, + resource \"myroutefilter\" in group \"networking.example.net\"). + ExtensionRef MUST NOT be used for core and extended + filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". + When unspecified or empty string, core API + group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For + example "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for + a filter that mirrors requests. Requests are sent + to the specified destination, but responses from + that destination are ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource + where mirrored requests are sent. \n If the + referent cannot be found, this BackendRef + is invalid and must be dropped from the Gateway. + The controller must ensure the \"ResolvedRefs\" + condition on the Route status is set to `status: + False` and not configure this backend in the + underlying implementation. \n If there is + a cross-namespace reference to an *existing* + object that is not allowed by a ReferenceGrant, + the controller must ensure the \"ResolvedRefs\" + \ condition on the Route is set to `status: + False`, with the \"RefNotPermitted\" reason + and not configure this backend in the underlying + implementation. \n In either error case, the + Message of the `ResolvedRefs` Condition should + be used to provide more detail about the problem. + \n Support: Extended for Kubernetes Service + \n Support: Implementation-specific for any + other resource" + properties: + group: + default: "" + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". + When unspecified or empty string, core + API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource + kind of the referent. For example \"Service\". + \n Defaults to \"Service\" when not specified. + \n ExternalName services can refer to + CNAME DNS records that may live outside + of the cluster and as such are difficult + to reason about in terms of conformance. + They also may not be safe to forward to + (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName + Services. \n Support: Core (Services with + a type other than ExternalName) \n Support: + Implementation-specific (Services with + type ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace + of the backend. When unspecified, the + local namespace is inferred. \n Note that + when a namespace different than the local + namespace is specified, a ReferenceGrant + object is required in the referent namespace + to allow that namespace's owner to accept + the reference. See the ReferenceGrant + documentation for details. \n Support: + Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination + port number to use for this resource. + Port is required when the referent is + a Kubernetes Service. In this case, the + port number is the service port number, + not the target port. For other resources, + destination port might be derived from + the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for + a filter that responds to the request with an + HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be + used in the value of the `Location` header + in the response. When empty, the hostname + in the `Host` header of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" would + be modified to \"/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not." + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in + the value of the `Location` header in the + response. \n If no port is specified, the + redirect port MUST be derived using the following + rules: \n * If redirect scheme is not-empty, + the redirect port MUST be the well-known port + associated with the redirect scheme. Specifically + \"http\" to port 80 and \"https\" to port + 443. If the redirect scheme does not have + a well-known port, the listener port of the + Gateway SHOULD be used. * If redirect scheme + is empty, the redirect port MUST be the Gateway + Listener port. \n Implementations SHOULD NOT + add the port number in the 'Location' header + in the following cases: \n * A Location header + that will use HTTP (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 80. * A Location header that + will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used + in the value of the `Location` header in the + response. When empty, the scheme of the request + is used. \n Scheme redirects can affect the + port of the redirect, for more information, + refer to the documentation for the port field + of this filter. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. + \n Unknown values here must result in the + implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status + code to be used in response. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result + in the implementation setting the Accepted + Condition for the Route to `status: False`, + with a Reason of `UnsupportedValue`. \n Support: + Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n + Support: Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter + to apply. As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + must support core filters. \n - Extended: Filter + types and their corresponding configuration defined + by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged + to support extended filters. \n - Implementation-specific: + Filters that are defined and supported by specific + vendors. In the future, filters showing convergence + in behavior across multiple implementations will + be considered for inclusion in extended or core + conformance levels. Filter-specific configuration + for such filters is specified using the ExtensionRef + field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged + to define custom implementation types to extend + the core API with implementation-specific behavior. + \n If a reference to a custom filter type cannot + be resolved, the filter MUST NOT be skipped. Instead, + requests that would have been processed by that + filter MUST receive a HTTP error response. \n + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result in + the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a + filter that modifies a request during forwarding. + \n Support: Extended" + properties: + hostname: + description: "Hostname is the value to be used + to replace the Host header value during forwarding. + \n Support: Extended" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n + Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" would + be modified to \"/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not." + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + group: + default: "" + description: Group is the group of the referent. For example, + "gateway.networking.k8s.io". When unspecified or empty + string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource kind of + the referent. For example \"Service\". \n Defaults to + \"Service\" when not specified. \n ExternalName services + can refer to CNAME DNS records that may live outside + of the cluster and as such are difficult to reason about + in terms of conformance. They also may not be safe to + forward to (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName Services. + \n Support: Core (Services with a type other than ExternalName) + \n Support: Implementation-specific (Services with type + ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. + When unspecified, the local namespace is inferred. \n + Note that when a namespace different than the local + namespace is specified, a ReferenceGrant object is required + in the referent namespace to allow that namespace's + owner to accept the reference. See the ReferenceGrant + documentation for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number + to use for this resource. Port is required when the + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support for this field varies based + on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or implementation-specific + conformance. \n All filters are expected to be compatible + with each other except for the URLRewrite and RequestRedirect + filters, which may not be combined. If an implementation can + not support other combinations of filters, they must clearly + document that limitation. In all cases where incompatible + or unsupported filters are specified, implementations MUST + add a warning condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + extensionRef: + description: "ExtensionRef is an optional, implementation-specific + extension to the \"filter\" behavior. For example, + resource \"myroutefilter\" in group \"networking.example.net\"). + ExtensionRef MUST NOT be used for core and extended + filters. \n Support: Implementation-specific" + properties: + group: + description: Group is the group of the referent. For + example, "gateway.networking.k8s.io". When unspecified + or empty string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + required: + - group + - kind + - name + type: object + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: foo + \n Config: add: - name: \"my-header\" value: \"bar,baz\" + \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: + bar my-header3: baz \n Config: remove: [\"my-header1\", + \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: + bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + set: - name: \"my-header\" value: \"bar\" \n Output: + GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestMirror: + description: "RequestMirror defines a schema for a filter + that mirrors requests. Requests are sent to the specified + destination, but responses from that destination are + ignored. \n Support: Extended" + properties: + backendRef: + description: "BackendRef references a resource where + mirrored requests are sent. \n If the referent cannot + be found, this BackendRef is invalid and must be + dropped from the Gateway. The controller must ensure + the \"ResolvedRefs\" condition on the Route status + is set to `status: False` and not configure this + backend in the underlying implementation. \n If + there is a cross-namespace reference to an *existing* + object that is not allowed by a ReferenceGrant, + the controller must ensure the \"ResolvedRefs\" + \ condition on the Route is set to `status: False`, + with the \"RefNotPermitted\" reason and not configure + this backend in the underlying implementation. \n + In either error case, the Message of the `ResolvedRefs` + Condition should be used to provide more detail + about the problem. \n Support: Extended for Kubernetes + Service \n Support: Implementation-specific for + any other resource" + properties: + group: + default: "" + description: Group is the group of the referent. + For example, "gateway.networking.k8s.io". When + unspecified or empty string, core API group + is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: "Kind is the Kubernetes resource + kind of the referent. For example \"Service\". + \n Defaults to \"Service\" when not specified. + \n ExternalName services can refer to CNAME + DNS records that may live outside of the cluster + and as such are difficult to reason about in + terms of conformance. They also may not be safe + to forward to (see CVE-2021-25740 for more information). + Implementations SHOULD NOT support ExternalName + Services. \n Support: Core (Services with a + type other than ExternalName) \n Support: Implementation-specific + (Services with type ExternalName)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the + backend. When unspecified, the local namespace + is inferred. \n Note that when a namespace different + than the local namespace is specified, a ReferenceGrant + object is required in the referent namespace + to allow that namespace's owner to accept the + reference. See the ReferenceGrant documentation + for details. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port + number to use for this resource. Port is required + when the referent is a Kubernetes Service. In + this case, the port number is the service port + number, not the target port. For other resources, + destination port might be derived from the referent + resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - name + type: object + required: + - backendRef + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname in the `Host` header of + the request is used. \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to modify + the path of the incoming request. The modified path + is then used to construct the `Location` header. + When empty, the request path is used as-is. \n Support: + Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the value + with which to replace the full path of a request + during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the + value with which to replace the prefix match + of a request during a rewrite or redirect. For + example, a request to \"/foo/bar\" with a prefix + match of \"/foo\" would be modified to \"/bar\". + \n Note that this matches the behavior of the + PathPrefix match type. This matches full path + elements. A path element refers to the list + of labels in the path split by the `/` separator. + When specified, a trailing `/` is ignored. For + example, the paths `/abc`, `/abc/`, and `/abc/def` + would all match the prefix `/abc`, but the path + `/abcd` would not." + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. + Additional types may be added in a future release + of the API. \n Note that values may be added + to this enum, implementations must ensure that + unknown values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the Route + to `status: False`, with a Reason of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. \n If + no port is specified, the redirect port MUST be + derived using the following rules: \n * If redirect + scheme is not-empty, the redirect port MUST be the + well-known port associated with the redirect scheme. + Specifically \"http\" to port 80 and \"https\" to + port 443. If the redirect scheme does not have a + well-known port, the listener port of the Gateway + SHOULD be used. * If redirect scheme is empty, the + redirect port MUST be the Gateway Listener port. + \n Implementations SHOULD NOT add the port number + in the 'Location' header in the following cases: + \n * A Location header that will use HTTP (whether + that is determined via the Listener protocol or + the Scheme field) _and_ use port 80. * A Location + header that will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) _and_ + use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Scheme redirects can affect the port of the redirect, + for more information, refer to the documentation + for the port field of this filter. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause a + crash. \n Unknown values here must result in the + implementation setting the Accepted Condition for + the Route to `status: False`, with a Reason of `UnsupportedValue`. + \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. \n Unknown + values here must result in the implementation setting + the Accepted Condition for the Route to `status: + False`, with a Reason of `UnsupportedValue`. \n + Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n Support: + Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: foo + \n Config: add: - name: \"my-header\" value: \"bar,baz\" + \n Output: GET /foo HTTP/1.1 my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo my-header2: + bar my-header3: baz \n Config: remove: [\"my-header1\", + \"my-header3\"] \n Output: GET /foo HTTP/1.1 my-header2: + bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + set: - name: \"my-header\" value: \"bar\" \n Output: + GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\". + All implementations must support core filters. \n - + Extended: Filter types and their corresponding configuration + defined by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged to support + extended filters. \n - Implementation-specific: Filters + that are defined and supported by specific vendors. + In the future, filters showing convergence in behavior + across multiple implementations will be considered for + inclusion in extended or core conformance levels. Filter-specific + configuration for such filters is specified using the + ExtensionRef field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged to + define custom implementation types to extend the core + API with implementation-specific behavior. \n If a reference + to a custom filter type cannot be resolved, the filter + MUST NOT be skipped. Instead, requests that would have + been processed by that filter MUST receive a HTTP error + response. \n Note that values may be added to this enum, + implementations must ensure that unknown values will + not cause a crash. \n Unknown values here must result + in the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestMirror + - RequestRedirect + - URLRewrite + - ExtensionRef + type: string + urlRewrite: + description: "URLRewrite defines a schema for a filter + that modifies a request during forwarding. \n Support: + Extended" + properties: + hostname: + description: "Hostname is the value to be used to + replace the Host header value during forwarding. + \n Support: Extended" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines a path rewrite. \n Support: + Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the value + with which to replace the full path of a request + during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies the + value with which to replace the prefix match + of a request during a rewrite or redirect. For + example, a request to \"/foo/bar\" with a prefix + match of \"/foo\" would be modified to \"/bar\". + \n Note that this matches the behavior of the + PathPrefix match type. This matches full path + elements. A path element refers to the list + of labels in the path split by the `/` separator. + When specified, a trailing `/` is ignored. For + example, the paths `/abc`, `/abc/`, and `/abc/def` + would all match the prefix `/abc`, but the path + `/abcd` would not." + maxLength: 1024 + type: string + type: + description: "Type defines the type of path modifier. + Additional types may be added in a future release + of the API. \n Note that values may be added + to this enum, implementations must ensure that + unknown values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the Route + to `status: False`, with a Reason of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + type: object + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - name: \"version\" + value: \"v2\" - path: value: \"/v2/foo\" ``` \n For a request + to match against this rule, a request must satisfy EITHER + of the two conditions: \n - path prefixed with `/foo` AND + contains the header `version: v2` - path prefix of `/v2/foo` + \n See the documentation for HTTPRouteMatch on how to specify + multiple match conditions that should be ANDed together. \n + If no matches are specified, the default is a prefix path + match on \"/\", which has the effect of matching every HTTP + request. \n Proxy or Load Balancer routing configuration generated + from HTTPRoutes MUST prioritize matches based on the following + criteria, continuing on ties. Across all rules specified on + applicable Routes, precedence must be given to the match having: + \n * \"Exact\" path match. * \"Prefix\" path match with largest + number of characters. * Method match. * Largest number of + header matches. * Largest number of query param matches. \n + Note: The precedence of RegularExpression path matches are + implementation-specific. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". \n If ties + still exist within an HTTPRoute, matching precedence MUST + be granted to the FIRST matching rule (in list order) with + a match meeting the above criteria. \n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: \n path: value: \"/foo\" headers: - name: \"version\" + value \"v1\" \n ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. \n Support: Core (Exact) + \n Support: Implementation-specific (RegularExpression) + \n Since RegularExpression HeaderMatchType has + implementation-specific conformance, implementations + can support POSIX, PCRE or any other dialects + of regular expressions. Please read the implementation's + documentation to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Implementation-specific (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: "QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. \n Support: Extended" + items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: "Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + \n If multiple entries specify equivalent query + param names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent query param name MUST + be ignored. \n If a query param is repeated in + an HTTP request, the behavior is purposely left + undefined, since different data planes have different + capabilities. However, it is *recommended* that + implementations should match against the first + value of the param if the data plane supports + it, as this behavior is expected in other load + balancing contexts outside of the Gateway API. + \n Users SHOULD NOT route traffic based on repeated + query params to guard themselves against potential + differences in the implementations." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Implementation-specific + (RegularExpression) \n Since RegularExpression + QueryParamMatchType has Implementation-specific + conformance, implementations can support POSIX, + PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, \n type FooStatus struct{ + // Represents the observations of a foo's current state. + // Known .status.conditions.type are: \"Available\", \"Progressing\", + and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge + // +listType=map // +listMapKey=type Conditions []metav1.Condition + `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" + protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields + }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: gateway.networking.k8s.io + description: "Group is the group of the referent. When unspecified, + \"gateway.networking.k8s.io\" is inferred. To set the + core API group (such as for a \"Service\" kind referent), + Group must be explicitly set to \"\" (empty string). \n + Support: Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) \n Support: Implementation-specific (Other + Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified, this refers to the local namespace of + the Route. \n Note that there are specific rules for ParentRefs + which cross namespace boundaries. Cross-namespace references + are only valid if they are explicitly allowed by something + in the namespace they are referring to. For example: Gateway + has the AllowedRoutes field, and ReferenceGrant provides + a generic way to enable any other kind of cross-namespace + reference. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. + It can be interpreted differently based on the type of + parent resource. \n When the parent resource is a Gateway, + this targets all listeners listening on the specified + port that also support this kind of Route(and select this + Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to + a specific port as opposed to a listener(s) whose port(s) + may be changed. When both Port and SectionName are specified, + the name and port of the selected listener must match + both specified values. \n Implementations MAY choose to + support other parent resources. Implementations supporting + other types of parent resources MUST clearly document + how/if Port is interpreted. \n For the purpose of status, + an attachment is considered successful as long as the + parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them + by Route kind, namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from the referencing Route, + the Route MUST be considered successfully attached. If + no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null +{{- end }} + diff --git a/charts/linkerd/linkerd-crds/2024.8.3/templates/policy/authorization-policy.yaml b/charts/linkerd/linkerd-crds/2024.8.3/templates/policy/authorization-policy.yaml new file mode 100644 index 000000000..7d86520e2 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/templates/policy/authorization-policy.yaml @@ -0,0 +1,99 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: authorizationpolicies.policy.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: policy.linkerd.io + scope: Namespaced + names: + kind: AuthorizationPolicy + plural: authorizationpolicies + singular: authorizationpolicy + shortNames: [authzpolicy] + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + description: >- + Authorizes clients to communicate with Linkerd-proxied server + resources. + type: object + required: [targetRef, requiredAuthenticationRefs] + properties: + targetRef: + description: >- + TargetRef references a resource to which the authorization + policy applies. + type: object + required: [kind, name] + # Modified from the gateway API. + # Copyright 2020 The Kubernetes Authors + properties: + group: + description: >- + Group is the group of the referent. When empty, the + Kubernetes core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is the kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + requiredAuthenticationRefs: + description: >- + RequiredAuthenticationRefs enumerates a set of required + authentications. ALL authentications must be satisfied for + the authorization to apply. If any of the referred objects + cannot be found, the authorization will be ignored. + type: array + items: + type: object + required: [kind, name] + properties: + group: + description: >- + Group is the group of the referent. When empty, the + Kubernetes core API group is inferred." + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is the kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: >- + Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Name is the name of the referent. When unspecified, + this authentication refers to the local namespace. + maxLength: 253 + type: string diff --git a/charts/linkerd/linkerd-crds/2024.8.3/templates/policy/httproute.yaml b/charts/linkerd/linkerd-crds/2024.8.3/templates/policy/httproute.yaml new file mode 100644 index 000000000..6d2e8b07e --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/templates/policy/httproute.yaml @@ -0,0 +1,5328 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: httproutes.policy.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: policy.linkerd.io + names: + kind: HTTPRoute + listKind: HTTPRouteList + plural: httproutes + singular: httproute + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute to process the + request. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may + be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n If a hostname is specified + by both the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + \ that have either not specified any hostnames or have specified + at least one hostname that matches the Listener hostname. For + example, `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. \n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. \n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified (or empty string), this refers to the local namespace + of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "port" + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches) and processing it (filters). + properties: + backendRefs: + type: array + items: + type: object + properties: + name: + type: string + port: + type: integer + namespace: + type: string + default: "default" + filters: + description: "Filters defined at this level should be + executed if and only if the request is being forwarded + to the backend defined here. \n Support: Implementation-specific + (For broader support of filters, use the Filters field + in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps + that must be completed during the request or response + lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway + implementations. Some examples include request or + response modification, implementing authentication + strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type + of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for + a filter that responds to the request with an + HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be + used in the value of the `Location` header + in the response. When empty, the hostname + in the `Host` header of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in + the value of the `Location` header in the + response. \n If no port is specified, the + redirect port MUST be derived using the following + rules: \n * If redirect scheme is not-empty, + the redirect port MUST be the well-known port + associated with the redirect scheme. Specifically + \"http\" to port 80 and \"https\" to port + 443. If the redirect scheme does not have + a well-known port, the listener port of the + Gateway SHOULD be used. * If redirect scheme + is empty, the redirect port MUST be the Gateway + Listener port. \n Implementations SHOULD NOT + add the port number in the 'Location' header + in the following cases: \n * A Location header + that will use HTTP (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 80. * A Location header that + will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used + in the value of the `Location` header in the + response. When empty, the scheme of the request + is used. \n Scheme redirects can affect the + port of the redirect, for more information, + refer to the documentation for the port field + of this filter. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. + \n Unknown values here must result in the + implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status + code to be used in response. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result + in the implementation setting the Accepted + Condition for the Route to `status: False`, + with a Reason of `UnsupportedValue`. \n Support: + Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n + Support: Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter + to apply. As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + must support core filters. \n - Extended: Filter + types and their corresponding configuration defined + by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged + to support extended filters. \n - Implementation-specific: + Filters that are defined and supported by specific + vendors. In the future, filters showing convergence + in behavior across multiple implementations will + be considered for inclusion in extended or core + conformance levels. Filter-specific configuration + for such filters is specified using the ExtensionRef + field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged + to define custom implementation types to extend + the core API with implementation-specific behavior. + \n If a reference to a custom filter type cannot + be resolved, the filter MUST NOT be skipped. Instead, + requests that would have been processed by that + filter MUST receive a HTTP error response. \n + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result in + the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or custom conformance. + \n All filters are expected to be compatible with each other + except for the URLRewrite and RequestRedirect filters, which + may not be combined. If an implementation can not support + other combinations of filters, they must clearly document + that limitation. In all cases where incompatible or unsupported + filters are specified, implementations MUST add a warning + condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: add: - name: \"my-header\" value: + \"bar\" \n Output: GET /foo HTTP/1.1 my-header: + foo my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + \ my-header2: bar my-header3: baz \n Config: + \ remove: [\"my-header1\", \"my-header3\"] \n Output: + \ GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + \ set: - name: \"my-header\" value: \"bar\" + \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. When empty, + port (if specified) of the request is used. \n Support: + Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\". + All implementations must support core filters. \n\n " + enum: + - RequestHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - + name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" + ``` \n For a request to match against this rule, a request + must satisfy EITHER of the two conditions: \n - path prefixed + with `/foo` AND contains the header `version: v2` - path prefix + of `/v2/foo` \n See the documentation for HTTPRouteMatch on + how to specify multiple match conditions that should be ANDed + together. \n If no matches are specified, the default is a + prefix path match on \"/\", which has the effect of matching + every HTTP request. \n Proxy or Load Balancer routing configuration + generated from HTTPRoutes MUST prioritize rules based on the + following criteria, continuing on ties. Precedence must be + given to the the Rule with the largest number of: \n * Characters + in a matching non-wildcard hostname. * Characters in a matching + hostname. * Characters in a matching path. * Header matches. + * Query param matches. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". \n If ties + still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria. \n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: path: value: \"/foo\" headers: - name: + \"version\" value \"v1\" ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. \n Support: Core (Exact) + \n Support: Custom (RegularExpression) \n Since + RegularExpression HeaderMatchType has custom conformance, + implementations can support POSIX, PCRE or any + other dialects of regular expressions. Please + read the implementation's documentation to determine + the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Custom (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. + items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Custom (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has custom conformance, implementations can support + POSIX, PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified (or empty string), this refers to the + local namespace of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. + It can be interpreted differently based on the type of + parent resource. \n When the parent resource is a Gateway, + this targets all listeners listening on the specified + port that also support this kind of Route(and select this + Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to + a specific port as opposed to a listener(s) whose port(s) + may be changed. When both Port and SectionName are specified, + the name and port of the selected listener must match + both specified values. \n Implementations MAY choose to + support other parent resources. Implementations supporting + other types of parent resources MUST clearly document + how/if Port is interpreted. \n For the purpose of status, + an attachment is considered successful as long as the + parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them + by Route kind, namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from the referencing Route, + the Route MUST be considered successfully attached. If + no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta1 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute to process the + request. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may + be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n If a hostname is specified + by both the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + \ that have either not specified any hostnames or have specified + at least one hostname that matches the Listener hostname. For + example, `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. \n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. \n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified (or empty string), this refers to the local namespace + of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "port" + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches) and processing it (filters). + properties: + backendRefs: + type: array + items: + type: object + properties: + name: + type: string + port: + type: integer + namespace: + type: string + default: "default" + filters: + description: "Filters defined at this level should be + executed if and only if the request is being forwarded + to the backend defined here. \n Support: Implementation-specific + (For broader support of filters, use the Filters field + in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps + that must be completed during the request or response + lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway + implementations. Some examples include request or + response modification, implementing authentication + strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type + of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for + a filter that responds to the request with an + HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be + used in the value of the `Location` header + in the response. When empty, the hostname + in the `Host` header of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in + the value of the `Location` header in the + response. \n If no port is specified, the + redirect port MUST be derived using the following + rules: \n * If redirect scheme is not-empty, + the redirect port MUST be the well-known port + associated with the redirect scheme. Specifically + \"http\" to port 80 and \"https\" to port + 443. If the redirect scheme does not have + a well-known port, the listener port of the + Gateway SHOULD be used. * If redirect scheme + is empty, the redirect port MUST be the Gateway + Listener port. \n Implementations SHOULD NOT + add the port number in the 'Location' header + in the following cases: \n * A Location header + that will use HTTP (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 80. * A Location header that + will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used + in the value of the `Location` header in the + response. When empty, the scheme of the request + is used. \n Scheme redirects can affect the + port of the redirect, for more information, + refer to the documentation for the port field + of this filter. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. + \n Unknown values here must result in the + implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status + code to be used in response. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result + in the implementation setting the Accepted + Condition for the Route to `status: False`, + with a Reason of `UnsupportedValue`. \n Support: + Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n + Support: Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter + to apply. As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + must support core filters. \n - Extended: Filter + types and their corresponding configuration defined + by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged + to support extended filters. \n - Implementation-specific: + Filters that are defined and supported by specific + vendors. In the future, filters showing convergence + in behavior across multiple implementations will + be considered for inclusion in extended or core + conformance levels. Filter-specific configuration + for such filters is specified using the ExtensionRef + field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged + to define custom implementation types to extend + the core API with implementation-specific behavior. + \n If a reference to a custom filter type cannot + be resolved, the filter MUST NOT be skipped. Instead, + requests that would have been processed by that + filter MUST receive a HTTP error response. \n + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result in + the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or custom conformance. + \n All filters are expected to be compatible with each other + except for the URLRewrite and RequestRedirect filters, which + may not be combined. If an implementation can not support + other combinations of filters, they must clearly document + that limitation. In all cases where incompatible or unsupported + filters are specified, implementations MUST add a warning + condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: add: - name: \"my-header\" value: + \"bar\" \n Output: GET /foo HTTP/1.1 my-header: + foo my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + \ my-header2: bar my-header3: baz \n Config: + \ remove: [\"my-header1\", \"my-header3\"] \n Output: + \ GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + \ set: - name: \"my-header\" value: \"bar\" + \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. When empty, + port (if specified) of the request is used. \n Support: + Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\"." + enum: + - RequestHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - + name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" + ``` \n For a request to match against this rule, a request + must satisfy EITHER of the two conditions: \n - path prefixed + with `/foo` AND contains the header `version: v2` - path prefix + of `/v2/foo` \n See the documentation for HTTPRouteMatch on + how to specify multiple match conditions that should be ANDed + together. \n If no matches are specified, the default is a + prefix path match on \"/\", which has the effect of matching + every HTTP request. \n Proxy or Load Balancer routing configuration + generated from HTTPRoutes MUST prioritize rules based on the + following criteria, continuing on ties. Precedence must be + given to the the Rule with the largest number of: \n * Characters + in a matching non-wildcard hostname. * Characters in a matching + hostname. * Characters in a matching path. * Header matches. + * Query param matches. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". \n If ties + still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria. \n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: path: value: \"/foo\" headers: - name: + \"version\" value \"v1\" ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. \n Support: Core (Exact) + \n Support: Custom (RegularExpression) \n Since + RegularExpression HeaderMatchType has custom conformance, + implementations can support POSIX, PCRE or any + other dialects of regular expressions. Please + read the implementation's documentation to determine + the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Custom (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. + items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Custom (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has custom conformance, implementations can support + POSIX, PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified (or empty string), this refers to the + local namespace of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. + It can be interpreted differently based on the type of + parent resource. \n When the parent resource is a Gateway, + this targets all listeners listening on the specified + port that also support this kind of Route(and select this + Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to + a specific port as opposed to a listener(s) whose port(s) + may be changed. When both Port and SectionName are specified, + the name and port of the selected listener must match + both specified values. \n Implementations MAY choose to + support other parent resources. Implementations supporting + other types of parent resources MUST clearly document + how/if Port is interpreted. \n For the purpose of status, + an attachment is considered successful as long as the + parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them + by Route kind, namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from the referencing Route, + the Route MUST be considered successfully attached. If + no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta2 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute to process the + request. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may + be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n If a hostname is specified + by both the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + \ that have either not specified any hostnames or have specified + at least one hostname that matches the Listener hostname. For + example, `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. \n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. \n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified (or empty string), this refers to the local namespace + of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port specifies the destination + port number to use for this resource. + Port is required when the referent is + a Kubernetes Service. In this case, the + port number is the service port number, + not the target port. For other resources, + destination port might be derived from + the referent resource or this field. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches) and processing it (filters). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If *all* entries in BackendRefs are invalid, and there + are also no filters specified in this route rule, *all* traffic + which matches this rule MUST receive a 500 status code. \n + See the HTTPBackendRef definition for the rules about what + makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined. + \n Support: Core for Kubernetes Service \n Support: Implementation-specific + for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should + forward an HTTP request. + properties: + group: + default: "" + description: Group is the group of the referent. For example, + "gateway.networking.k8s.io". When unspecified or empty + string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". Defaults to "Service" when + not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. + When unspecified, the local namespace is inferred. \n + Note that when a namespace is specified, a ReferenceGrant + object is required in the referent namespace to allow + that namespace's owner to accept the reference. See + the ReferenceGrant documentation for details. \n Support: + Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number + to use for this resource. Port is required when the + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support for this field varies based + on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + filters: + description: "Filters defined at this level should be + executed if and only if the request is being forwarded + to the backend defined here. \n Support: Implementation-specific + (For broader support of filters, use the Filters field + in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps + that must be completed during the request or response + lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway + implementations. Some examples include request or + response modification, implementing authentication + strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type + of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for + a filter that responds to the request with an + HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be + used in the value of the `Location` header + in the response. When empty, the hostname + in the `Host` header of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in + the value of the `Location` header in the + response. \n If no port is specified, the + redirect port MUST be derived using the following + rules: \n * If redirect scheme is not-empty, + the redirect port MUST be the well-known port + associated with the redirect scheme. Specifically + \"http\" to port 80 and \"https\" to port + 443. If the redirect scheme does not have + a well-known port, the listener port of the + Gateway SHOULD be used. * If redirect scheme + is empty, the redirect port MUST be the Gateway + Listener port. \n Implementations SHOULD NOT + add the port number in the 'Location' header + in the following cases: \n * A Location header + that will use HTTP (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 80. * A Location header that + will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used + in the value of the `Location` header in the + response. When empty, the scheme of the request + is used. \n Scheme redirects can affect the + port of the redirect, for more information, + refer to the documentation for the port field + of this filter. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. + \n Unknown values here must result in the + implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status + code to be used in response. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result + in the implementation setting the Accepted + Condition for the Route to `status: False`, + with a Reason of `UnsupportedValue`. \n Support: + Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n + Support: Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter + to apply. As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + must support core filters. \n - Extended: Filter + types and their corresponding configuration defined + by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged + to support extended filters. \n - Implementation-specific: + Filters that are defined and supported by specific + vendors. In the future, filters showing convergence + in behavior across multiple implementations will + be considered for inclusion in extended or core + conformance levels. Filter-specific configuration + for such filters is specified using the ExtensionRef + field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged + to define custom implementation types to extend + the core API with implementation-specific behavior. + \n If a reference to a custom filter type cannot + be resolved, the filter MUST NOT be skipped. Instead, + requests that would have been processed by that + filter MUST receive a HTTP error response. \n + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result in + the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or custom conformance. + \n All filters are expected to be compatible with each other + except for the URLRewrite and RequestRedirect filters, which + may not be combined. If an implementation can not support + other combinations of filters, they must clearly document + that limitation. In all cases where incompatible or unsupported + filters are specified, implementations MUST add a warning + condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: add: - name: \"my-header\" value: + \"bar\" \n Output: GET /foo HTTP/1.1 my-header: + foo my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + \ my-header2: bar my-header3: baz \n Config: + \ remove: [\"my-header1\", \"my-header3\"] \n Output: + \ GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + \ set: - name: \"my-header\" value: \"bar\" + \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. When empty, + port (if specified) of the request is used. \n Support: + Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\"." + enum: + - RequestHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - + name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" + ``` \n For a request to match against this rule, a request + must satisfy EITHER of the two conditions: \n - path prefixed + with `/foo` AND contains the header `version: v2` - path prefix + of `/v2/foo` \n See the documentation for HTTPRouteMatch on + how to specify multiple match conditions that should be ANDed + together. \n If no matches are specified, the default is a + prefix path match on \"/\", which has the effect of matching + every HTTP request. \n Proxy or Load Balancer routing configuration + generated from HTTPRoutes MUST prioritize rules based on the + following criteria, continuing on ties. Precedence must be + given to the the Rule with the largest number of: \n * Characters + in a matching non-wildcard hostname. * Characters in a matching + hostname. * Characters in a matching path. * Header matches. + * Query param matches. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". \n If ties + still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria. \n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: path: value: \"/foo\" headers: - name: + \"version\" value \"v1\" ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. \n Support: Core (Exact) + \n Support: Custom (RegularExpression) \n Since + RegularExpression HeaderMatchType has custom conformance, + implementations can support POSIX, PCRE or any + other dialects of regular expressions. Please + read the implementation's documentation to determine + the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Custom (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. + items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Custom (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has custom conformance, implementations can support + POSIX, PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified (or empty string), this refers to the + local namespace of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. + It can be interpreted differently based on the type of + parent resource. \n When the parent resource is a Gateway, + this targets all listeners listening on the specified + port that also support this kind of Route(and select this + Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to + a specific port as opposed to a listener(s) whose port(s) + may be changed. When both Port and SectionName are specified, + the name and port of the selected listener must match + both specified values. \n Implementations MAY choose to + support other parent resources. Implementations supporting + other types of parent resources MUST clearly document + how/if Port is interpreted. \n For the purpose of status, + an attachment is considered successful as long as the + parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them + by Route kind, namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from the referencing Route, + the Route MUST be considered successfully attached. If + no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: false + subresources: + status: {} + - additionalPrinterColumns: + - jsonPath: .spec.hostnames + name: Hostnames + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1beta3 + schema: + openAPIV3Schema: + description: HTTPRoute provides a way to route HTTP requests. This includes + the capability to match requests by hostname, path, header, or query param. + Filters can be used to specify additional processing steps. Backends specify + where matching requests should be routed. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec defines the desired state of HTTPRoute. + properties: + hostnames: + description: "Hostnames defines a set of hostname that should match + against the HTTP Host header to select a HTTPRoute to process the + request. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname may + be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n If a hostname is specified + by both the Listener and HTTPRoute, there must be at least one intersecting + hostname for the HTTPRoute to be attached to the Listener. For example: + \n * A Listener with `test.example.com` as the hostname matches + HTTPRoutes that have either not specified any hostnames, or have + specified at least one of `test.example.com` or `*.example.com`. + * A Listener with `*.example.com` as the hostname matches HTTPRoutes + \ that have either not specified any hostnames or have specified + at least one hostname that matches the Listener hostname. For + example, `*.example.com`, `test.example.com`, and `foo.test.example.com` + would all match. On the other hand, `example.com` and `test.example.net` + would not match. \n Hostnames that are prefixed with a wildcard + label (`*.`) are interpreted as a suffix match. That means that + a match for `*.example.com` would match both `test.example.com`, + and `foo.test.example.com`, but not `example.com`. \n If both the + Listener and HTTPRoute have specified hostnames, any HTTPRoute hostnames + that do not match the Listener hostname MUST be ignored. For example, + if a Listener specified `*.example.com`, and the HTTPRoute specified + `test.example.com` and `test.example.net`, `test.example.net` must + not be considered for a match. \n If both the Listener and HTTPRoute + have specified hostnames, and none match with the criteria above, + then the HTTPRoute is not accepted. The implementation must raise + an 'Accepted' Condition with a status of `False` in the corresponding + RouteParentStatus. \n Support: Core" + items: + description: "Hostname is the fully qualified domain name of a network + host. This matches the RFC 1123 definition of a hostname with + 2 notable exceptions: \n 1. IPs are not allowed. 2. A hostname + may be prefixed with a wildcard label (`*.`). The wildcard label + must appear by itself as the first label. \n Hostname can be \"precise\" + which is a domain name without the terminating dot of a network + host (e.g. \"foo.example.com\") or \"wildcard\", which is a domain + name prefixed with a single wildcard label (e.g. `*.example.com`). + \n Note that as per RFC1035 and RFC1123, a *label* must consist + of lower case alphanumeric characters or '-', and must start and + end with an alphanumeric character. No other punctuation is allowed." + maxLength: 253 + minLength: 1 + pattern: ^(\*\.)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + maxItems: 16 + type: array + parentRefs: + description: "ParentRefs references the resources (usually Gateways) + that a Route wants to be attached to. Note that the referenced parent + resource needs to allow this for the attachment to be complete. + For Gateways, that means the Gateway needs to allow attachment from + Routes of this kind and namespace. \n The only kind of parent resource + with \"Core\" support is Gateway. This API may be extended in the + future to support additional kinds of parent resources such as one + of the route kinds. \n It is invalid to reference an identical parent + more than once. It is valid to reference multiple distinct sections + within the same parent resource, such as 2 Listeners within a Gateway. + \n It is possible to separately reference multiple distinct objects + that may be collapsed by an implementation. For example, some implementations + may choose to merge compatible Gateway Listeners together. If that + is the case, the list of routes attached to those resources should + also be merged." + items: + description: "ParentReference identifies an API object (usually + a Gateway) that can be considered a parent of this resource (usually + a route). The only kind of parent resource with \"Core\" support + is Gateway. This API may be extended in the future to support + additional kinds of parent resources, such as HTTPRoute. \n The + API object must be valid in the cluster; the Group and Kind must + be registered in the cluster for this reference to be valid." + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: Core + (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. When + unspecified (or empty string), this refers to the local namespace + of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port specifies the destination + port number to use for this resource. + Port is required when the referent is + a Kubernetes Service. In this case, the + port number is the service port number, + not the target port. For other resources, + destination port might be derived from + the referent resource or this field. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within the + target resource. In the following resources, SectionName is + interpreted as the following: \n * Gateway: Listener Name. + When both Port (experimental) and SectionName are specified, + the name and port of the selected listener must match both + specified values. \n Implementations MAY choose to support + attaching Routes to other resources. If that is the case, + they MUST clearly document how SectionName is interpreted. + \n When unspecified (empty string), this will reference the + entire resource. For the purpose of status, an attachment + is considered successful if at least one section in the parent + resource accepts it. For example, Gateway listeners can restrict + which Routes can attach to them by Route kind, namespace, + or hostname. If 1 of 2 Gateway listeners accept attachment + from the referencing Route, the Route MUST be considered successfully + attached. If no Gateway listeners accept attachment from this + Route, the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + maxItems: 32 + type: array + rules: + default: + - matches: + - path: + type: PathPrefix + value: / + description: Rules are a list of HTTP matchers, filters and actions. + items: + description: HTTPRouteRule defines semantics for matching an HTTP + request based on conditions (matches) and processing it (filters). + properties: + backendRefs: + description: "BackendRefs defines the backend(s) where matching + requests should be sent. \n Failure behavior here depends + on how many BackendRefs are specified and how many are invalid. + \n If *all* entries in BackendRefs are invalid, and there + are also no filters specified in this route rule, *all* traffic + which matches this rule MUST receive a 500 status code. \n + See the HTTPBackendRef definition for the rules about what + makes a single HTTPBackendRef invalid. \n When a HTTPBackendRef + is invalid, 500 status codes MUST be returned for requests + that would have otherwise been routed to an invalid backend. + If multiple backends are specified, and some are invalid, + the proportion of requests that would otherwise have been + routed to an invalid backend MUST receive a 500 status code. + \n For example, if two backends are specified with equal weights, + and one is invalid, 50 percent of traffic must receive a 500. + Implementations may choose how that 50 percent is determined. + \n Support: Core for Kubernetes Service \n Support: Implementation-specific + for any other resource \n Support for weight: Core" + items: + description: HTTPBackendRef defines how a HTTPRoute should + forward an HTTP request. + properties: + group: + default: "" + description: Group is the group of the referent. For example, + "gateway.networking.k8s.io". When unspecified or empty + string, core API group is inferred. + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Service + description: Kind is kind of the referent. For example + "HTTPRoute" or "Service". Defaults to "Service" when + not specified. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: Name is the name of the referent. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the backend. + When unspecified, the local namespace is inferred. \n + Note that when a namespace is specified, a ReferenceGrant + object is required in the referent namespace to allow + that namespace's owner to accept the reference. See + the ReferenceGrant documentation for details. \n Support: + Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: Port specifies the destination port number + to use for this resource. Port is required when the + referent is a Kubernetes Service. In this case, the + port number is the service port number, not the target + port. For other resources, destination port might be + derived from the referent resource or this field. + format: int32 + maximum: 65535 + minimum: 1 + type: integer + weight: + default: 1 + description: "Weight specifies the proportion of requests + forwarded to the referenced backend. This is computed + as weight/(sum of all weights in this BackendRefs list). + For non-zero values, there may be some epsilon from + the exact proportion defined here depending on the precision + an implementation supports. Weight is not a percentage + and the sum of weights does not need to equal 100. \n + If only one backend is specified and it has a weight + greater than 0, 100% of the traffic is forwarded to + that backend. If weight is set to 0, no traffic should + be forwarded for this entry. If unspecified, weight + defaults to 1. \n Support for this field varies based + on the context where used." + format: int32 + maximum: 1000000 + minimum: 0 + type: integer + filters: + description: "Filters defined at this level should be + executed if and only if the request is being forwarded + to the backend defined here. \n Support: Implementation-specific + (For broader support of filters, use the Filters field + in HTTPRouteRule.)" + items: + description: HTTPRouteFilter defines processing steps + that must be completed during the request or response + lifecycle. HTTPRouteFilters are meant as an extension + point to express processing that may be done in Gateway + implementations. Some examples include request or + response modification, implementing authentication + strategies, rate-limiting, and traffic shaping. API + guarantee/conformance is defined based on the type + of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema + for a filter that modifies request headers. \n + Support: Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for + a filter that responds to the request with an + HTTP redirection. \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be + used in the value of the `Location` header + in the response. When empty, the hostname + in the `Host` header of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in + the value of the `Location` header in the + response. \n If no port is specified, the + redirect port MUST be derived using the following + rules: \n * If redirect scheme is not-empty, + the redirect port MUST be the well-known port + associated with the redirect scheme. Specifically + \"http\" to port 80 and \"https\" to port + 443. If the redirect scheme does not have + a well-known port, the listener port of the + Gateway SHOULD be used. * If redirect scheme + is empty, the redirect port MUST be the Gateway + Listener port. \n Implementations SHOULD NOT + add the port number in the 'Location' header + in the following cases: \n * A Location header + that will use HTTP (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 80. * A Location header that + will use HTTPS (whether that is determined + via the Listener protocol or the Scheme field) + _and_ use port 443. \n Support: Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used + in the value of the `Location` header in the + response. When empty, the scheme of the request + is used. \n Scheme redirects can affect the + port of the redirect, for more information, + refer to the documentation for the port field + of this filter. \n Note that values may be + added to this enum, implementations must ensure + that unknown values will not cause a crash. + \n Unknown values here must result in the + implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`. \n Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status + code to be used in response. \n Note that + values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result + in the implementation setting the Accepted + Condition for the Route to `status: False`, + with a Reason of `UnsupportedValue`. \n Support: + Core" + enum: + - 301 + - 302 + type: integer + type: object + responseHeaderModifier: + description: "ResponseHeaderModifier defines a schema + for a filter that modifies response headers. \n + Support: Extended" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It + appends to any existing values associated + with the header name. \n Input: GET /foo HTTP/1.1 + my-header: foo \n Config: add: - name: \"my-header\" + value: \"bar,baz\" \n Output: GET /foo HTTP/1.1 + my-header: foo,bar,baz" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from + the HTTP request before the action. The value + of Remove is a list of HTTP header names. + Note that the header names are case-insensitive + (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + my-header2: bar my-header3: baz \n Config: + remove: [\"my-header1\", \"my-header3\"] \n + Output: GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with + the given header (name, value) before the + action. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: set: - name: \"my-header\" + value: \"bar\" \n Output: GET /foo HTTP/1.1 + my-header: bar" + items: + description: HTTPHeader represents an HTTP + Header name and value as defined by RFC + 7230. + properties: + name: + description: "Name is the name of the + HTTP Header to be matched. Name matching + MUST be case insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an + equivalent name MUST be considered for + a match. Subsequent entries with an + equivalent header name MUST be ignored. + Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP + Header to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + type: + description: "Type identifies the type of filter + to apply. As with other API fields, types are + classified into three conformance levels: \n - + Core: Filter types and their corresponding configuration + defined by \"Support: Core\" in this package, + e.g. \"RequestHeaderModifier\". All implementations + must support core filters. \n - Extended: Filter + types and their corresponding configuration defined + by \"Support: Extended\" in this package, e.g. + \"RequestMirror\". Implementers are encouraged + to support extended filters. \n - Implementation-specific: + Filters that are defined and supported by specific + vendors. In the future, filters showing convergence + in behavior across multiple implementations will + be considered for inclusion in extended or core + conformance levels. Filter-specific configuration + for such filters is specified using the ExtensionRef + field. `Type` should be set to \"ExtensionRef\" + for custom filters. \n Implementers are encouraged + to define custom implementation types to extend + the core API with implementation-specific behavior. + \n If a reference to a custom filter type cannot + be resolved, the filter MUST NOT be skipped. Instead, + requests that would have been processed by that + filter MUST receive a HTTP error response. \n + Note that values may be added to this enum, implementations + must ensure that unknown values will not cause + a crash. \n Unknown values here must result in + the implementation setting the Accepted Condition + for the Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - RequestHeaderModifier + - ResponseHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + required: + - name + type: object + maxItems: 16 + type: array + filters: + description: "Filters define the filters that are applied to + requests that match this rule. \n The effects of ordering + of multiple behaviors are currently unspecified. This can + change in the future based on feedback during the alpha stage. + \n Conformance-levels at this level are defined based on the + type of filter: \n - ALL core filters MUST be supported by + all implementations. - Implementers are encouraged to support + extended filters. - Implementation-specific custom filters + have no API guarantees across implementations. \n Specifying + a core filter multiple times has unspecified or custom conformance. + \n All filters are expected to be compatible with each other + except for the URLRewrite and RequestRedirect filters, which + may not be combined. If an implementation can not support + other combinations of filters, they must clearly document + that limitation. In all cases where incompatible or unsupported + filters are specified, implementations MUST add a warning + condition to status. \n Support: Core" + items: + description: HTTPRouteFilter defines processing steps that + must be completed during the request or response lifecycle. + HTTPRouteFilters are meant as an extension point to express + processing that may be done in Gateway implementations. + Some examples include request or response modification, + implementing authentication strategies, rate-limiting, and + traffic shaping. API guarantee/conformance is defined based + on the type of the filter. + properties: + requestHeaderModifier: + description: "RequestHeaderModifier defines a schema for + a filter that modifies request headers. \n Support: + Core" + properties: + add: + description: "Add adds the given header(s) (name, + value) to the request before the action. It appends + to any existing values associated with the header + name. \n Input: GET /foo HTTP/1.1 my-header: + foo \n Config: add: - name: \"my-header\" value: + \"bar\" \n Output: GET /foo HTTP/1.1 my-header: + foo my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + remove: + description: "Remove the given header(s) from the + HTTP request before the action. The value of Remove + is a list of HTTP header names. Note that the header + names are case-insensitive (see https://datatracker.ietf.org/doc/html/rfc2616#section-4.2). + \n Input: GET /foo HTTP/1.1 my-header1: foo + \ my-header2: bar my-header3: baz \n Config: + \ remove: [\"my-header1\", \"my-header3\"] \n Output: + \ GET /foo HTTP/1.1 my-header2: bar" + items: + type: string + maxItems: 16 + type: array + set: + description: "Set overwrites the request with the + given header (name, value) before the action. \n + Input: GET /foo HTTP/1.1 my-header: foo \n Config: + \ set: - name: \"my-header\" value: \"bar\" + \n Output: GET /foo HTTP/1.1 my-header: bar" + items: + description: HTTPHeader represents an HTTP Header + name and value as defined by RFC 7230. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case + insensitive. (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent + header names, the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST + be ignored. Due to the case-insensitivity + of header names, \"foo\" and \"Foo\" are considered + equivalent." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + value: + description: Value is the value of HTTP Header + to be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + requestRedirect: + description: "RequestRedirect defines a schema for a filter + that responds to the request with an HTTP redirection. + \n Support: Core" + properties: + hostname: + description: "Hostname is the hostname to be used + in the value of the `Location` header in the response. + When empty, the hostname of the request is used. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + path: + description: "Path defines parameters used to + modify the path of the incoming request. The + modified path is then used to construct the + `Location` header. When empty, the request + path is used as-is. \n Support: Extended" + properties: + replaceFullPath: + description: ReplaceFullPath specifies the + value with which to replace the full path + of a request during a rewrite or redirect. + maxLength: 1024 + type: string + replacePrefixMatch: + description: "ReplacePrefixMatch specifies + the value with which to replace the prefix + match of a request during a rewrite or + redirect. For example, a request to \"/foo/bar\" + with a prefix match of \"/foo\" and a + ReplacePrefixMatch of \"/xyz\" would be + modified to \"/xyz/bar\". \n Note that + this matches the behavior of the PathPrefix + match type. This matches full path elements. + A path element refers to the list of labels + in the path split by the `/` separator. + When specified, a trailing `/` is ignored. + For example, the paths `/abc`, `/abc/`, + and `/abc/def` would all match the prefix + `/abc`, but the path `/abcd` would not. + \n Request Path | Prefix Match | Replace + Prefix | Modified Path -------------|--------------|----------------|---------- + /foo/bar | /foo | /xyz | + /xyz/bar /foo/bar | /foo | + /xyz/ | /xyz/bar /foo/bar | + /foo/ | /xyz | /xyz/bar + /foo/bar | /foo/ | /xyz/ | + /xyz/bar /foo | /foo | + /xyz | /xyz /foo/ | /foo + \ | /xyz | /xyz/ /foo/bar + \ | /foo | | + /bar /foo/ | /foo | | / /foo | /foo | + | / /foo/ | /foo + \ | / | / /foo | + /foo | / | /" + maxLength: 1024 + type: string + type: + description: "Type defines the type of path + modifier. Additional types may be added + in a future release of the API. \n Note + that values may be added to this enum, + implementations must ensure that unknown + values will not cause a crash. \n Unknown + values here must result in the implementation + setting the Accepted Condition for the + Route to `status: False`, with a Reason + of `UnsupportedValue`." + enum: + - ReplaceFullPath + - ReplacePrefixMatch + type: string + required: + - type + type: object + port: + description: "Port is the port to be used in the value + of the `Location` header in the response. When empty, + port (if specified) of the request is used. \n Support: + Extended" + format: int32 + maximum: 65535 + minimum: 1 + type: integer + scheme: + description: "Scheme is the scheme to be used in the + value of the `Location` header in the response. + When empty, the scheme of the request is used. \n + Support: Extended" + enum: + - http + - https + type: string + statusCode: + default: 302 + description: "StatusCode is the HTTP status code to + be used in response. \n Support: Core" + enum: + - 301 + - 302 + type: integer + type: object + type: + description: "Type identifies the type of filter to apply. + As with other API fields, types are classified into + three conformance levels: \n - Core: Filter types and + their corresponding configuration defined by \"Support: + Core\" in this package, e.g. \"RequestHeaderModifier\"." + enum: + - RequestHeaderModifier + - RequestRedirect + type: string + required: + - type + type: object + maxItems: 16 + type: array + matches: + default: + - path: + type: PathPrefix + value: / + description: "Matches define conditions used for matching the + rule against incoming HTTP requests. Each match is independent, + i.e. this rule will be matched if **any** one of the matches + is satisfied. \n For example, take the following matches configuration: + \n ``` matches: - path: value: \"/foo\" headers: - + name: \"version\" value: \"v2\" - path: value: \"/v2/foo\" + ``` \n For a request to match against this rule, a request + must satisfy EITHER of the two conditions: \n - path prefixed + with `/foo` AND contains the header `version: v2` - path prefix + of `/v2/foo` \n See the documentation for HTTPRouteMatch on + how to specify multiple match conditions that should be ANDed + together. \n If no matches are specified, the default is a + prefix path match on \"/\", which has the effect of matching + every HTTP request. \n Proxy or Load Balancer routing configuration + generated from HTTPRoutes MUST prioritize rules based on the + following criteria, continuing on ties. Precedence must be + given to the the Rule with the largest number of: \n * Characters + in a matching non-wildcard hostname. * Characters in a matching + hostname. * Characters in a matching path. * Header matches. + * Query param matches. \n If ties still exist across multiple + Routes, matching precedence MUST be determined in order of + the following criteria, continuing on ties: \n * The oldest + Route based on creation timestamp. * The Route appearing first + in alphabetical order by \"{namespace}/{name}\". \n If ties + still exist within the Route that has been given precedence, + matching precedence MUST be granted to the first matching + rule meeting the above criteria. \n When no rules matching + a request have been successfully attached to the parent a + request is coming from, a HTTP 404 status code MUST be returned." + items: + description: "HTTPRouteMatch defines the predicate used to + match requests to a given action. Multiple match types are + ANDed together, i.e. the match will evaluate to true only + if all conditions are satisfied. \n For example, the match + below will match a HTTP request only if its path starts + with `/foo` AND it contains the `version: v1` header: \n + ``` match: path: value: \"/foo\" headers: - name: + \"version\" value \"v1\" ```" + properties: + headers: + description: Headers specifies HTTP request header matchers. + Multiple match values are ANDed together, meaning, a + request must match all the specified headers to select + the route. + items: + description: HTTPHeaderMatch describes how to select + a HTTP route by matching HTTP request headers. + properties: + name: + description: "Name is the name of the HTTP Header + to be matched. Name matching MUST be case insensitive. + (See https://tools.ietf.org/html/rfc7230#section-3.2). + \n If multiple entries specify equivalent header + names, only the first entry with an equivalent + name MUST be considered for a match. Subsequent + entries with an equivalent header name MUST be + ignored. Due to the case-insensitivity of header + names, \"foo\" and \"Foo\" are considered equivalent. + \n When a header is repeated in an HTTP request, + it is implementation-specific behavior as to how + this is represented. Generally, proxies should + follow the guidance from the RFC: https://www.rfc-editor.org/rfc/rfc7230.html#section-3.2.2 + regarding processing a repeated header, with special + handling for \"Set-Cookie\"." + maxLength: 256 + minLength: 1 + pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the header. \n Support: Core (Exact) + \n Support: Custom (RegularExpression) \n Since + RegularExpression HeaderMatchType has custom conformance, + implementations can support POSIX, PCRE or any + other dialects of regular expressions. Please + read the implementation's documentation to determine + the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP Header to + be matched. + maxLength: 4096 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + method: + description: "Method specifies HTTP method matcher. When + specified, this route will be matched only if the request + has the specified method. \n Support: Extended" + enum: + - GET + - HEAD + - POST + - PUT + - DELETE + - CONNECT + - OPTIONS + - TRACE + - PATCH + type: string + path: + default: + type: PathPrefix + value: / + description: Path specifies a HTTP request path matcher. + If this field is not specified, a default prefix match + on the "/" path is provided. + properties: + type: + default: PathPrefix + description: "Type specifies how to match against + the path Value. \n Support: Core (Exact, PathPrefix) + \n Support: Custom (RegularExpression)" + enum: + - Exact + - PathPrefix + - RegularExpression + type: string + value: + default: / + description: Value of the HTTP path to match against. + maxLength: 1024 + type: string + type: object + queryParams: + description: QueryParams specifies HTTP query parameter + matchers. Multiple match values are ANDed together, + meaning, a request must match all the specified query + parameters to select the route. + items: + description: HTTPQueryParamMatch describes how to select + a HTTP route by matching HTTP query parameters. + properties: + name: + description: Name is the name of the HTTP query + param to be matched. This must be an exact string + match. (See https://tools.ietf.org/html/rfc7230#section-2.7.3). + maxLength: 256 + minLength: 1 + type: string + type: + default: Exact + description: "Type specifies how to match against + the value of the query parameter. \n Support: + Extended (Exact) \n Support: Custom (RegularExpression) + \n Since RegularExpression QueryParamMatchType + has custom conformance, implementations can support + POSIX, PCRE or any other dialects of regular expressions. + Please read the implementation's documentation + to determine the supported dialect." + enum: + - Exact + - RegularExpression + type: string + value: + description: Value is the value of HTTP query param + to be matched. + maxLength: 1024 + minLength: 1 + type: string + required: + - name + - value + type: object + maxItems: 16 + type: array + x-kubernetes-list-map-keys: + - name + x-kubernetes-list-type: map + type: object + maxItems: 8 + type: array + timeouts: + description: "Timeouts defines the timeouts that can be configured + for an HTTP request. \n Support: Core \n " + properties: + backendRequest: + description: "BackendRequest specifies a timeout for an + individual request from the gateway to a backend service. + Typically used in conjunction with automatic retries, + if supported by an implementation. Default is the value + of Request timeout. \n Support: Extended" + format: duration + type: string + request: + description: "Request specifies a timeout for responding + to client HTTP requests, disabled by default. \n For example, + the following rule will timeout if a client request is + taking longer than 10 seconds to complete: \n ``` rules: + - timeouts: request: 10s backendRefs: ... ``` \n Support: + Core" + format: duration + type: string + type: object + type: object + maxItems: 16 + type: array + type: object + status: + description: Status defines the current state of HTTPRoute. + properties: + parents: + description: "Parents is a list of parent resources (usually Gateways) + that are associated with the route, and the status of the route + with respect to each parent. When this route attaches to a parent, + the controller that manages the parent must add an entry to this + list when the controller first sees the route and should update + the entry as appropriate when the route or gateway is modified. + \n Note that parent references that cannot be resolved by an implementation + of this API will not be added to this list. Implementations of this + API can only populate Route status for the Gateways/parent resources + they are responsible for. \n A maximum of 32 Gateways will be represented + in this list. An empty list means the route has not been attached + to any Gateway." + items: + description: RouteParentStatus describes the status of a route with + respect to an associated Parent. + properties: + conditions: + description: "Conditions describes the status of the route with + respect to the Gateway. Note that the route's availability + is also subject to the Gateway's own status conditions and + listener status. \n If the Route's ParentRef specifies an + existing Gateway that supports Routes of this kind AND that + Gateway's controller has sufficient access, then that Gateway's + controller MUST set the \"Accepted\" condition on the Route, + to indicate whether the route has been accepted or rejected + by the Gateway, and why. \n A Route MUST be considered \"Accepted\" + if at least one of the Route's rules is implemented by the + Gateway. \n There are a number of cases where the \"Accepted\" + condition may not be set due to lack of controller visibility, + that includes when: \n * The Route refers to a non-existent + parent. * The Route is of a type that the controller does + not support. * The Route is in a namespace the the controller + does not have access to." + items: + description: "Condition contains details for one aspect of + the current state of this API Resource. --- This struct + is intended for direct use as an array at the field path + .status.conditions. For example, type FooStatus struct{ + \ // Represents the observations of a foo's current state. + \ // Known .status.conditions.type are: \"Available\", + \"Progressing\", and \"Degraded\" // +patchMergeKey=type + \ // +patchStrategy=merge // +listType=map // + +listMapKey=type Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"` + \n // other fields }" + properties: + lastTransitionTime: + description: lastTransitionTime is the last time the condition + transitioned from one status to another. This should + be when the underlying condition changed. If that is + not known, then using the time when the API field changed + is acceptable. + format: date-time + type: string + message: + description: message is a human readable message indicating + details about the transition. This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: observedGeneration represents the .metadata.generation + that the condition was set based upon. For instance, + if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration + is 9, the condition is out of date with respect to the + current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last transition. + Producers of specific condition types may define expected + values and meanings for this field, and whether the + values are considered a guaranteed API. The value should + be a CamelCase string. This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, + Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + --- Many .condition.type values are consistent across + resources like Available, but because arbitrary conditions + can be useful (see .node.status.conditions), the ability + to deconflict is important. The regex it matches is + (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + maxItems: 8 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + controllerName: + description: "ControllerName is a domain/path string that indicates + the name of the controller that wrote this status. This corresponds + with the controllerName field on GatewayClass. \n Example: + \"example.net/gateway-controller\". \n The format of this + field is DOMAIN \"/\" PATH, where DOMAIN and PATH are valid + Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). + \n Controllers MUST populate this field when writing status. + Controllers should ensure that entries to status populated + with their ControllerName are cleaned up when they are no + longer necessary." + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ + type: string + parentRef: + description: ParentRef corresponds with a ParentRef in the spec + that this RouteParentStatus struct describes the status of. + properties: + group: + default: policy.linkerd.io + description: "Group is the group of the referent. \n Support: + Core" + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + default: Gateway + description: "Kind is kind of the referent. \n Support: + Core (Gateway) Support: Custom (Other Resources)" + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: "Name is the name of the referent. \n Support: + Core" + maxLength: 253 + minLength: 1 + type: string + namespace: + description: "Namespace is the namespace of the referent. + When unspecified (or empty string), this refers to the + local namespace of the Route. \n Support: Core" + maxLength: 63 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ + type: string + port: + description: "Port is the network port this Route targets. + It can be interpreted differently based on the type of + parent resource. \n When the parent resource is a Gateway, + this targets all listeners listening on the specified + port that also support this kind of Route(and select this + Route). It's not recommended to set `Port` unless the + networking behaviors specified in a Route must apply to + a specific port as opposed to a listener(s) whose port(s) + may be changed. When both Port and SectionName are specified, + the name and port of the selected listener must match + both specified values. \n Implementations MAY choose to + support other parent resources. Implementations supporting + other types of parent resources MUST clearly document + how/if Port is interpreted. \n For the purpose of status, + an attachment is considered successful as long as the + parent resource accepts it partially. For example, Gateway + listeners can restrict which Routes can attach to them + by Route kind, namespace, or hostname. If 1 of 2 Gateway + listeners accept attachment from the referencing Route, + the Route MUST be considered successfully attached. If + no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Extended \n " + format: int32 + maximum: 65535 + minimum: 1 + type: integer + sectionName: + description: "SectionName is the name of a section within + the target resource. In the following resources, SectionName + is interpreted as the following: \n * Gateway: Listener + Name. When both Port (experimental) and SectionName are + specified, the name and port of the selected listener + must match both specified values. \n Implementations MAY + choose to support attaching Routes to other resources. + If that is the case, they MUST clearly document how SectionName + is interpreted. \n When unspecified (empty string), this + will reference the entire resource. For the purpose of + status, an attachment is considered successful if at least + one section in the parent resource accepts it. For example, + Gateway listeners can restrict which Routes can attach + to them by Route kind, namespace, or hostname. If 1 of + 2 Gateway listeners accept attachment from the referencing + Route, the Route MUST be considered successfully attached. + If no Gateway listeners accept attachment from this Route, + the Route MUST be considered detached from the Gateway. + \n Support: Core" + maxLength: 253 + minLength: 1 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + required: + - name + type: object + required: + - controllerName + - parentRef + type: object + maxItems: 32 + type: array + required: + - parents + type: object + required: + - spec + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] diff --git a/charts/linkerd/linkerd-crds/2024.8.3/templates/policy/meshtls-authentication.yaml b/charts/linkerd/linkerd-crds/2024.8.3/templates/policy/meshtls-authentication.yaml new file mode 100644 index 000000000..58ee815f5 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/templates/policy/meshtls-authentication.yaml @@ -0,0 +1,87 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: meshtlsauthentications.policy.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: policy.linkerd.io + scope: Namespaced + names: + kind: MeshTLSAuthentication + plural: meshtlsauthentications + singular: meshtlsauthentication + shortNames: [meshtlsauthn] + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + description: >- + MeshTLSAuthentication defines a list of authenticated client IDs + to be referenced by an `AuthorizationPolicy`. If a client + connection has the mutually-authenticated identity that matches + ANY of the of the provided identities, the connection is + considered authenticated. + type: object + oneOf: + - required: [identities] + - required: [identityRefs] + properties: + identities: + description: >- + Authorizes clients with the provided proxy identity strings + (as provided via MTLS) + + The `*` prefix can be used to match all identities in + a domain. An identity string of `*` indicates that + all authentication clients are authorized. + type: array + minItems: 1 + items: + type: string + identityRefs: + type: array + minItems: 1 + items: + type: object + required: + - kind + properties: + group: + description: >- + Group is the group of the referent. When empty, the + Kubernetes core API group is inferred." + maxLength: 253 + pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + kind: + description: >- + Kind is the kind of the referent. + maxLength: 63 + minLength: 1 + pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ + type: string + name: + description: >- + Name is the name of the referent. When unspecified, + this refers to all resources of the specified Group + and Kind in the specified namespace. + maxLength: 253 + minLength: 1 + type: string + namespace: + description: >- + Name is the name of the referent. When unspecified, + this authentication refers to the local namespace. + maxLength: 253 + type: string diff --git a/charts/linkerd/linkerd-crds/2024.8.3/templates/policy/network-authentication.yaml b/charts/linkerd/linkerd-crds/2024.8.3/templates/policy/network-authentication.yaml new file mode 100644 index 000000000..cef15d3c4 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/templates/policy/network-authentication.yaml @@ -0,0 +1,53 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networkauthentications.policy.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: policy.linkerd.io + scope: Namespaced + names: + kind: NetworkAuthentication + plural: networkauthentications + singular: networkauthentication + shortNames: [netauthn, networkauthn] + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + description: >- + NetworkAuthentication defines a list of authenticated client + networks to be referenced by an `AuthorizationPolicy`. If a + client connection originates from ANY of the of the provided + networks, the connection is considered authenticated. + type: object + required: [networks] + properties: + networks: + type: array + items: + type: object + required: [cidr] + properties: + cidr: + description: >- + The CIDR of the network to be authorized. + type: string + except: + description: >- + A list of IP networks/addresses not to be included in + the above `cidr`. + type: array + items: + type: string diff --git a/charts/linkerd/linkerd-crds/2024.8.3/templates/policy/server-authorization.yaml b/charts/linkerd/linkerd-crds/2024.8.3/templates/policy/server-authorization.yaml new file mode 100644 index 000000000..33fb65900 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/templates/policy/server-authorization.yaml @@ -0,0 +1,266 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: serverauthorizations.policy.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: policy.linkerd.io + scope: Namespaced + names: + kind: ServerAuthorization + plural: serverauthorizations + singular: serverauthorization + shortNames: [saz, serverauthz, srvauthz] + versions: + - name: v1alpha1 + served: true + storage: false + deprecated: true + deprecationWarning: "policy.linkerd.io/v1alpha1 ServerAuthorization is deprecated; use policy.linkerd.io/v1beta1 ServerAuthorization" + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + description: >- + Authorizes clients to communicate with Linkerd-proxied servers. + type: object + required: [server, client] + properties: + server: + description: >- + Identifies servers in the same namespace for which this + authorization applies. + + Only one of `name` or `selector` may be specified. + type: object + oneOf: + - required: [name] + - required: [selector] + properties: + name: + description: References a `Server` instance by name + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + selector: + description: >- + A label query over servers on which this authorization applies. + type: object + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + client: + description: Describes clients authorized to access a server. + type: object + properties: + networks: + description: >- + Limits the client IP addresses to which this + authorization applies. If unset, the server chooses a + default (typically, all IPs or the cluster's pod + network). + type: array + items: + type: object + required: [cidr] + properties: + cidr: + type: string + except: + type: array + items: + type: string + unauthenticated: + description: >- + Authorizes unauthenticated clients to access a server. + type: boolean + meshTLS: + type: object + properties: + unauthenticatedTLS: + type: boolean + description: >- + Indicates that no client identity is required for + communication. + + This is mostly important for the identity + controller, which must terminate TLS connections + from clients that do not yet have a certificate. + identities: + description: >- + Authorizes clients with the provided proxy identity + strings (as provided via MTLS) + + The `*` prefix can be used to match all identities in + a domain. An identity string of `*` indicates that + all authentication clients are authorized. + type: array + items: + type: string + pattern: '^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$' + serviceAccounts: + description: >- + Authorizes clients with the provided proxy identity + service accounts (as provided via MTLS) + type: array + items: + type: object + required: [name] + properties: + name: + description: The ServiceAccount's name. + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + namespace: + description: >- + The ServiceAccount's namespace. If unset, the + authorization's namespace is used. + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + - name: v1beta1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + description: >- + Authorizes clients to communicate with Linkerd-proxied servers. + type: object + required: [server, client] + properties: + server: + description: >- + Identifies servers in the same namespace for which this + authorization applies. + + Only one of `name` or `selector` may be specified. + type: object + oneOf: + - required: [name] + - required: [selector] + properties: + name: + description: References a `Server` instance by name + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + selector: + description: >- + A label query over servers on which this authorization applies. + type: object + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + client: + description: Describes clients authorized to access a server. + type: object + properties: + networks: + description: >- + Limits the client IP addresses to which this + authorization applies. If unset, the server chooses a + default (typically, all IPs or the cluster's pod + network). + type: array + items: + type: object + required: [cidr] + properties: + cidr: + type: string + except: + type: array + items: + type: string + unauthenticated: + description: >- + Authorizes unauthenticated clients to access a server. + type: boolean + meshTLS: + type: object + properties: + unauthenticatedTLS: + type: boolean + description: >- + Indicates that no client identity is required for + communication. + + This is mostly important for the identity + controller, which must terminate TLS connections + from clients that do not yet have a certificate. + identities: + description: >- + Authorizes clients with the provided proxy identity + strings (as provided via MTLS) + + The `*` prefix can be used to match all identities in + a domain. An identity string of `*` indicates that + all authentication clients are authorized. + type: array + items: + type: string + pattern: '^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$' + serviceAccounts: + description: >- + Authorizes clients with the provided proxy identity + service accounts (as provided via MTLS) + type: array + items: + type: object + required: [name] + properties: + name: + description: The ServiceAccount's name. + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + namespace: + description: >- + The ServiceAccount's namespace. If unset, the + authorization's namespace is used. + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$' + additionalPrinterColumns: + - name: Server + type: string + description: The server that this grants access to + jsonPath: .spec.server.name diff --git a/charts/linkerd/linkerd-crds/2024.8.3/templates/policy/server.yaml b/charts/linkerd/linkerd-crds/2024.8.3/templates/policy/server.yaml new file mode 100644 index 000000000..0af41224a --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/templates/policy/server.yaml @@ -0,0 +1,319 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: servers.policy.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: policy.linkerd.io + names: + kind: Server + plural: servers + singular: server + shortNames: [srv] + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: false + deprecated: true + deprecationWarning: "policy.linkerd.io/v1alpha1 Server is deprecated; use policy.linkerd.io/v1beta1 Server" + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + type: object + required: + - podSelector + - port + properties: + podSelector: + type: object + description: >- + Selects pods in the same namespace. + oneOf: + - required: [matchExpressions] + - required: [matchLabels] + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + port: + description: >- + A port name or number. Must exist in a pod spec. + x-kubernetes-int-or-string: true + proxyProtocol: + description: >- + Configures protocol discovery for inbound connections. + + Supersedes the `config.linkerd.io/opaque-ports` annotation. + type: string + default: unknown + - name: v1beta1 + served: true + storage: false + deprecated: true + deprecationWarning: "policy.linkerd.io/v1alpha1 Server is deprecated; use policy.linkerd.io/v1beta3 Server" + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + type: object + required: + - podSelector + - port + properties: + podSelector: + type: object + description: >- + Selects pods in the same namespace. + + The result of matchLabels and matchExpressions are ANDed. + Selects all if empty. + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + port: + description: >- + A port name or number. Must exist in a pod spec. + x-kubernetes-int-or-string: true + proxyProtocol: + description: >- + Configures protocol discovery for inbound connections. + + Supersedes the `config.linkerd.io/opaque-ports` annotation. + type: string + default: unknown + additionalPrinterColumns: + - name: Port + type: string + description: The port the server is listening on + jsonPath: .spec.port + - name: Protocol + type: string + description: The protocol of the server + jsonPath: .spec.proxyProtocol + - name: v1beta2 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + type: object + required: + - port + oneOf: + - required: [podSelector] + - required: [externalWorkloadSelector] + properties: + podSelector: + type: object + description: >- + Selects pods in the same namespace. + + The result of matchLabels and matchExpressions are ANDed. + Selects all if empty. + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + externalWorkloadSelector: + type: object + description: >- + Selects ExternalWorkloads in the same namespace. + + The result of matchLabels and matchExpressions are ANDed. + Selects all if empty. + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + port: + description: >- + A port name or number. Must exist in a pod spec. + x-kubernetes-int-or-string: true + proxyProtocol: + description: >- + Configures protocol discovery for inbound connections. + + Supersedes the `config.linkerd.io/opaque-ports` annotation. + type: string + default: unknown + additionalPrinterColumns: + - name: Port + type: string + description: The port the server is listening on + jsonPath: .spec.port + - name: Protocol + type: string + description: The protocol of the server + jsonPath: .spec.proxyProtocol + - name: v1beta3 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + required: [spec] + properties: + spec: + type: object + required: + - port + oneOf: + - required: [podSelector] + - required: [externalWorkloadSelector] + properties: + accessPolicy: + type: string + default: deny + description: >- + Default access policy to apply when the traffic doesn't match any of the policy rules. + podSelector: + type: object + description: >- + Selects pods in the same namespace. + + The result of matchLabels and matchExpressions are ANDed. + Selects all if empty. + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + externalWorkloadSelector: + type: object + description: >- + Selects ExternalWorkloads in the same namespace. + + The result of matchLabels and matchExpressions are ANDed. + Selects all if empty. + properties: + matchLabels: + type: object + x-kubernetes-preserve-unknown-fields: true + matchExpressions: + type: array + items: + type: object + required: [key, operator] + properties: + key: + type: string + operator: + type: string + enum: [In, NotIn, Exists, DoesNotExist] + values: + type: array + items: + type: string + port: + description: >- + A port name or number. Must exist in a pod spec. + x-kubernetes-int-or-string: true + proxyProtocol: + description: >- + Configures protocol discovery for inbound connections. + + Supersedes the `config.linkerd.io/opaque-ports` annotation. + type: string + default: unknown + additionalPrinterColumns: + - name: Port + type: string + description: The port the server is listening on + jsonPath: .spec.port + - name: Protocol + type: string + description: The protocol of the server + jsonPath: .spec.proxyProtocol + - name: Access Policy + type: string + description: The default access policy applied when the traffic doesn't match any of the policy rules + jsonPath: .spec.accessPolicy diff --git a/charts/linkerd/linkerd-crds/2024.8.3/templates/serviceprofile.yaml b/charts/linkerd/linkerd-crds/2024.8.3/templates/serviceprofile.yaml new file mode 100644 index 000000000..ad12c96a3 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/templates/serviceprofile.yaml @@ -0,0 +1,274 @@ +--- +### +### Service Profile CRD +### +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: serviceprofiles.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: linkerd.io + versions: + - name: v1alpha1 + served: true + storage: false + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + description: Spec is the custom resource spec + required: + - routes + properties: + dstOverrides: + type: array + required: + - authority + - weight + items: + type: object + description: WeightedDst is a weighted alternate destination. + properties: + authority: + type: string + weight: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + opaquePorts: + type: array + items: + type: string + retryBudget: + type: object + required: + - minRetriesPerSecond + - retryRatio + - ttl + description: RetryBudget describes the maximum number of retries that should be issued to this service. + properties: + minRetriesPerSecond: + format: int32 + type: integer + retryRatio: + type: number + format: float + ttl: + type: string + routes: + type: array + items: + type: object + description: RouteSpec specifies a Route resource. + required: + - condition + - name + properties: + condition: + type: object + description: RequestMatch describes the conditions under which to match a Route. + properties: + pathRegex: + type: string + method: + type: string + all: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + any: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + not: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + isRetryable: + type: boolean + name: + type: string + timeout: + type: string + responseClasses: + type: array + items: + type: object + required: + - condition + description: ResponseClass describes how to classify a response (e.g. success or failures). + properties: + condition: + type: object + description: ResponseMatch describes the conditions under + which to classify a response. + properties: + all: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + any: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + not: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + description: Range describes a range of integers (e.g. status codes). + properties: + max: + format: int32 + type: integer + min: + format: int32 + type: integer + isFailure: + type: boolean + - name: v1alpha2 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + properties: + spec: + type: object + description: Spec is the custom resource spec + properties: + dstOverrides: + type: array + required: + - authority + - weight + items: + type: object + description: WeightedDst is a weighted alternate destination. + properties: + authority: + type: string + weight: + x-kubernetes-int-or-string: true + anyOf: + - type: integer + - type: string + pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ + opaquePorts: + type: array + items: + type: string + retryBudget: + type: object + required: + - minRetriesPerSecond + - retryRatio + - ttl + description: RetryBudget describes the maximum number of retries that should be issued to this service. + properties: + minRetriesPerSecond: + format: int32 + type: integer + retryRatio: + type: number + format: float + ttl: + type: string + routes: + type: array + items: + type: object + description: RouteSpec specifies a Route resource. + required: + - condition + - name + properties: + condition: + type: object + description: RequestMatch describes the conditions under which to match a Route. + properties: + pathRegex: + type: string + method: + type: string + all: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + any: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + not: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + isRetryable: + type: boolean + name: + type: string + timeout: + type: string + responseClasses: + type: array + items: + type: object + required: + - condition + description: ResponseClass describes how to classify a response (e.g. success or failures). + properties: + condition: + type: object + description: ResponseMatch describes the conditions under + which to classify a response. + properties: + all: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + any: + type: array + items: + type: object + x-kubernetes-preserve-unknown-fields: true + not: + type: object + x-kubernetes-preserve-unknown-fields: true + status: + type: object + description: Range describes a range of integers (e.g. status codes). + properties: + max: + format: int32 + type: integer + min: + format: int32 + type: integer + isFailure: + type: boolean + scope: Namespaced + preserveUnknownFields: false + names: + plural: serviceprofiles + singular: serviceprofile + kind: ServiceProfile + shortNames: + - sp diff --git a/charts/linkerd/linkerd-crds/2024.8.3/templates/workload/external-workload.yaml b/charts/linkerd/linkerd-crds/2024.8.3/templates/workload/external-workload.yaml new file mode 100644 index 000000000..715e779aa --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/templates/workload/external-workload.yaml @@ -0,0 +1,303 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: externalworkloads.workload.linkerd.io + annotations: + {{ include "partials.annotations.created-by" . }} + labels: + helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }} + linkerd.io/control-plane-ns: {{.Release.Namespace}} +spec: + group: workload.linkerd.io + names: + categories: + - external + kind: ExternalWorkload + listKind: ExternalWorkloadList + plural: externalworkloads + singular: externalworkload + scope: Namespaced + versions: + - name: v1alpha1 + served: true + storage: false + schema: + openAPIV3Schema: + description: >- + An ExternalWorkload describes a single workload (i.e. a deployable unit) external + to the cluster that should be enrolled in the mesh. + type: object + required: [spec] + properties: + apiVerson: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + meshTls: + description: meshTls describes TLS settings associated with an + external workload. + properties: + identity: + type: string + description: identity of the workload. Corresponds to the + identity used in the workload's certificate. It is used + by peers to perform verification in the mTLS handshake. + minLength: 1 + maxLength: 253 + serverName: + type: string + description: serverName is the name of the workload in DNS + format. It is used by the workload to terminate TLS using + SNI. + minLength: 1 + maxLength: 253 + type: object + required: + - identity + - serverName + ports: + type: array + description: ports describes a list of ports exposed by the + workload + items: + properties: + name: + type: string + description: name must be an IANA_SVC_NAME and unique + within the ports set. Each named port can be referred + to by services. + port: + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: protocol exposed by the port. Must be UDP or + TCP. Defaults to TCP. + type: string + default: "TCP" + type: object + required: + - port + workloadIPs: + type: array + description: workloadIPs contains a list of IP addresses that + can be used to send traffic to the workload. + items: + type: object + properties: + ip: + type: string + # TODO: relax this in the future when ipv6 is supported + # an external workload (like a pod) should only + # support 2 interfaces + maxItems: 1 + type: object + required: + - meshTls + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + lastProbeTime: + description: lastProbeTime is the last time the + healthcheck endpoint was probed. + format: date-time + type: string + lastTransitionTime: + description: lastTransitionTime is the last time the + condition transitioned from one status to another. + format: date-time + type: string + status: + description: status of the condition (one of True, False, Unknown) + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of the condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last + transition. Producers of specific condition types may + define expected values and meanings for this field, and + whether the values are considered a guaranteed API. The + value should be a CamelCase string. This field may not + be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + message: + description: message is a human readable message + indicating details about the transition. This may be an + empty string. + maxLength: 32768 + type: string + required: + - status + - type + additionalPrinterColumns: + - jsonPath: .spec.meshTls.identity + name: Identity + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + - name: v1beta1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + description: >- + An ExternalWorkload describes a single workload (i.e. a deployable unit) external + to the cluster that should be enrolled in the mesh. + type: object + required: [spec] + properties: + apiVerson: + type: string + kind: + type: string + metadata: + type: object + spec: + properties: + meshTLS: + description: meshTLS describes TLS settings associated with an + external workload. + properties: + identity: + type: string + description: identity of the workload. Corresponds to the + identity used in the workload's certificate. It is used + by peers to perform verification in the mTLS handshake. + minLength: 1 + maxLength: 253 + serverName: + type: string + description: serverName is the name of the workload in DNS + format. It is used by the workload to terminate TLS using + SNI. + minLength: 1 + maxLength: 253 + type: object + required: + - identity + - serverName + ports: + type: array + description: ports describes a list of ports exposed by the + workload + items: + properties: + name: + type: string + description: name must be an IANA_SVC_NAME and unique + within the ports set. Each named port can be referred + to by services. + port: + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + description: protocol exposed by the port. Must be UDP or + TCP. Defaults to TCP. + type: string + default: "TCP" + type: object + required: + - port + workloadIPs: + type: array + description: workloadIPs contains a list of IP addresses that + can be used to send traffic to the workload. + items: + type: object + properties: + ip: + type: string + # TODO: relax this in the future when ipv6 is supported + # an external workload (like a pod) should only + # support 2 interfaces + maxItems: 1 + type: object + required: + - meshTLS + status: + type: object + properties: + conditions: + type: array + items: + type: object + properties: + lastProbeTime: + description: lastProbeTime is the last time the + healthcheck endpoint was probed. + format: date-time + type: string + lastTransitionTime: + description: lastTransitionTime is the last time the + condition transitioned from one status to another. + format: date-time + type: string + status: + description: status of the condition (one of True, False, Unknown) + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of the condition in CamelCase or in + foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + reason: + description: reason contains a programmatic identifier + indicating the reason for the condition's last + transition. Producers of specific condition types may + define expected values and meanings for this field, and + whether the values are considered a guaranteed API. The + value should be a CamelCase string. This field may not + be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + message: + description: message is a human readable message + indicating details about the transition. This may be an + empty string. + maxLength: 32768 + type: string + required: + - status + - type + additionalPrinterColumns: + - jsonPath: .spec.meshTLS.identity + name: Identity + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date diff --git a/charts/linkerd/linkerd-crds/2024.8.3/values.yaml b/charts/linkerd/linkerd-crds/2024.8.3/values.yaml new file mode 100644 index 000000000..362145168 --- /dev/null +++ b/charts/linkerd/linkerd-crds/2024.8.3/values.yaml @@ -0,0 +1 @@ +enableHttpRoutes: true diff --git a/charts/redpanda/redpanda/5.9.2/.helmignore b/charts/redpanda/redpanda/5.9.2/.helmignore new file mode 100644 index 000000000..d5bb5e6ba --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/.helmignore @@ -0,0 +1,28 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +README.md.gotmpl +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ + +*.go +testdata/ +ci/ diff --git a/charts/redpanda/redpanda/5.9.2/Chart.lock b/charts/redpanda/redpanda/5.9.2/Chart.lock new file mode 100644 index 000000000..7ef309e93 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/Chart.lock @@ -0,0 +1,9 @@ +dependencies: +- name: console + repository: https://charts.redpanda.com + version: 0.7.29 +- name: connectors + repository: https://charts.redpanda.com + version: 0.1.12 +digest: sha256:ed0641d28d6174d865544a5948fdaddb3b766a27473b07b0cca979efc6c3c024 +generated: "2024-08-28T15:46:40.176857+02:00" diff --git a/charts/redpanda/redpanda/5.9.2/Chart.yaml b/charts/redpanda/redpanda/5.9.2/Chart.yaml new file mode 100644 index 000000000..89bae8a05 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/Chart.yaml @@ -0,0 +1,40 @@ +annotations: + artifacthub.io/images: | + - name: redpanda + image: docker.redpanda.com/redpandadata/redpanda:v24.2.3 + - name: busybox + image: busybox:latest + - name: mintel/docker-alpine-bash-curl-jq + image: mintel/docker-alpine-bash-curl-jq:latest + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://docs.redpanda.com + - name: "Helm (>= 3.10.0)" + url: https://helm.sh/docs/intro/install/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Redpanda + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: redpanda +apiVersion: v2 +appVersion: v24.2.3 +dependencies: +- condition: console.enabled + name: console + repository: file://./charts/console + version: '>=0.5 <1.0' +- condition: connectors.enabled + name: connectors + repository: file://./charts/connectors + version: '>=0.1.2 <1.0' +description: Redpanda is the real-time engine for modern apps. +icon: file://assets/icons/redpanda.svg +kubeVersion: '>=1.21-0' +maintainers: +- name: redpanda-data + url: https://github.com/orgs/redpanda-data/people +name: redpanda +sources: +- https://github.com/redpanda-data/helm-charts +type: application +version: 5.9.2 diff --git a/charts/redpanda/redpanda/5.9.2/LICENSE b/charts/redpanda/redpanda/5.9.2/LICENSE new file mode 100644 index 000000000..261eeb9e9 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/redpanda/redpanda/5.9.2/README.md b/charts/redpanda/redpanda/5.9.2/README.md new file mode 100644 index 000000000..a4678a0e0 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/README.md @@ -0,0 +1,1300 @@ +# Redpanda Helm Chart Specification +--- +description: Find the default values and descriptions of settings in the Redpanda Helm chart. +--- + +![Version: 5.9.2](https://img.shields.io/badge/Version-5.9.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v24.2.3](https://img.shields.io/badge/AppVersion-v24.2.3-informational?style=flat-square) + +This page describes the official Redpanda Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/redpanda/values.yaml). Each of the settings is listed and described on this page, along with any default values. + +For instructions on how to install and use the chart, including how to override and customize the chart’s values, refer to the [deployment documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-deploy/). + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) + +## Source Code + +* + +## Requirements + +Kubernetes: `^1.21.0-0` + +| Repository | Name | Version | +|------------|------|---------| +| https://charts.redpanda.com | connectors | >=0.1.2 <1.0 | +| https://charts.redpanda.com | console | >=0.5 <1.0 | + +## Settings + +### [affinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=affinity) + +Affinity constraints for scheduling Pods, can override this for StatefulSets and Jobs. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). + +**Default:** `{}` + +### [auditLogging](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging) + +Audit logging for a redpanda cluster, must have enabled sasl and have one kafka listener supporting sasl authentication for audit logging to work. Note this feature is only available for redpanda versions >= v23.3.0. + +**Default:** + +``` +{"clientMaxBufferSize":16777216,"enabled":false,"enabledEventTypes":null,"excludedPrincipals":null,"excludedTopics":null,"listener":"internal","partitions":12,"queueDrainIntervalMs":500,"queueMaxBufferSizePerShard":1048576,"replicationFactor":null} +``` + +### [auditLogging.clientMaxBufferSize](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.clientMaxBufferSize) + +Defines the number of bytes (in bytes) allocated by the internal audit client for audit messages. + +**Default:** `16777216` + +### [auditLogging.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.enabled) + +Enable or disable audit logging, for production clusters we suggest you enable, however, this will only work if you also enable sasl and a listener with sasl enabled. + +**Default:** `false` + +### [auditLogging.enabledEventTypes](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.enabledEventTypes) + +Event types that should be captured by audit logs, default is [`admin`, `authenticate`, `management`]. + +**Default:** `nil` + +### [auditLogging.excludedPrincipals](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.excludedPrincipals) + +List of principals to exclude from auditing, default is null. + +**Default:** `nil` + +### [auditLogging.excludedTopics](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.excludedTopics) + +List of topics to exclude from auditing, default is null. + +**Default:** `nil` + +### [auditLogging.listener](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.listener) + +Kafka listener name, note that it must have `authenticationMethod` set to `sasl`. For external listeners, use the external listener name, such as `default`. + +**Default:** `"internal"` + +### [auditLogging.partitions](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.partitions) + +Integer value defining the number of partitions used by a newly created audit topic. + +**Default:** `12` + +### [auditLogging.queueDrainIntervalMs](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.queueDrainIntervalMs) + +In ms, frequency in which per shard audit logs are batched to client for write to audit log. + +**Default:** `500` + +### [auditLogging.queueMaxBufferSizePerShard](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.queueMaxBufferSizePerShard) + +Defines the maximum amount of memory used (in bytes) by the audit buffer in each shard. + +**Default:** `1048576` + +### [auditLogging.replicationFactor](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auditLogging.replicationFactor) + +Defines the replication factor for a newly created audit log topic. This configuration applies only to the audit log topic and may be different from the cluster or other topic configurations. This cannot be altered for existing audit log topics. Setting this value is optional. If a value is not provided, Redpanda will use the `internal_topic_replication_factor cluster` config value. Default is `null` + +**Default:** `nil` + +### [auth](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth) + +Authentication settings. For details, see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/). + +**Default:** + +``` +{"sasl":{"enabled":false,"mechanism":"SCRAM-SHA-512","secretRef":"redpanda-users","users":[]}} +``` + +### [auth.sasl.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.enabled) + +Enable SASL authentication. If you enable SASL authentication, you must provide a Secret in `auth.sasl.secretRef`. + +**Default:** `false` + +### [auth.sasl.mechanism](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.mechanism) + +The authentication mechanism to use for the superuser. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`. + +**Default:** `"SCRAM-SHA-512"` + +### [auth.sasl.secretRef](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.secretRef) + +A Secret that contains your superuser credentials. For details, see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/#use-secrets). + +**Default:** `"redpanda-users"` + +### [auth.sasl.users](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=auth.sasl.users) + +Optional list of superusers. These superusers will be created in the Secret whose name is defined in `auth.sasl.secretRef`. If this list is empty, the Secret in `auth.sasl.secretRef` must already exist in the cluster before you deploy the chart. Uncomment the sample list if you wish to try adding sample sasl users or override to use your own. + +**Default:** `[]` + +### [clusterDomain](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=clusterDomain) + +Default Kubernetes cluster domain. + +**Default:** `"cluster.local"` + +### [commonLabels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=commonLabels) + +Additional labels to add to all Kubernetes objects. For example, `my.k8s.service: redpanda`. + +**Default:** `{}` + +### [config](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config) + +This section contains various settings supported by Redpanda that may not work correctly in a Kubernetes cluster. Changing these settings comes with some risk. Use these settings to customize various Redpanda configurations that are not covered in other sections. These values have no impact on the configuration or behavior of the Kubernetes objects deployed by Helm, and therefore should not be modified for the purpose of configuring those objects. Instead, these settings get passed directly to the Redpanda binary at startup. For descriptions of these properties, see the [configuration documentation](https://docs.redpanda.com/docs/cluster-administration/configuration/). + +**Default:** + +``` +{"cluster":{"default_topic_replications":3},"node":{"crash_loop_limit":5},"pandaproxy_client":{},"rpk":{},"schema_registry_client":{},"tunable":{"compacted_log_segment_size":67108864,"group_topic_partitions":16,"kafka_batch_max_bytes":1048576,"kafka_connection_rate_limit":1000,"log_segment_size":134217728,"log_segment_size_max":268435456,"log_segment_size_min":16777216,"max_compacted_log_segment_size":536870912,"topic_partitions_per_shard":1000}} +``` + +### [config.node](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.node) + +Node (broker) properties. See the [property reference documentation](https://docs.redpanda.com/docs/reference/node-properties/). + +**Default:** `{"crash_loop_limit":5}` + +### [config.node.crash_loop_limit](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.node.crash_loop_limit) + +Crash loop limit A limit on the number of consecutive times a broker can crash within one hour before its crash-tracking logic is reset. This limit prevents a broker from getting stuck in an infinite cycle of crashes. User can disable this crash loop limit check by the following action: * One hour elapses since the last crash * The node configuration file, redpanda.yaml, is updated via config.cluster or config.node or config.tunable objects * The startup_log file in the node’s data_directory is manually deleted Default to 5 REF: https://docs.redpanda.com/current/reference/node-properties/#crash_loop_limit + +**Default:** `5` + +### [config.tunable](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable) + +Tunable cluster properties. + +**Default:** + +``` +{"compacted_log_segment_size":67108864,"group_topic_partitions":16,"kafka_batch_max_bytes":1048576,"kafka_connection_rate_limit":1000,"log_segment_size":134217728,"log_segment_size_max":268435456,"log_segment_size_min":16777216,"max_compacted_log_segment_size":536870912,"topic_partitions_per_shard":1000} +``` + +### [config.tunable.compacted_log_segment_size](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.compacted_log_segment_size) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#compacted_log_segment_size). + +**Default:** `67108864` + +### [config.tunable.group_topic_partitions](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.group_topic_partitions) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#group_topic_partitions). + +**Default:** `16` + +### [config.tunable.kafka_batch_max_bytes](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.kafka_batch_max_bytes) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#kafka_batch_max_bytes). + +**Default:** `1048576` + +### [config.tunable.kafka_connection_rate_limit](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.kafka_connection_rate_limit) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#kafka_connection_rate_limit). + +**Default:** `1000` + +### [config.tunable.log_segment_size](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.log_segment_size) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#log_segment_size). + +**Default:** `134217728` + +### [config.tunable.log_segment_size_max](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.log_segment_size_max) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#log_segment_size_max). + +**Default:** `268435456` + +### [config.tunable.log_segment_size_min](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.log_segment_size_min) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#log_segment_size_min). + +**Default:** `16777216` + +### [config.tunable.max_compacted_log_segment_size](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.max_compacted_log_segment_size) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#max_compacted_log_segment_size). + +**Default:** `536870912` + +### [config.tunable.topic_partitions_per_shard](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=config.tunable.topic_partitions_per_shard) + +See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#topic_partitions_per_shard). + +**Default:** `1000` + +### [connectors](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=connectors) + +Redpanda Managed Connectors settings For a reference of configuration settings, see the [Redpanda Connectors documentation](https://docs.redpanda.com/docs/deploy/deployment-option/cloud/managed-connectors/). + +**Default:** + +``` +{"deployment":{"create":false},"enabled":false,"test":{"create":false}} +``` + +### [console](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=console) + +Redpanda Console settings. For a reference of configuration settings, see the [Redpanda Console documentation](https://docs.redpanda.com/docs/reference/console/config/). + +**Default:** + +``` +{"config":{},"configmap":{"create":false},"deployment":{"create":false},"enabled":true,"secret":{"create":false}} +``` + +### [enterprise](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=enterprise) + +Enterprise (optional) For details, see the [License documentation](https://docs.redpanda.com/docs/get-started/licenses/?platform=kubernetes#redpanda-enterprise-edition). + +**Default:** + +``` +{"license":"","licenseSecretRef":{}} +``` + +### [enterprise.license](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=enterprise.license) + +license (optional). + +**Default:** `""` + +### [enterprise.licenseSecretRef](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=enterprise.licenseSecretRef) + +Secret name and key where the license key is stored. + +**Default:** `{}` + +### [external](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external) + +External access settings. For details, see the [Networking and Connectivity documentation](https://docs.redpanda.com/docs/manage/kubernetes/networking/networking-and-connectivity/). + +**Default:** + +``` +{"enabled":true,"service":{"enabled":true},"type":"NodePort"} +``` + +### [external.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external.enabled) + +Enable external access for each Service. You can toggle external access for each listener in `listeners..external..enabled`. + +**Default:** `true` + +### [external.service](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external.service) + +Service allows you to manage the creation of an external kubernetes service object + +**Default:** `{"enabled":true}` + +### [external.service.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external.service.enabled) + +Enabled if set to false will not create the external service type You can still set your cluster with external access but not create the supporting service (NodePort/LoadBalander). Set this to false if you rather manage your own service. + +**Default:** `true` + +### [external.type](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=external.type) + +External access type. Only `NodePort` and `LoadBalancer` are supported. If undefined, then advertised listeners will be configured in Redpanda, but the helm chart will not create a Service. You must create a Service manually. Warning: If you use LoadBalancers, you will likely experience higher latency and increased packet loss. NodePort is recommended in cases where latency is a priority. + +**Default:** `"NodePort"` + +### [fullnameOverride](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=fullnameOverride) + +Override `redpanda.fullname` template. + +**Default:** `""` + +### [image](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image) + +Redpanda Docker image settings. + +**Default:** + +``` +{"pullPolicy":"IfNotPresent","repository":"docker.redpanda.com/redpandadata/redpanda","tag":""} +``` + +### [image.pullPolicy](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image.pullPolicy) + +The imagePullPolicy. If `image.tag` is 'latest', the default is `Always`. + +**Default:** `"IfNotPresent"` + +### [image.repository](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image.repository) + +Docker repository from which to pull the Redpanda Docker image. + +**Default:** + +``` +"docker.redpanda.com/redpandadata/redpanda" +``` + +### [image.tag](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=image.tag) + +The Redpanda version. See DockerHub for: [All stable versions](https://hub.docker.com/r/redpandadata/redpanda/tags) and [all unstable versions](https://hub.docker.com/r/redpandadata/redpanda-unstable/tags). + +**Default:** `Chart.appVersion`. + +### [imagePullSecrets](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=imagePullSecrets) + +Pull secrets may be used to provide credentials to image repositories See the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). + +**Default:** `[]` + +### [license_key](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=license_key) + +DEPRECATED Enterprise license key (optional). For details, see the [License documentation](https://docs.redpanda.com/docs/get-started/licenses/?platform=kubernetes#redpanda-enterprise-edition). + +**Default:** `""` + +### [license_secret_ref](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=license_secret_ref) + +DEPRECATED Secret name and secret key where the license key is stored. + +**Default:** `{}` + +### [listeners](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners) + +Listener settings. Override global settings configured above for individual listeners. For details, see the [listeners documentation](https://docs.redpanda.com/docs/manage/kubernetes/networking/configure-listeners/). + +**Default:** + +``` +{"admin":{"external":{"default":{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}},"port":9644,"tls":{"cert":"default","requireClientAuth":false}},"http":{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30082],"authenticationMethod":null,"port":8083,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8082,"tls":{"cert":"default","requireClientAuth":false}},"kafka":{"authenticationMethod":null,"external":{"default":{"advertisedPorts":[31092],"authenticationMethod":null,"port":9094,"tls":{"cert":"external"}}},"port":9093,"tls":{"cert":"default","requireClientAuth":false}},"rpc":{"port":33145,"tls":{"cert":"default","requireClientAuth":false}},"schemaRegistry":{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30081],"authenticationMethod":null,"port":8084,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8081,"tls":{"cert":"default","requireClientAuth":false}}} +``` + +### [listeners.admin](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin) + +Admin API listener (only one). + +**Default:** + +``` +{"external":{"default":{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}},"port":9644,"tls":{"cert":"default","requireClientAuth":false}} +``` + +### [listeners.admin.external](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.external) + +Optional external access settings. + +**Default:** + +``` +{"default":{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}}} +``` + +### [listeners.admin.external.default](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.external.default) + +Name of the external listener. + +**Default:** + +``` +{"advertisedPorts":[31644],"port":9645,"tls":{"cert":"external"}} +``` + +### [listeners.admin.external.default.tls](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.external.default.tls) + +The port advertised to this listener's external clients. List one port if you want to use the same port for each broker (would be the case when using NodePort service). Otherwise, list the port you want to use for each broker in order of StatefulSet replicas. If undefined, `listeners.admin.port` is used. + +**Default:** `{"cert":"external"}` + +### [listeners.admin.port](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.port) + +The port for both internal and external connections to the Admin API. + +**Default:** `9644` + +### [listeners.admin.tls](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.tls) + +Optional TLS section (required if global TLS is enabled) + +**Default:** + +``` +{"cert":"default","requireClientAuth":false} +``` + +### [listeners.admin.tls.cert](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.tls.cert) + +Name of the Certificate used for TLS (must match a Certificate name that is registered in tls.certs). + +**Default:** `"default"` + +### [listeners.admin.tls.requireClientAuth](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.admin.tls.requireClientAuth) + +If true, the truststore file for this listener is included in the ConfigMap. + +**Default:** `false` + +### [listeners.http](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.http) + +HTTP API listeners (aka PandaProxy). + +**Default:** + +``` +{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30082],"authenticationMethod":null,"port":8083,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8082,"tls":{"cert":"default","requireClientAuth":false}} +``` + +### [listeners.kafka](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka) + +Kafka API listeners. + +**Default:** + +``` +{"authenticationMethod":null,"external":{"default":{"advertisedPorts":[31092],"authenticationMethod":null,"port":9094,"tls":{"cert":"external"}}},"port":9093,"tls":{"cert":"default","requireClientAuth":false}} +``` + +### [listeners.kafka.external.default.advertisedPorts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka.external.default.advertisedPorts) + +If undefined, `listeners.kafka.external.default.port` is used. + +**Default:** `[31092]` + +### [listeners.kafka.external.default.port](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka.external.default.port) + +The port used for external client connections. + +**Default:** `9094` + +### [listeners.kafka.port](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.kafka.port) + +The port for internal client connections. + +**Default:** `9093` + +### [listeners.rpc](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.rpc) + +RPC listener (this is never externally accessible). + +**Default:** + +``` +{"port":33145,"tls":{"cert":"default","requireClientAuth":false}} +``` + +### [listeners.schemaRegistry](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=listeners.schemaRegistry) + +Schema registry listeners. + +**Default:** + +``` +{"authenticationMethod":null,"enabled":true,"external":{"default":{"advertisedPorts":[30081],"authenticationMethod":null,"port":8084,"tls":{"cert":"external","requireClientAuth":false}}},"kafkaEndpoint":"default","port":8081,"tls":{"cert":"default","requireClientAuth":false}} +``` + +### [logging](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=logging) + +Log-level settings. + +**Default:** + +``` +{"logLevel":"info","usageStats":{"enabled":true}} +``` + +### [logging.logLevel](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=logging.logLevel) + +Log level Valid values (from least to most verbose) are: `warn`, `info`, `debug`, and `trace`. + +**Default:** `"info"` + +### [logging.usageStats](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=logging.usageStats) + +Send usage statistics back to Redpanda Data. For details, see the [stats reporting documentation](https://docs.redpanda.com/docs/cluster-administration/monitoring/#stats-reporting). + +**Default:** `{"enabled":true}` + +### [monitoring](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=monitoring) + +Monitoring. This will create a ServiceMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics. + +**Default:** + +``` +{"enabled":false,"labels":{},"scrapeInterval":"30s"} +``` + +### [nameOverride](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=nameOverride) + +Override `redpanda.name` template. + +**Default:** `""` + +### [nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=nodeSelector) + +Node selection constraints for scheduling Pods, can override this for StatefulSets. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). + +**Default:** `{}` + +### [post_install_job.affinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.affinity) + +**Default:** `{}` + +### [post_install_job.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.enabled) + +**Default:** `true` + +### [post_install_job.podTemplate.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.podTemplate.annotations) + +Additional annotations to apply to the Pods of this Job. + +**Default:** `{}` + +### [post_install_job.podTemplate.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.podTemplate.labels) + +Additional labels to apply to the Pods of this Job. + +**Default:** `{}` + +### [post_install_job.podTemplate.spec](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_install_job.podTemplate.spec) + +A subset of Kubernetes' PodSpec type that will be merged into the final PodSpec. See [Merge Semantics](#merging-semantics) for details. + +**Default:** + +``` +{"containers":[{"env":[],"name":"post-install","securityContext":{}}],"securityContext":{}} +``` + +### [post_upgrade_job.affinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_upgrade_job.affinity) + +**Default:** `{}` + +### [post_upgrade_job.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_upgrade_job.enabled) + +**Default:** `true` + +### [post_upgrade_job.podTemplate.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_upgrade_job.podTemplate.annotations) + +Additional annotations to apply to the Pods of this Job. + +**Default:** `{}` + +### [post_upgrade_job.podTemplate.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_upgrade_job.podTemplate.labels) + +Additional labels to apply to the Pods of this Job. + +**Default:** `{}` + +### [post_upgrade_job.podTemplate.spec](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=post_upgrade_job.podTemplate.spec) + +A subset of Kubernetes' PodSpec type that will be merged into the final PodSpec. See [Merge Semantics](#merging-semantics) for details. + +**Default:** + +``` +{"containers":[{"env":[],"name":"post-upgrade","securityContext":{}}],"securityContext":{}} +``` + +### [rackAwareness](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rackAwareness) + +Rack Awareness settings. For details, see the [Rack Awareness documentation](https://docs.redpanda.com/docs/manage/kubernetes/kubernetes-rack-awareness/). + +**Default:** + +``` +{"enabled":false,"nodeAnnotation":"topology.kubernetes.io/zone"} +``` + +### [rackAwareness.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rackAwareness.enabled) + +When running in multiple racks or availability zones, use a Kubernetes Node annotation value as the Redpanda rack value. Enabling this requires running with a service account with "get" Node permissions. To have the Helm chart configure these permissions, set `serviceAccount.create=true` and `rbac.enabled=true`. + +**Default:** `false` + +### [rackAwareness.nodeAnnotation](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rackAwareness.nodeAnnotation) + +The common well-known annotation to use as the rack ID. Override this only if you use a custom Node annotation. + +**Default:** + +``` +"topology.kubernetes.io/zone" +``` + +### [rbac](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac) + +Role Based Access Control. + +**Default:** + +``` +{"annotations":{},"enabled":false} +``` + +### [rbac.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac.annotations) + +Annotations to add to the `rbac` resources. + +**Default:** `{}` + +### [rbac.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=rbac.enabled) + +Enable for features that need extra privileges. If you use the Redpanda Operator, you must deploy it with the `--set rbac.createRPKBundleCRs=true` flag to give it the required ClusterRoles. + +**Default:** `false` + +### [resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources) + +Pod resource management. This section simplifies resource allocation by providing a single location where resources are defined. Helm sets these resource values within the `statefulset.yaml` and `configmap.yaml` templates. The default values are for a development environment. Production-level values and other considerations are documented, where those values are different from the default. For details, see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/). + +**Default:** + +``` +{"cpu":{"cores":1},"memory":{"container":{"max":"2.5Gi"}}} +``` + +### [resources.cpu](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.cpu) + +CPU resources. For details, see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/#configure-cpu-resources). + +**Default:** `{"cores":1}` + +### [resources.cpu.cores](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.cpu.cores) + +Redpanda makes use of a thread per core model. For details, see this [blog](https://redpanda.com/blog/tpc-buffers). For this reason, Redpanda should only be given full cores. Note: You can increase cores, but decreasing cores is not currently supported. See the [GitHub issue](https://github.com/redpanda-data/redpanda/issues/350). This setting is equivalent to `--smp`, `resources.requests.cpu`, and `resources.limits.cpu`. For production, use `4` or greater. To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for CPU resource requests and limits. This policy gives the Pods running Redpanda brokers access to exclusive CPUs on the node. See https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy. + +**Default:** `1` + +### [resources.memory](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.memory) + +Memory resources For details, see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/#configure-memory-resources). + +**Default:** + +``` +{"container":{"max":"2.5Gi"}} +``` + +### [resources.memory.container](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.memory.container) + +Enables memory locking. For production, set to `true`. enable_memory_locking: false It is recommended to have at least 2Gi of memory per core for the Redpanda binary. This memory is taken from the total memory given to each container. The Helm chart allocates 80% of the container's memory to Redpanda, leaving the rest for the Seastar subsystem (reserveMemory) and other container processes. So at least 2.5Gi per core is recommended in order to ensure Redpanda has a full 2Gi. These values affect `--memory` and `--reserve-memory` flags passed to Redpanda and the memory requests/limits in the StatefulSet. Valid suffixes: k, M, G, T, P, Ki, Mi, Gi, Ti, Pi To create `Guaranteed` Pod QoS for Redpanda brokers, provide both container max and min values for the container. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a memory limit and a memory request. * For every container in the Pod, the memory limit must equal the memory request. + +**Default:** `{"max":"2.5Gi"}` + +### [resources.memory.container.max](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=resources.memory.container.max) + +Maximum memory count for each Redpanda broker. Equivalent to `resources.limits.memory`. For production, use `10Gi` or greater. + +**Default:** `"2.5Gi"` + +### [serviceAccount](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount) + +Service account management. + +**Default:** + +``` +{"annotations":{},"create":false,"name":""} +``` + +### [serviceAccount.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.annotations) + +Annotations to add to the service account. + +**Default:** `{}` + +### [serviceAccount.create](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.create) + +Specifies whether a service account should be created. + +**Default:** `false` + +### [serviceAccount.name](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=serviceAccount.name) + +The name of the service account to use. If not set and `serviceAccount.create` is `true`, a name is generated using the `redpanda.fullname` template. + +**Default:** `""` + +### [statefulset.additionalRedpandaCmdFlags](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.additionalRedpandaCmdFlags) + +Additional flags to pass to redpanda, + +**Default:** `[]` + +### [statefulset.additionalSelectorLabels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.additionalSelectorLabels) + +Additional labels to be added to statefulset label selector. For example, `my.k8s.service: redpanda`. + +**Default:** `{}` + +### [statefulset.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.annotations) + +DEPRECATED Please use statefulset.podTemplate.annotations. Annotations are used only for `Statefulset.spec.template.metadata.annotations`. The StatefulSet does not have any dedicated annotation. + +**Default:** `{}` + +### [statefulset.budget.maxUnavailable](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.budget.maxUnavailable) + +**Default:** `1` + +### [statefulset.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.extraVolumes](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.extraVolumes) + +**Default:** `""` + +### [statefulset.initContainerImage.repository](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainerImage.repository) + +**Default:** `"busybox"` + +### [statefulset.initContainerImage.tag](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainerImage.tag) + +**Default:** `"latest"` + +### [statefulset.initContainers.configurator.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.configurator.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.initContainers.configurator.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.configurator.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. + +**Default:** `{}` + +### [statefulset.initContainers.extraInitContainers](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.extraInitContainers) + +**Default:** `""` + +### [statefulset.initContainers.fsValidator.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.enabled) + +**Default:** `false` + +### [statefulset.initContainers.fsValidator.expectedFS](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.expectedFS) + +**Default:** `"xfs"` + +### [statefulset.initContainers.fsValidator.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.initContainers.fsValidator.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.fsValidator.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. + +**Default:** `{}` + +### [statefulset.initContainers.setDataDirOwnership.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setDataDirOwnership.enabled) + +In environments where root is not allowed, you cannot change the ownership of files and directories. Enable `setDataDirOwnership` when using default minikube cluster configuration. + +**Default:** `false` + +### [statefulset.initContainers.setDataDirOwnership.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setDataDirOwnership.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.initContainers.setDataDirOwnership.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setDataDirOwnership.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. + +**Default:** `{}` + +### [statefulset.initContainers.setTieredStorageCacheDirOwnership.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setTieredStorageCacheDirOwnership.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.initContainers.setTieredStorageCacheDirOwnership.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.setTieredStorageCacheDirOwnership.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. + +**Default:** `{}` + +### [statefulset.initContainers.tuning.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.tuning.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.initContainers.tuning.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.initContainers.tuning.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. + +**Default:** `{}` + +### [statefulset.livenessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.livenessProbe.failureThreshold) + +**Default:** `3` + +### [statefulset.livenessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.livenessProbe.initialDelaySeconds) + +**Default:** `10` + +### [statefulset.livenessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.livenessProbe.periodSeconds) + +**Default:** `10` + +### [statefulset.nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.nodeSelector) + +Node selection constraints for scheduling Pods of this StatefulSet. These constraints override the global `nodeSelector` value. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). + +**Default:** `{}` + +### [statefulset.podAffinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAffinity) + +Inter-Pod Affinity rules for scheduling Pods of this StatefulSet. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). + +**Default:** `{}` + +### [statefulset.podAntiAffinity](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity) + +Anti-affinity rules for scheduling Pods of this StatefulSet. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). You may either edit the default settings for anti-affinity rules, or specify new anti-affinity rules to use instead of the defaults. + +**Default:** + +``` +{"custom":{},"topologyKey":"kubernetes.io/hostname","type":"hard","weight":100} +``` + +### [statefulset.podAntiAffinity.custom](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.custom) + +Change `podAntiAffinity.type` to `custom` and provide your own podAntiAffinity rules here. + +**Default:** `{}` + +### [statefulset.podAntiAffinity.topologyKey](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.topologyKey) + +The topologyKey to be used. Can be used to spread across different nodes, AZs, regions etc. + +**Default:** `"kubernetes.io/hostname"` + +### [statefulset.podAntiAffinity.type](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.type) + +Valid anti-affinity types are `soft`, `hard`, or `custom`. Use `custom` if you want to supply your own anti-affinity rules in the `podAntiAffinity.custom` object. + +**Default:** `"hard"` + +### [statefulset.podAntiAffinity.weight](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podAntiAffinity.weight) + +Weight for `soft` anti-affinity rules. Does not apply to other anti-affinity types. + +**Default:** `100` + +### [statefulset.podTemplate.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podTemplate.annotations) + +Additional annotations to apply to the Pods of the StatefulSet. + +**Default:** `{}` + +### [statefulset.podTemplate.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podTemplate.labels) + +Additional labels to apply to the Pods of the StatefulSet. + +**Default:** `{}` + +### [statefulset.podTemplate.spec](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.podTemplate.spec) + +A subset of Kubernetes' PodSpec type that will be merged into the final PodSpec. See [Merge Semantics](#merging-semantics) for details. + +**Default:** + +``` +{"containers":[{"env":[],"name":"redpanda","securityContext":{}}],"securityContext":{}} +``` + +### [statefulset.priorityClassName](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.priorityClassName) + +PriorityClassName given to Pods of this StatefulSet. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). + +**Default:** `""` + +### [statefulset.readinessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.failureThreshold) + +**Default:** `3` + +### [statefulset.readinessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.initialDelaySeconds) + +**Default:** `1` + +### [statefulset.readinessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.periodSeconds) + +**Default:** `10` + +### [statefulset.readinessProbe.successThreshold](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.readinessProbe.successThreshold) + +**Default:** `1` + +### [statefulset.replicas](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.replicas) + +Number of Redpanda brokers (Redpanda Data recommends setting this to the number of worker nodes in the cluster) + +**Default:** `3` + +### [statefulset.securityContext](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.securityContext) + +DEPRECATED: Prefer to use podTemplate.spec.securityContext or podTemplate.spec.containers[0].securityContext. + +**Default:** + +``` +{"fsGroup":101,"fsGroupChangePolicy":"OnRootMismatch","runAsUser":101} +``` + +### [statefulset.sideCars.configWatcher.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.enabled) + +**Default:** `true` + +### [statefulset.sideCars.configWatcher.extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.extraVolumeMounts) + +**Default:** `""` + +### [statefulset.sideCars.configWatcher.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a memory limit and a memory request. * For every container in the Pod, the memory limit must equal the memory request. * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for CPU resource requests and limits. This policy gives the Pods running Redpanda brokers access to exclusive CPUs on the node. For details, see https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy + +**Default:** `{}` + +### [statefulset.sideCars.configWatcher.securityContext](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.configWatcher.securityContext) + +**Default:** `{}` + +### [statefulset.sideCars.controllers.createRBAC](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.createRBAC) + +**Default:** `true` + +### [statefulset.sideCars.controllers.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.enabled) + +**Default:** `false` + +### [statefulset.sideCars.controllers.healthProbeAddress](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.healthProbeAddress) + +**Default:** `":8085"` + +### [statefulset.sideCars.controllers.image.repository](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.image.repository) + +**Default:** + +``` +"docker.redpanda.com/redpandadata/redpanda-operator" +``` + +### [statefulset.sideCars.controllers.image.tag](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.image.tag) + +**Default:** `"v2.1.10-23.2.18"` + +### [statefulset.sideCars.controllers.metricsAddress](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.metricsAddress) + +**Default:** `":9082"` + +### [statefulset.sideCars.controllers.resources](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.resources) + +To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. * Every container in the Pod must have a CPU limit and a CPU request. * For every container in the Pod, the CPU limit must equal the CPU request. To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for CPU resource requests and limits. This policy gives the Pods running Redpanda brokers access to exclusive CPUs on the node. For details, see https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy + +**Default:** `{}` + +### [statefulset.sideCars.controllers.run[0]](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.run[0]) + +**Default:** `"all"` + +### [statefulset.sideCars.controllers.securityContext](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.sideCars.controllers.securityContext) + +**Default:** `{}` + +### [statefulset.startupProbe](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.startupProbe) + +Adjust the period for your probes to meet your needs. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes). + +**Default:** + +``` +{"failureThreshold":120,"initialDelaySeconds":1,"periodSeconds":10} +``` + +### [statefulset.terminationGracePeriodSeconds](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.terminationGracePeriodSeconds) + +Termination grace period in seconds is time required to execute preStop hook which puts particular Redpanda Pod (process/container) into maintenance mode. Before settle down on particular value please put Redpanda under load and perform rolling upgrade or rolling restart. That value needs to accommodate two processes: * preStop hook needs to put Redpanda into maintenance mode * after preStop hook Redpanda needs to handle gracefully SIGTERM signal Both processes are executed sequentially where preStop hook has hard deadline in the middle of terminationGracePeriodSeconds. REF: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination + +**Default:** `90` + +### [statefulset.tolerations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.tolerations) + +Taints to be tolerated by Pods of this StatefulSet. These tolerations override the global tolerations value. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). + +**Default:** `[]` + +### [statefulset.topologySpreadConstraints[0].maxSkew](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.topologySpreadConstraints[0].maxSkew) + +**Default:** `1` + +### [statefulset.topologySpreadConstraints[0].topologyKey](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.topologySpreadConstraints[0].topologyKey) + +**Default:** + +``` +"topology.kubernetes.io/zone" +``` + +### [statefulset.topologySpreadConstraints[0].whenUnsatisfiable](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.topologySpreadConstraints[0].whenUnsatisfiable) + +**Default:** `"ScheduleAnyway"` + +### [statefulset.updateStrategy.type](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=statefulset.updateStrategy.type) + +**Default:** `"RollingUpdate"` + +### [storage](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage) + +Persistence settings. For details, see the [storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/configure-storage/). + +**Default:** + +``` +{"hostPath":"","persistentVolume":{"annotations":{},"enabled":true,"labels":{},"nameOverwrite":"","size":"20Gi","storageClass":""},"tiered":{"config":{"cloud_storage_access_key":"","cloud_storage_api_endpoint":"","cloud_storage_azure_container":null,"cloud_storage_azure_managed_identity_id":null,"cloud_storage_azure_shared_key":null,"cloud_storage_azure_storage_account":null,"cloud_storage_bucket":"","cloud_storage_cache_size":5368709120,"cloud_storage_credentials_source":"config_file","cloud_storage_enable_remote_read":true,"cloud_storage_enable_remote_write":true,"cloud_storage_enabled":false,"cloud_storage_region":"","cloud_storage_secret_key":""},"credentialsSecretRef":{"accessKey":{"configurationKey":"cloud_storage_access_key"},"secretKey":{"configurationKey":"cloud_storage_secret_key"}},"hostPath":"","mountType":"emptyDir","persistentVolume":{"annotations":{},"labels":{},"storageClass":""}}} +``` + +### [storage.hostPath](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.hostPath) + +Absolute path on the host to store Redpanda's data. If unspecified, then an `emptyDir` volume is used. If specified but `persistentVolume.enabled` is true, `storage.hostPath` has no effect. + +**Default:** `""` + +### [storage.persistentVolume](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume) + +If `persistentVolume.enabled` is true, a PersistentVolumeClaim is created and used to store Redpanda's data. Otherwise, `storage.hostPath` is used. + +**Default:** + +``` +{"annotations":{},"enabled":true,"labels":{},"nameOverwrite":"","size":"20Gi","storageClass":""} +``` + +### [storage.persistentVolume.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.annotations) + +Additional annotations to apply to the created PersistentVolumeClaims. + +**Default:** `{}` + +### [storage.persistentVolume.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.labels) + +Additional labels to apply to the created PersistentVolumeClaims. + +**Default:** `{}` + +### [storage.persistentVolume.nameOverwrite](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.nameOverwrite) + +Option to change volume claim template name for tiered storage persistent volume if tiered.mountType is set to `persistentVolume` + +**Default:** `""` + +### [storage.persistentVolume.storageClass](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.persistentVolume.storageClass) + +To disable dynamic provisioning, set to `-`. If undefined or empty (default), then no storageClassName spec is set, and the default dynamic provisioner is chosen (gp2 on AWS, standard on GKE, AWS & OpenStack). + +**Default:** `""` + +### [storage.tiered.config](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config) + +Tiered Storage settings Requires `enterprise.licenseKey` or `enterprised.licenseSecretRef` For details, see the [Tiered Storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/tiered-storage/). + +**Default:** + +``` +{"cloud_storage_access_key":"","cloud_storage_api_endpoint":"","cloud_storage_azure_container":null,"cloud_storage_azure_managed_identity_id":null,"cloud_storage_azure_shared_key":null,"cloud_storage_azure_storage_account":null,"cloud_storage_bucket":"","cloud_storage_cache_size":5368709120,"cloud_storage_credentials_source":"config_file","cloud_storage_enable_remote_read":true,"cloud_storage_enable_remote_write":true,"cloud_storage_enabled":false,"cloud_storage_region":"","cloud_storage_secret_key":""} +``` + +### [storage.tiered.config.cloud_storage_access_key](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_access_key) + +AWS or GCP access key (required for AWS and GCP authentication with access keys). See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_access_key). + +**Default:** `""` + +### [storage.tiered.config.cloud_storage_api_endpoint](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_api_endpoint) + +AWS or GCP API endpoint. * For AWS, this can be left blank as it is generated automatically using the bucket and region. For example, `.s3..amazonaws.com`. * For GCP, use `storage.googleapis.com` See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_api_endpoint). + +**Default:** `""` + +### [storage.tiered.config.cloud_storage_azure_container](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_azure_container) + +Name of the Azure container to use with Tiered Storage (required for ABS/ADLS). Note that the container must belong to the account specified by `cloud_storage_azure_storage_account`. See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_azure_container). + +**Default:** `nil` + +### [storage.tiered.config.cloud_storage_azure_shared_key](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_azure_shared_key) + +Shared key to be used for Azure Shared Key authentication with the Azure storage account specified by `cloud_storage_azure_storage_account`. Note that the key should be base64 encoded. See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_azure_shared_key). + +**Default:** `nil` + +### [storage.tiered.config.cloud_storage_azure_storage_account](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_azure_storage_account) + +Name of the Azure storage account to use with Tiered Storage (required for ABS/ADLS). See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_azure_storage_account). + +**Default:** `nil` + +### [storage.tiered.config.cloud_storage_bucket](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_bucket) + +AWS or GCP bucket name used for Tiered Storage (required for AWS and GCP). See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_bucket). + +**Default:** `""` + +### [storage.tiered.config.cloud_storage_cache_size](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_cache_size) + +Maximum size of the disk cache used by Tiered Storage. Default is 20 GiB. See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_cache_size). + +**Default:** `5368709120` + +### [storage.tiered.config.cloud_storage_credentials_source](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_credentials_source) + +Source of credentials used to connect to cloud services (required for AWS and GCP authentication with IAM roles). * `config_file` * `aws_instance_metadata` * `sts` * `gcp_instance_metadata` * `azure_aks_oidc_federation` * `azure_vm_instance_metadata` See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_credentials_source). + +**Default:** `"config_file"` + +### [storage.tiered.config.cloud_storage_enable_remote_read](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_enable_remote_read) + +Cluster level default remote read configuration for new topics. See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#cloud_storage_enable_remote_read). + +**Default:** `true` + +### [storage.tiered.config.cloud_storage_enable_remote_write](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_enable_remote_write) + +Cluster level default remote write configuration for new topics. See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#cloud_storage_enable_remote_write). + +**Default:** `true` + +### [storage.tiered.config.cloud_storage_enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_enabled) + +Global flag that enables Tiered Storage if a license key is provided. See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_enabled). + +**Default:** `false` + +### [storage.tiered.config.cloud_storage_region](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_region) + +AWS or GCP region for where the bucket used for Tiered Storage is located (required for AWS and GCP). See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_region). + +**Default:** `""` + +### [storage.tiered.config.cloud_storage_secret_key](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.config.cloud_storage_secret_key) + +AWS or GCP secret key (required for AWS and GCP authentication with access keys). See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_secret_key). + +**Default:** `""` + +### [storage.tiered.hostPath](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.hostPath) + +Absolute path on the host to store Redpanda's Tiered Storage cache. + +**Default:** `""` + +### [storage.tiered.persistentVolume.annotations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.persistentVolume.annotations) + +Additional annotations to apply to the created PersistentVolumeClaims. + +**Default:** `{}` + +### [storage.tiered.persistentVolume.labels](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.persistentVolume.labels) + +Additional labels to apply to the created PersistentVolumeClaims. + +**Default:** `{}` + +### [storage.tiered.persistentVolume.storageClass](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=storage.tiered.persistentVolume.storageClass) + +To disable dynamic provisioning, set to "-". If undefined or empty (default), then no storageClassName spec is set, and the default dynamic provisioner is chosen (gp2 on AWS, standard on GKE, AWS & OpenStack). + +**Default:** `""` + +### [tests.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tests.enabled) + +**Default:** `true` + +### [tls](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls) + +TLS settings. For details, see the [TLS documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/kubernetes-tls/). + +**Default:** + +``` +{"certs":{"default":{"caEnabled":true},"external":{"caEnabled":true}},"enabled":true} +``` + +### [tls.certs](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs) + +List all Certificates here, then you can reference a specific Certificate's name in each listener's `listeners..tls.cert` setting. + +**Default:** + +``` +{"default":{"caEnabled":true},"external":{"caEnabled":true}} +``` + +### [tls.certs.default](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.default) + +This key is the Certificate name. To apply the Certificate to a specific listener, reference the Certificate's name in `listeners..tls.cert`. + +**Default:** `{"caEnabled":true}` + +### [tls.certs.default.caEnabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.default.caEnabled) + +Set the `caEnabled` flag to `true` only for Certificates that are not authenticated using public authorities. + +**Default:** `true` + +### [tls.certs.external](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.external) + +Example external tls configuration uncomment and set the right key to the listeners that require them also enable the tls setting for those listeners. + +**Default:** `{"caEnabled":true}` + +### [tls.certs.external.caEnabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.certs.external.caEnabled) + +Set the `caEnabled` flag to `true` only for Certificates that are not authenticated using public authorities. + +**Default:** `true` + +### [tls.enabled](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tls.enabled) + +Enable TLS globally for all listeners. Each listener must include a Certificate name in its `.tls` object. To allow you to enable TLS for individual listeners, Certificates in `auth.tls.certs` are always loaded, even if `tls.enabled` is `false`. See `listeners..tls.enabled`. + +**Default:** `true` + +### [tolerations](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tolerations) + +Taints to be tolerated by Pods, can override this for StatefulSets. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). + +**Default:** `[]` + +### [tuning](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tuning) + +Redpanda tuning settings. Each is set to their default values in Redpanda. + +**Default:** `{"tune_aio_events":true}` + +### [tuning.tune_aio_events](https://artifacthub.io/packages/helm/redpanda-data/redpanda?modal=values&path=tuning.tune_aio_events) + +Increase the maximum number of outstanding asynchronous IO operations if the current value is below a certain threshold. This allows Redpanda to make as many simultaneous IO requests as possible, increasing throughput. When this option is enabled, Helm creates a privileged container. If your security profile does not allow this, you can disable this container by setting `tune_aio_events` to `false`. For more details, see the [tuning documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-tune-workers/). + +**Default:** `true` + +## Merging Semantics + +The redpanda chart implements a form of object merging that's roughly a +middleground of [JSON Merge Patch][k8s.jsonmp] and [Kubernetes' Strategic Merge +Patch][k8s.smp]. This is done to aid end users in setting or overriding fields +that are not directly exposed via the chart. + +- Directives are not supported. +- List fields that are merged by a unique key in Kubernetes' SMP (e.g. + `containers`, `env`) will be merged in a similar awy. +- Only fields explicitly allowed by the chart's JSON schema will be merged. +- Additional containers that are not present in the original value will NOT be added. + +[k8s.smp]: https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/#use-a-strategic-merge-patch-to-update-a-deployment +[k8s.jsonmp]: https://kubernetes.io/docs/tasks/manage-kubernetes-objects/update-api-object-kubectl-patch/#use-a-json-merge-patch-to-update-a-deployment diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/.helmignore b/charts/redpanda/redpanda/5.9.2/charts/connectors/.helmignore new file mode 100644 index 000000000..04ecd888b --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/.helmignore @@ -0,0 +1,24 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +README.md.gotmpl +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/Chart.yaml b/charts/redpanda/redpanda/5.9.2/charts/connectors/Chart.yaml new file mode 100644 index 000000000..100b252b9 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/Chart.yaml @@ -0,0 +1,25 @@ +annotations: + artifacthub.io/images: | + - name: connectors + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + - name: rpk + image: docker.redpanda.com/redpandadata/redpanda:latest + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://docs.redpanda.com + - name: "Helm (>= 3.6.0)" + url: https://helm.sh/docs/intro/install/ +apiVersion: v2 +appVersion: v1.0.29 +description: Redpanda managed Connectors helm chart +icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg +kubeVersion: ^1.21.0-0 +maintainers: +- name: redpanda-data + url: https://github.com/orgs/redpanda-data/people +name: connectors +sources: +- https://github.com/redpanda-data/helm-charts +type: application +version: 0.1.12 diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/LICENSE b/charts/redpanda/redpanda/5.9.2/charts/connectors/LICENSE new file mode 100644 index 000000000..261eeb9e9 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/README.md b/charts/redpanda/redpanda/5.9.2/charts/connectors/README.md new file mode 100644 index 000000000..c48f682b9 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/README.md @@ -0,0 +1,574 @@ +# Redpanda Connectors Helm Chart Specification +--- +description: Find the default values and descriptions of settings in the Redpanda Connectors Helm chart. +--- + +![Version: 0.1.12](https://img.shields.io/badge/Version-0.1.12-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.0.29](https://img.shields.io/badge/AppVersion-v1.0.29-informational?style=flat-square) + +This page describes the official Redpanda Connectors Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/connectors/values.yaml). Each of the settings is listed and described on this page, along with any default values. + +For instructions on how to install and use the chart, including how to override and customize the chart’s values, refer to the [deployment documentation](https://docs.redpanda.com/current/deploy/deployment-option/self-hosted/kubernetes/k-deploy-connectors/). + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) + +## Source Code + +* + +## Requirements + +Kubernetes: `^1.21.0-0` + +## Settings + +### [auth](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=auth) + +Authentication settings. For details, see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/). The first line of the secret file is used. So the first superuser is used to authenticate to the Redpanda cluster. + +**Default:** + +``` +{"sasl":{"enabled":false,"mechanism":"scram-sha-512","secretRef":"","userName":""}} +``` + +### [auth.sasl.mechanism](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=auth.sasl.mechanism) + +The authentication mechanism to use for the superuser. Options are `scram-sha-256` and `scram-sha-512`. + +**Default:** `"scram-sha-512"` + +### [auth.sasl.secretRef](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=auth.sasl.secretRef) + +A Secret that contains your SASL user password. + +**Default:** `""` + +### [commonLabels](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=commonLabels) + +Additional labels to add to all Kubernetes objects. For example, `my.k8s.service: redpanda`. + +**Default:** `{}` + +### [connectors.additionalConfiguration](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.additionalConfiguration) + +A placeholder for any Java configuration settings for Kafka Connect that are not explicitly defined in this Helm chart. Java configuration settings are passed to the Kafka Connect startup script. + +**Default:** `""` + +### [connectors.bootstrapServers](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.bootstrapServers) + +A comma-separated list of Redpanda broker addresses in the format of IP:Port or DNS:Port. Kafka Connect uses this to connect to the Redpanda/Kafka cluster. + +**Default:** `""` + +### [connectors.brokerTLS.ca.secretNameOverwrite](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.ca.secretNameOverwrite) + +If `secretRef` points to a Secret where the certificate authority (CA) is not under the `ca.crt` key, use `secretNameOverwrite` to overwrite it e.g. `corp-ca.crt`. + +**Default:** `""` + +### [connectors.brokerTLS.ca.secretRef](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.ca.secretRef) + +The name of the Secret where the ca.crt file content is located. + +**Default:** `""` + +### [connectors.brokerTLS.cert.secretNameOverwrite](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.cert.secretNameOverwrite) + +If secretRef points to secret where client signed certificate is not under tls.crt key then please use secretNameOverwrite to overwrite it e.g. corp-tls.crt + +**Default:** `""` + +### [connectors.brokerTLS.cert.secretRef](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.cert.secretRef) + +The name of the secret where client signed certificate is located + +**Default:** `""` + +### [connectors.brokerTLS.enabled](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.enabled) + +**Default:** `false` + +### [connectors.brokerTLS.key.secretNameOverwrite](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.key.secretNameOverwrite) + +If secretRef points to secret where client private key is not under tls.key key then please use secretNameOverwrite to overwrite it e.g. corp-tls.key + +**Default:** `""` + +### [connectors.brokerTLS.key.secretRef](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.brokerTLS.key.secretRef) + +The name of the secret where client private key is located + +**Default:** `""` + +### [connectors.groupID](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.groupID) + +A unique string that identifies the Kafka Connect cluster. It's used in the formation of the internal topic names, ensuring that multiple Kafka Connect clusters can connect to the same Redpanda cluster without interfering with each other. + +**Default:** `"connectors-cluster"` + +### [connectors.producerBatchSize](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.producerBatchSize) + +The number of bytes of records a producer will attempt to batch together before sending to Redpanda. Batching improves throughput. + +**Default:** `131072` + +### [connectors.producerLingerMS](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.producerLingerMS) + +The time, in milliseconds, that a producer will wait before sending a batch of records. Waiting allows the producer to gather more records in the same batch and improve throughput. + +**Default:** `1` + +### [connectors.restPort](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.restPort) + +The port on which the Kafka Connect REST API listens. The API is used for administrative tasks. + +**Default:** `8083` + +### [connectors.schemaRegistryURL](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.schemaRegistryURL) + +**Default:** `""` + +### [connectors.secretManager.connectorsPrefix](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.secretManager.connectorsPrefix) + +**Default:** `""` + +### [connectors.secretManager.consolePrefix](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.secretManager.consolePrefix) + +**Default:** `""` + +### [connectors.secretManager.enabled](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.secretManager.enabled) + +**Default:** `false` + +### [connectors.secretManager.region](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.secretManager.region) + +**Default:** `""` + +### [connectors.storage.remote](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.remote) + +Indicates if read and write operations for the respective topics are allowed remotely. + +**Default:** + +``` +{"read":{"config":false,"offset":false,"status":false},"write":{"config":false,"offset":false,"status":false}} +``` + +### [connectors.storage.replicationFactor](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.replicationFactor) + +The number of replicas for each of the internal topics that Kafka Connect uses. + +**Default:** + +``` +{"config":-1,"offset":-1,"status":-1} +``` + +### [connectors.storage.replicationFactor.config](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.replicationFactor.config) + +Replication factor for the configuration topic. + +**Default:** `-1` + +### [connectors.storage.replicationFactor.offset](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.replicationFactor.offset) + +Replication factor for the offset topic. + +**Default:** `-1` + +### [connectors.storage.replicationFactor.status](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.replicationFactor.status) + +Replication factor for the status topic. + +**Default:** `-1` + +### [connectors.storage.topic.config](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.topic.config) + +The name of the internal topic that Kafka Connect uses to store connector and task configurations. + +**Default:** + +``` +"_internal_connectors_configs" +``` + +### [connectors.storage.topic.offset](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.topic.offset) + +The name of the internal topic that Kafka Connect uses to store source connector offsets. + +**Default:** + +``` +"_internal_connectors_offsets" +``` + +### [connectors.storage.topic.status](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=connectors.storage.topic.status) + +The name of the internal topic that Kafka Connect uses to store connector and task status updates. + +**Default:** + +``` +"_internal_connectors_status" +``` + +### [container.javaGCLogEnabled](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=container.javaGCLogEnabled) + +**Default:** `"false"` + +### [container.resources](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=container.resources) + +Pod resource management. + +**Default:** + +``` +{"javaMaxHeapSize":"2G","limits":{"cpu":"1","memory":"2350Mi"},"request":{"cpu":"1","memory":"2350Mi"}} +``` + +### [container.resources.javaMaxHeapSize](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=container.resources.javaMaxHeapSize) + +Java maximum heap size must not be greater than `container.resources.limits.memory`. + +**Default:** `"2G"` + +### [container.securityContext](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=container.securityContext) + +Security context for the Redpanda Connectors container. See also `deployment.securityContext` for Pod-level settings. + +**Default:** + +``` +{"allowPrivilegeEscalation":false} +``` + +### [deployment.annotations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.annotations) + +Additional annotations to apply to the Pods of this Deployment. + +**Default:** `{}` + +### [deployment.budget.maxUnavailable](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.budget.maxUnavailable) + +**Default:** `1` + +### [deployment.create](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.create) + +**Default:** `true` + +### [deployment.extraEnv](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.extraEnv) + +Additional environment variables for the Pods. + +**Default:** `[]` + +### [deployment.extraEnvFrom](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.extraEnvFrom) + +Configure extra environment variables from Secrets and ConfigMaps. + +**Default:** `[]` + +### [deployment.livenessProbe](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.livenessProbe) + +Adjust the period for your probes to meet your needs. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes). + +**Default:** + +``` +{"failureThreshold":3,"initialDelaySeconds":10,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1} +``` + +### [deployment.nodeAffinity](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.nodeAffinity) + +Node Affinity rules for scheduling Pods of this Deployment. The suggestion would be to spread Pods according to topology zone. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity). + +**Default:** `{}` + +### [deployment.nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.nodeSelector) + +Node selection constraints for scheduling Pods of this Deployment. These constraints override the global `nodeSelector` value. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). + +**Default:** `{}` + +### [deployment.podAffinity](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAffinity) + +Inter-Pod Affinity rules for scheduling Pods of this Deployment. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). + +**Default:** `{}` + +### [deployment.podAntiAffinity](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity) + +Anti-affinity rules for scheduling Pods of this Deployment. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). You may either edit the default settings for anti-affinity rules, or specify new anti-affinity rules to use instead of the defaults. + +**Default:** + +``` +{"custom":{},"topologyKey":"kubernetes.io/hostname","type":"hard","weight":100} +``` + +### [deployment.podAntiAffinity.custom](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity.custom) + +Change `podAntiAffinity.type` to `custom` and provide your own podAntiAffinity rules here. + +**Default:** `{}` + +### [deployment.podAntiAffinity.topologyKey](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity.topologyKey) + +The `topologyKey` to be used. Can be used to spread across different nodes, AZs, regions etc. + +**Default:** `"kubernetes.io/hostname"` + +### [deployment.podAntiAffinity.type](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity.type) + +Valid anti-affinity types are `soft`, `hard`, or `custom`. Use `custom` if you want to supply your own anti-affinity rules in the `podAntiAffinity.custom` object. + +**Default:** `"hard"` + +### [deployment.podAntiAffinity.weight](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.podAntiAffinity.weight) + +Weight for `soft` anti-affinity rules. Does not apply for other anti-affinity types. + +**Default:** `100` + +### [deployment.priorityClassName](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.priorityClassName) + +PriorityClassName given to Pods of this Deployment. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). + +**Default:** `""` + +### [deployment.progressDeadlineSeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.progressDeadlineSeconds) + +The maximum time in seconds for a deployment to make progress before it is considered to be failed. The deployment controller will continue to process failed deployments and a condition with a ProgressDeadlineExceeded reason will be surfaced in the deployment status. Note that progress will not be estimated during the time a deployment is paused. + +**Default:** `600` + +### [deployment.readinessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.failureThreshold) + +**Default:** `2` + +### [deployment.readinessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.initialDelaySeconds) + +**Default:** `60` + +### [deployment.readinessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.periodSeconds) + +**Default:** `10` + +### [deployment.readinessProbe.successThreshold](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.successThreshold) + +**Default:** `3` + +### [deployment.readinessProbe.timeoutSeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.readinessProbe.timeoutSeconds) + +**Default:** `5` + +### [deployment.restartPolicy](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.restartPolicy) + +**Default:** `"Always"` + +### [deployment.revisionHistoryLimit](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.revisionHistoryLimit) + +The number of old ReplicaSets to retain to allow rollback. This is a pointer to distinguish between explicit zero and not specified. + +**Default:** `10` + +### [deployment.schedulerName](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.schedulerName) + +**Default:** `""` + +### [deployment.securityContext.fsGroup](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.securityContext.fsGroup) + +**Default:** `101` + +### [deployment.securityContext.fsGroupChangePolicy](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.securityContext.fsGroupChangePolicy) + +**Default:** `"OnRootMismatch"` + +### [deployment.securityContext.runAsUser](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.securityContext.runAsUser) + +**Default:** `101` + +### [deployment.strategy.type](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.strategy.type) + +**Default:** `"RollingUpdate"` + +### [deployment.terminationGracePeriodSeconds](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.terminationGracePeriodSeconds) + +**Default:** `30` + +### [deployment.tolerations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.tolerations) + +Taints to be tolerated by Pods of this Deployment. These tolerations override the global tolerations value. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). + +**Default:** `[]` + +### [deployment.topologySpreadConstraints[0].maxSkew](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.topologySpreadConstraints[0].maxSkew) + +**Default:** `1` + +### [deployment.topologySpreadConstraints[0].topologyKey](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.topologySpreadConstraints[0].topologyKey) + +**Default:** + +``` +"topology.kubernetes.io/zone" +``` + +### [deployment.topologySpreadConstraints[0].whenUnsatisfiable](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=deployment.topologySpreadConstraints[0].whenUnsatisfiable) + +**Default:** `"ScheduleAnyway"` + +### [fullnameOverride](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=fullnameOverride) + +Override `connectors.fullname` template. + +**Default:** `""` + +### [image](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=image) + +Redpanda Docker image settings. + +**Default:** + +``` +{"pullPolicy":"IfNotPresent","repository":"docker.redpanda.com/redpandadata/connectors","tag":""} +``` + +### [image.pullPolicy](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=image.pullPolicy) + +The imagePullPolicy. If `image.tag` is 'latest', the default is `Always`. + +**Default:** `"IfNotPresent"` + +### [image.repository](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=image.repository) + +Docker repository from which to pull the Redpanda Docker image. + +**Default:** + +``` +"docker.redpanda.com/redpandadata/connectors" +``` + +### [image.tag](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=image.tag) + +The Redpanda version. See DockerHub for: [All stable versions](https://hub.docker.com/r/redpandadata/redpanda/tags) and [all unstable versions](https://hub.docker.com/r/redpandadata/redpanda-unstable/tags). + +**Default:** `Chart.appVersion`. + +### [imagePullSecrets](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=imagePullSecrets) + +Pull secrets may be used to provide credentials to image repositories See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + +**Default:** `[]` + +### [logging](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=logging) + +Log-level settings. + +**Default:** `{"level":"warn"}` + +### [logging.level](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=logging.level) + +Log level Valid values (from least to most verbose) are: `error`, `warn`, `info` and `debug`. + +**Default:** `"warn"` + +### [monitoring](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=monitoring) + +Monitoring. When set to `true`, the Helm chart creates a PodMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics. + +**Default:** + +``` +{"annotations":{},"enabled":false,"labels":{},"namespaceSelector":{"any":true},"scrapeInterval":"30s"} +``` + +### [nameOverride](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=nameOverride) + +Override `connectors.name` template. + +**Default:** `""` + +### [service](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=service) + +Service management. + +**Default:** + +``` +{"annotations":{},"name":"","ports":[{"name":"prometheus","port":9404}]} +``` + +### [service.annotations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=service.annotations) + +Annotations to add to the Service. + +**Default:** `{}` + +### [service.name](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=service.name) + +The name of the service to use. If not set, a name is generated using the `connectors.fullname` template. + +**Default:** `""` + +### [serviceAccount](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=serviceAccount) + +ServiceAccount management. + +**Default:** + +``` +{"annotations":{},"create":false,"name":""} +``` + +### [serviceAccount.annotations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=serviceAccount.annotations) + +Annotations to add to the ServiceAccount. + +**Default:** `{}` + +### [serviceAccount.create](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=serviceAccount.create) + +Specifies whether a ServiceAccount should be created. + +**Default:** `false` + +### [serviceAccount.name](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=serviceAccount.name) + +The name of the ServiceAccount to use. If not set and `serviceAccount.create` is `true`, a name is generated using the `connectors.fullname` template. + +**Default:** `""` + +### [storage.volumeMounts[0].mountPath](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volumeMounts[0].mountPath) + +**Default:** `"/tmp"` + +### [storage.volumeMounts[0].name](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volumeMounts[0].name) + +**Default:** `"rp-connect-tmp"` + +### [storage.volume[0].emptyDir.medium](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volume[0].emptyDir.medium) + +**Default:** `"Memory"` + +### [storage.volume[0].emptyDir.sizeLimit](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volume[0].emptyDir.sizeLimit) + +**Default:** `"5Mi"` + +### [storage.volume[0].name](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=storage.volume[0].name) + +**Default:** `"rp-connect-tmp"` + +### [test.create](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=test.create) + +**Default:** `true` + +### [tolerations](https://artifacthub.io/packages/helm/redpanda-data/connectors?modal=values&path=tolerations) + +Taints to be tolerated by Pods. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). + +**Default:** `[]` + diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/chart_test.go b/charts/redpanda/redpanda/5.9.2/charts/connectors/chart_test.go new file mode 100644 index 000000000..d56e956e2 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/chart_test.go @@ -0,0 +1,144 @@ +package connectors + +import ( + "encoding/json" + "fmt" + "os" + "regexp" + "slices" + "testing" + + fuzz "github.com/google/gofuzz" + "github.com/redpanda-data/helm-charts/pkg/helm" + "github.com/redpanda-data/helm-charts/pkg/testutil" + "github.com/stretchr/testify/require" + "golang.org/x/tools/txtar" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "sigs.k8s.io/yaml" +) + +// TestValues asserts that the chart's values.yaml file can be losslessly +// loaded into our type [Values] struct. +// NB: values.yaml should round trip through [Values], not [PartialValues], as +// [Values]'s omitempty tags are models after values.yaml. +func TestValues(t *testing.T) { + var typedValues Values + var unstructuredValues map[string]any + + require.NoError(t, yaml.Unmarshal(DefaultValuesYAML, &typedValues)) + require.NoError(t, yaml.Unmarshal(DefaultValuesYAML, &unstructuredValues)) + + typedValuesJSON, err := json.Marshal(typedValues) + require.NoError(t, err) + + unstructuredValuesJSON, err := json.Marshal(unstructuredValues) + require.NoError(t, err) + + require.JSONEq(t, string(unstructuredValuesJSON), string(typedValuesJSON)) +} + +func TestTemplate(t *testing.T) { + ctx := testutil.Context(t) + client, err := helm.New(helm.Options{ConfigHome: testutil.TempDir(t)}) + require.NoError(t, err) + + casesArchive, err := txtar.ParseFile("testdata/template-cases.txtar") + require.NoError(t, err) + + generatedCasesArchive, err := txtar.ParseFile("testdata/template-cases-generated.txtar") + require.NoError(t, err) + + goldens := testutil.NewTxTar(t, "testdata/template-cases.golden.txtar") + + for _, tc := range append(casesArchive.Files, generatedCasesArchive.Files...) { + tc := tc + t.Run(tc.Name, func(t *testing.T) { + var values PartialValues + require.NoError(t, yaml.Unmarshal(tc.Data, &values)) + + out, err := client.Template(ctx, ".", helm.TemplateOptions{ + Name: "console", + Values: values, + Set: []string{ + // Tests utilize rng; Can't have that in snapshot testing + // so always disable them. + "test.create=false", + }, + }) + require.NoError(t, err) + goldens.AssertGolden(t, testutil.YAML, fmt.Sprintf("testdata/%s.yaml.golden", tc.Name), out) + }) + } +} + +// TestGenerateCases is not a test case (sorry) but a test case generator for +// the console chart. +func TestGenerateCases(t *testing.T) { + // Nasty hack to avoid making a main function somewhere. Sorry not sorry. + if !slices.Contains(os.Args, fmt.Sprintf("-test.run=%s", t.Name())) { + t.Skipf("%s will only run if explicitly specified (-run %q)", t.Name(), t.Name()) + } + + // Makes strings easier to read. + asciiStrs := func(s *string, c fuzz.Continue) { + const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" + var x []byte + for i := 0; i < c.Intn(25); i++ { + x = append(x, alphabet[c.Intn(len(alphabet))]) + } + *s = string(x) + } + smallInts := func(s *int, c fuzz.Continue) { + *s = c.Intn(501) + } + + fuzzer := fuzz.New().NumElements(0, 3).SkipFieldsWithPattern( + regexp.MustCompile("^(SELinuxOptions|WindowsOptions|SeccompProfile|TCPSocket|HTTPHeaders|VolumeSource|Image)$"), + ).Funcs( + asciiStrs, + smallInts, + func(t *corev1.ServiceType, c fuzz.Continue) { + types := []corev1.ServiceType{ + corev1.ServiceTypeClusterIP, + corev1.ServiceTypeExternalName, + corev1.ServiceTypeNodePort, + corev1.ServiceTypeLoadBalancer, + } + *t = types[c.Intn(len(types))] + }, + func(s *corev1.ResourceName, c fuzz.Continue) { asciiStrs((*string)(s), c) }, + func(_ *any, c fuzz.Continue) {}, + func(_ *[]corev1.ResourceClaim, c fuzz.Continue) {}, + func(_ *[]metav1.ManagedFieldsEntry, c fuzz.Continue) {}, + ) + + nilChance := float64(0.8) + + files := make([]txtar.File, 0, 50) + for i := 0; i < 50; i++ { + // Every 5 iterations, decrease nil chance to ensure that we're biased + // towards exploring most cases. + if i%5 == 0 && nilChance > .1 { + nilChance -= .1 + } + + var values PartialValues + fuzzer.NilChance(nilChance).Fuzz(&values) + + out, err := yaml.Marshal(values) + require.NoError(t, err) + + files = append(files, txtar.File{ + Name: fmt.Sprintf("case-%03d", i), + Data: out, + }) + } + + archive := txtar.Format(&txtar.Archive{ + Comment: []byte(fmt.Sprintf(`Generated by %s`, t.Name())), + Files: files, + }) + + require.NoError(t, os.WriteFile("testdata/template-cases-generated.txtar", archive, 0o644)) +} diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/ci/01-default-values.yaml b/charts/redpanda/redpanda/5.9.2/charts/connectors/ci/01-default-values.yaml new file mode 100644 index 000000000..d0dbb71c2 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/ci/01-default-values.yaml @@ -0,0 +1,34 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +connectors: + bootstrapServers: "redpanda-0.redpanda.redpanda.svc.cluster.local.:9093,redpanda-1.redpanda.redpanda.svc.cluster.local.:9093,redpanda-2.redpanda.redpanda.svc.cluster.local.:9093" + brokerTLS: + enabled: true + ca: + secretRef: redpanda-default-cert + +logging: + level: trace + +deployment: + annotations: + test: test + test2: test2 + +service: + annotations: + test: test + test2: test2 diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/ci/02-broker-tls-values.yaml b/charts/redpanda/redpanda/5.9.2/charts/connectors/ci/02-broker-tls-values.yaml new file mode 100644 index 000000000..42f0ebc17 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/ci/02-broker-tls-values.yaml @@ -0,0 +1,28 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +--- +connectors: + bootstrapServers: "redpanda-0.redpanda.redpanda.svc.cluster.local.:9093,redpanda-1.redpanda.redpanda.svc.cluster.local.:9093,redpanda-2.redpanda.redpanda.svc.cluster.local.:9093" + brokerTLS: + enabled: true + ca: + secretRef: redpanda-default-cert + cert: + secretRef: redpanda-default-cert + key: + secretRef: redpanda-default-cert + +logging: + level: trace diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/deployment.go b/charts/redpanda/redpanda/5.9.2/charts/connectors/deployment.go new file mode 100644 index 000000000..2580668ad --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/deployment.go @@ -0,0 +1,394 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_deployment.go.tpl +package connectors + +import ( + "fmt" + + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/utils/ptr" +) + +func Deployment(dot *helmette.Dot) *appsv1.Deployment { + values := helmette.Unwrap[Values](dot.Values) + + if !values.Deployment.Create { + return nil + } + + var topologySpreadConstraints []corev1.TopologySpreadConstraint + for _, spread := range values.Deployment.TopologySpreadConstraints { + topologySpreadConstraints = append(topologySpreadConstraints, corev1.TopologySpreadConstraint{ + LabelSelector: &metav1.LabelSelector{ + MatchLabels: PodLabels(dot), + }, + MaxSkew: spread.MaxSkew, + TopologyKey: spread.TopologyKey, + WhenUnsatisfiable: spread.WhenUnsatisfiable, + }) + } + + ports := []corev1.ContainerPort{ + { + ContainerPort: values.Connectors.RestPort, + Name: "rest-api", + Protocol: corev1.ProtocolTCP, + }, + } + + for _, port := range values.Service.Ports { + ports = append(ports, corev1.ContainerPort{ + Name: port.Name, + ContainerPort: port.Port, + Protocol: corev1.ProtocolTCP, + }) + } + + var podAntiAffinity *corev1.PodAntiAffinity + if values.Deployment.PodAntiAffinity != nil { + if values.Deployment.PodAntiAffinity.Type == "hard" { + podAntiAffinity = &corev1.PodAntiAffinity{ + RequiredDuringSchedulingIgnoredDuringExecution: []corev1.PodAffinityTerm{{ + TopologyKey: values.Deployment.PodAntiAffinity.TopologyKey, + Namespaces: []string{dot.Release.Namespace}, + LabelSelector: &metav1.LabelSelector{ + MatchLabels: PodLabels(dot), + }, + }}, + } + } else if values.Deployment.PodAntiAffinity.Type == "soft" { + podAntiAffinity = &corev1.PodAntiAffinity{ + PreferredDuringSchedulingIgnoredDuringExecution: []corev1.WeightedPodAffinityTerm{{ + Weight: *values.Deployment.PodAntiAffinity.Weight, + PodAffinityTerm: corev1.PodAffinityTerm{ + TopologyKey: values.Deployment.PodAntiAffinity.TopologyKey, + Namespaces: []string{dot.Release.Namespace}, + LabelSelector: &metav1.LabelSelector{ + MatchLabels: PodLabels(dot), + }, + }, + }}, + } + } else if values.Deployment.PodAntiAffinity.Type == "custom" { + podAntiAffinity = values.Deployment.PodAntiAffinity.Custom + } + } + + return &appsv1.Deployment{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "apps/v1", + Kind: "Deployment", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: Fullname(dot), + Labels: helmette.Merge(FullLabels(dot), values.Deployment.Annotations), + }, + Spec: appsv1.DeploymentSpec{ + Replicas: values.Deployment.Replicas, + ProgressDeadlineSeconds: &values.Deployment.ProgressDeadlineSeconds, + RevisionHistoryLimit: values.Deployment.RevisionHistoryLimit, + Selector: &metav1.LabelSelector{ + MatchLabels: PodLabels(dot), + }, + Strategy: values.Deployment.Strategy, + Template: corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: values.Deployment.Annotations, + Labels: PodLabels(dot), + }, + Spec: corev1.PodSpec{ + TerminationGracePeriodSeconds: values.Deployment.TerminationGracePeriodSeconds, + Affinity: &corev1.Affinity{ + NodeAffinity: values.Deployment.NodeAffinity, + PodAffinity: values.Deployment.PodAffinity, + PodAntiAffinity: podAntiAffinity, + }, + ServiceAccountName: ServiceAccountName(dot), + Containers: []corev1.Container{ + { + Name: "connectors-cluster", + Image: fmt.Sprintf("%s:%s", values.Image.Repository, Tag(dot)), + ImagePullPolicy: values.Image.PullPolicy, + SecurityContext: &values.Container.SecurityContext, + Command: values.Deployment.Command, + Env: env(&values), + EnvFrom: values.Deployment.ExtraEnvFrom, + LivenessProbe: &corev1.Probe{ + ProbeHandler: corev1.ProbeHandler{ + HTTPGet: &corev1.HTTPGetAction{ + Path: "/", + Port: intstr.FromString("rest-api"), + Scheme: corev1.URISchemeHTTP, + }, + }, + InitialDelaySeconds: values.Deployment.LivenessProbe.InitialDelaySeconds, + TimeoutSeconds: values.Deployment.LivenessProbe.TimeoutSeconds, + PeriodSeconds: values.Deployment.LivenessProbe.PeriodSeconds, + SuccessThreshold: values.Deployment.LivenessProbe.SuccessThreshold, + FailureThreshold: values.Deployment.LivenessProbe.FailureThreshold, + }, + ReadinessProbe: &corev1.Probe{ + ProbeHandler: corev1.ProbeHandler{ + HTTPGet: &corev1.HTTPGetAction{ + Path: "/connectors", + Port: intstr.FromString("rest-api"), + Scheme: corev1.URISchemeHTTP, + }, + }, + InitialDelaySeconds: values.Deployment.ReadinessProbe.InitialDelaySeconds, + TimeoutSeconds: values.Deployment.ReadinessProbe.TimeoutSeconds, + PeriodSeconds: values.Deployment.ReadinessProbe.PeriodSeconds, + SuccessThreshold: values.Deployment.ReadinessProbe.SuccessThreshold, + FailureThreshold: values.Deployment.ReadinessProbe.FailureThreshold, + }, + Ports: ports, + Resources: corev1.ResourceRequirements{ + Requests: values.Container.Resources.Request, + Limits: values.Container.Resources.Limits, + }, + TerminationMessagePath: "/dev/termination-log", + TerminationMessagePolicy: "File", + VolumeMounts: volumeMountss(&values), + }, + }, + DNSPolicy: corev1.DNSClusterFirst, + RestartPolicy: values.Deployment.RestartPolicy, + SchedulerName: values.Deployment.SchedulerName, + NodeSelector: values.Deployment.NodeSelector, + ImagePullSecrets: values.ImagePullSecrets, + SecurityContext: values.Deployment.SecurityContext, + Tolerations: values.Deployment.Tolerations, + TopologySpreadConstraints: topologySpreadConstraints, + Volumes: volumes(&values), + }, + }, + }, + } +} + +func env(values *Values) []corev1.EnvVar { + env := []corev1.EnvVar{ + { + Name: "CONNECT_CONFIGURATION", + Value: connectorConfiguration(values), + }, + { + Name: "CONNECT_ADDITIONAL_CONFIGURATION", + Value: values.Connectors.AdditionalConfiguration, + }, + { + Name: "CONNECT_BOOTSTRAP_SERVERS", + Value: values.Connectors.BootstrapServers, + }, + } + + if !helmette.Empty(values.Connectors.SchemaRegistryURL) { + env = append(env, corev1.EnvVar{ + Name: "SCHEMA_REGISTRY_URL", + Value: values.Connectors.SchemaRegistryURL, + }) + } + + env = append(env, corev1.EnvVar{ + Name: "CONNECT_GC_LOG_ENABLED", + Value: values.Container.JavaGCLogEnabled, + }, corev1.EnvVar{ + Name: "CONNECT_HEAP_OPTS", + Value: fmt.Sprintf("-Xms256M -Xmx%s", values.Container.Resources.JavaMaxHeapSize), + }, corev1.EnvVar{ + Name: "CONNECT_LOG_LEVEL", + Value: values.Logging.Level, + }) + + if values.Auth.SASLEnabled() { + env = append(env, corev1.EnvVar{ + Name: "CONNECT_SASL_USERNAME", + Value: values.Auth.SASL.UserName, + }, corev1.EnvVar{ + Name: "CONNECT_SASL_MECHANISM", + Value: values.Auth.SASL.Mechanism, + }, corev1.EnvVar{ + Name: "CONNECT_SASL_PASSWORD_FILE", + Value: "rc-credentials/password", + }) + } + + env = append(env, corev1.EnvVar{ + Name: "CONNECT_TLS_ENABLED", + Value: fmt.Sprintf("%v", values.Connectors.BrokerTLS.Enabled), + }) + + if !helmette.Empty(values.Connectors.BrokerTLS.CA.SecretRef) { + ca := helmette.Default("ca.crt", values.Connectors.BrokerTLS.CA.SecretNameOverwrite) + env = append(env, corev1.EnvVar{ + Name: "CONNECT_TRUSTED_CERTS", + Value: fmt.Sprintf("ca/%s", ca), + }) + } + + if !helmette.Empty(values.Connectors.BrokerTLS.Cert.SecretRef) { + cert := helmette.Default("tls.crt", values.Connectors.BrokerTLS.Cert.SecretNameOverwrite) + env = append(env, corev1.EnvVar{ + Name: "CONNECT_TLS_AUTH_CERT", + Value: fmt.Sprintf("cert/%s", cert), + }) + } + + if !helmette.Empty(values.Connectors.BrokerTLS.Key.SecretRef) { + key := helmette.Default("tls.key", values.Connectors.BrokerTLS.Key.SecretNameOverwrite) + env = append(env, corev1.EnvVar{ + Name: "CONNECT_TLS_AUTH_KEY", + Value: fmt.Sprintf("key/%s", key), + }) + } + + return append(env, values.Deployment.ExtraEnv...) +} + +func connectorConfiguration(values *Values) string { + lines := []string{ + fmt.Sprintf("rest.advertised.port=%d", values.Connectors.RestPort), + fmt.Sprintf("rest.port=%d", values.Connectors.RestPort), + "key.converter=org.apache.kafka.connect.converters.ByteArrayConverter", + "value.converter=org.apache.kafka.connect.converters.ByteArrayConverter", + fmt.Sprintf("group.id=%s", values.Connectors.GroupID), + fmt.Sprintf("offset.storage.topic=%s", values.Connectors.Storage.Topic.Offset), + fmt.Sprintf("config.storage.topic=%s", values.Connectors.Storage.Topic.Config), + fmt.Sprintf("status.storage.topic=%s", values.Connectors.Storage.Topic.Status), + fmt.Sprintf("offset.storage.redpanda.remote.read=%t", values.Connectors.Storage.Remote.Read.Offset), + fmt.Sprintf("offset.storage.redpanda.remote.write=%t", values.Connectors.Storage.Remote.Write.Offset), + fmt.Sprintf("config.storage.redpanda.remote.read=%t", values.Connectors.Storage.Remote.Read.Config), + fmt.Sprintf("config.storage.redpanda.remote.write=%t", values.Connectors.Storage.Remote.Write.Config), + fmt.Sprintf("status.storage.redpanda.remote.read=%t", values.Connectors.Storage.Remote.Read.Status), + fmt.Sprintf("status.storage.redpanda.remote.write=%t", values.Connectors.Storage.Remote.Write.Status), + fmt.Sprintf("offset.storage.replication.factor=%d", values.Connectors.Storage.ReplicationFactor.Offset), + fmt.Sprintf("config.storage.replication.factor=%d", values.Connectors.Storage.ReplicationFactor.Config), + fmt.Sprintf("status.storage.replication.factor=%d", values.Connectors.Storage.ReplicationFactor.Status), + fmt.Sprintf("producer.linger.ms=%d", values.Connectors.ProducerLingerMS), + fmt.Sprintf("producer.batch.size=%d", values.Connectors.ProducerBatchSize), + "config.providers=file,secretsManager,env", + "config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider", + } + + if values.Connectors.SecretManager.Enabled { + lines = append( + lines, + "config.providers.secretsManager.class=com.github.jcustenborder.kafka.config.aws.SecretsManagerConfigProvider", + fmt.Sprintf("config.providers.secretsManager.param.secret.prefix=%s%s", values.Connectors.SecretManager.ConsolePrefix, values.Connectors.SecretManager.ConnectorsPrefix), + fmt.Sprintf("config.providers.secretsManager.param.aws.region=%s", values.Connectors.SecretManager.Region), + ) + } + + lines = append( + lines, + "config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider", + ) + + return helmette.Join("\n", lines) +} + +func volumes(values *Values) []corev1.Volume { + var volumes []corev1.Volume + if !helmette.Empty(values.Connectors.BrokerTLS.CA.SecretRef) { + volumes = append(volumes, corev1.Volume{ + Name: "truststore", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + DefaultMode: ptr.To[int32](0o444), + SecretName: values.Connectors.BrokerTLS.CA.SecretRef, + }, + }, + }) + } + if !helmette.Empty(values.Connectors.BrokerTLS.Cert.SecretRef) { + volumes = append(volumes, corev1.Volume{ + Name: "cert", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + DefaultMode: ptr.To[int32](0o444), + SecretName: values.Connectors.BrokerTLS.Cert.SecretRef, + }, + }, + }) + } + if !helmette.Empty(values.Connectors.BrokerTLS.Key.SecretRef) { + volumes = append(volumes, corev1.Volume{ + Name: "key", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + DefaultMode: ptr.To[int32](0o444), + SecretName: values.Connectors.BrokerTLS.Key.SecretRef, + }, + }, + }) + } + + if values.Auth.SASLEnabled() { + volumes = append(volumes, corev1.Volume{ + Name: "rc-credentials", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + DefaultMode: ptr.To[int32](0o444), + SecretName: values.Auth.SASL.SecretRef, + }, + }, + }) + } + + return append(volumes, values.Storage.Volume...) +} + +func volumeMountss(values *Values) []corev1.VolumeMount { + var mounts []corev1.VolumeMount + + if values.Auth.SASLEnabled() { + mounts = append(mounts, corev1.VolumeMount{ + MountPath: "/opt/kafka/connect-password/rc-credentials", + Name: "rc-credentials", + }) + } + + if !helmette.Empty(values.Connectors.BrokerTLS.CA.SecretRef) { + // The /opt/kafka/connect-certs is fixed path within Connectors + mounts = append(mounts, corev1.VolumeMount{ + Name: "truststore", + MountPath: "/opt/kafka/connect-certs/ca", + }) + } + + if !helmette.Empty(values.Connectors.BrokerTLS.Cert.SecretRef) { + // The /opt/kafka/connect-certs is fixed path within Connectors + mounts = append(mounts, corev1.VolumeMount{ + Name: "cert", + MountPath: "/opt/kafka/connect-certs/cert", + }) + } + + if !helmette.Empty(values.Connectors.BrokerTLS.Key.SecretRef) { + // The /opt/kafka/connect-certs is fixed path within Connectors + mounts = append(mounts, corev1.VolumeMount{ + Name: "key", + MountPath: "/opt/kafka/connect-certs/key", + }) + } + + return append(mounts, values.Storage.VolumeMounts...) +} diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/helpers.go b/charts/redpanda/redpanda/5.9.2/charts/connectors/helpers.go new file mode 100644 index 000000000..9440b61e2 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/helpers.go @@ -0,0 +1,101 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_helpers.go.tpl +package connectors + +import ( + "fmt" + + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" +) + +func Name(dot *helmette.Dot) string { + values := helmette.Unwrap[Values](dot.Values) + name := helmette.Default(dot.Chart.Name, values.NameOverride) + return trunc(name) +} + +func Fullname(dot *helmette.Dot) string { + values := helmette.Unwrap[Values](dot.Values) + + if !helmette.Empty(values.FullnameOverride) { + return trunc(values.FullnameOverride) + } + + name := helmette.Default(dot.Chart.Name, values.NameOverride) + + if helmette.Contains(name, dot.Release.Name) { + return trunc(dot.Release.Name) + } + return trunc(fmt.Sprintf("%s-%s", dot.Release.Name, name)) +} + +func FullLabels(dot *helmette.Dot) map[string]string { + return helmette.Merge(map[string]string{ + "helm.sh/chart": Chart(dot), + "app.kubernetes.io/managed-by": dot.Release.Service, + }, PodLabels(dot)) +} + +func PodLabels(dot *helmette.Dot) map[string]string { + values := helmette.Unwrap[Values](dot.Values) + return helmette.Merge(map[string]string{ + "app.kubernetes.io/name": Name(dot), + "app.kubernetes.io/instance": dot.Release.Name, + "app.kubernetes.io/component": Name(dot), + }, values.CommonLabels) +} + +func Chart(dot *helmette.Dot) string { + chart := fmt.Sprintf("%s-%s", dot.Chart.Name, dot.Chart.Version) + return trunc(helmette.Replace("+", "_", chart)) +} + +func Semver(dot *helmette.Dot) string { + return helmette.TrimPrefix("v", Tag(dot)) +} + +func ServiceAccountName(dot *helmette.Dot) string { + values := helmette.Unwrap[Values](dot.Values) + if values.ServiceAccount.Create { + return helmette.Default(Fullname(dot), values.ServiceAccount.Name) + } + return helmette.Default("default", values.ServiceAccount.Name) +} + +func ServiceName(dot *helmette.Dot) string { + values := helmette.Unwrap[Values](dot.Values) + return helmette.Default(Fullname(dot), values.Service.Name) +} + +func Tag(dot *helmette.Dot) string { + values := helmette.Unwrap[Values](dot.Values) + + tag := helmette.Default(dot.Chart.AppVersion, values.Image.Tag) + matchString := "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" + + if !helmette.MustRegexMatch(matchString, tag) { + // This error message is for end users. This can also occur if + // AppVersion doesn't start with a 'v' in Chart.yaml. + panic("image.tag must start with a 'v' and be a valid semver") + } + + return tag +} + +func trunc(s string) string { + return helmette.TrimSuffix("-", helmette.Trunc(63, s)) +} diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/podmonitor.go b/charts/redpanda/redpanda/5.9.2/charts/connectors/podmonitor.go new file mode 100644 index 000000000..fbee5c59e --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/podmonitor.go @@ -0,0 +1,56 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_pod-monitor.go.tpl +package connectors + +import ( + monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1" + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +func PodMonitor(dot *helmette.Dot) *monitoringv1.PodMonitor { + values := helmette.Unwrap[Values](dot.Values) + + // TODO Add check for .Capabilities.APIVersions.Has "monitoring.coreos.com/v1" + if !values.Monitoring.Enabled { + return nil + } + + return &monitoringv1.PodMonitor{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "monitoring.coreos.com/v1", + Kind: "PodMonitor", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: Fullname(dot), + Labels: values.Monitoring.Labels, + Annotations: values.Monitoring.Annotations, + }, + Spec: monitoringv1.PodMonitorSpec{ + NamespaceSelector: values.Monitoring.NamespaceSelector, + PodMetricsEndpoints: []monitoringv1.PodMetricsEndpoint{ + { + Path: "/", + Port: "prometheus", + }, + }, + Selector: metav1.LabelSelector{ + MatchLabels: PodLabels(dot), + }, + }, + } +} diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/service.go b/charts/redpanda/redpanda/5.9.2/charts/connectors/service.go new file mode 100644 index 000000000..17d39fba8 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/service.go @@ -0,0 +1,74 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_service.go.tpl +package connectors + +import ( + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/utils/ptr" +) + +func Service(dot *helmette.Dot) *corev1.Service { + values := helmette.Unwrap[Values](dot.Values) + + ports := []corev1.ServicePort{ + { + Name: "rest-api", + Port: values.Connectors.RestPort, + TargetPort: intstr.FromInt32(values.Connectors.RestPort), + Protocol: corev1.ProtocolTCP, + }, + } + + for _, port := range values.Service.Ports { + ports = append(ports, corev1.ServicePort{ + Name: port.Name, + Port: port.Port, + TargetPort: intstr.FromInt32(port.Port), + Protocol: corev1.ProtocolTCP, + }) + } + + return &corev1.Service{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "v1", + Kind: "Service", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: ServiceName(dot), + // TODO this isn't 100% correct as users could have previously + // added: `annotations: {}` as the value for annotations to get + // them to render correctly. + Labels: helmette.Merge( + FullLabels(dot), + values.Service.Annotations, + ), + }, + Spec: corev1.ServiceSpec{ + IPFamilies: []corev1.IPFamily{ + corev1.IPv4Protocol, + }, + IPFamilyPolicy: ptr.To(corev1.IPFamilyPolicySingleStack), + Ports: ports, + Selector: PodLabels(dot), + SessionAffinity: corev1.ServiceAffinityNone, + Type: corev1.ServiceTypeClusterIP, + }, + } +} diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/serviceaccount.go b/charts/redpanda/redpanda/5.9.2/charts/connectors/serviceaccount.go new file mode 100644 index 000000000..2b689effd --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/serviceaccount.go @@ -0,0 +1,44 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_serviceaccount.go.tpl +package connectors + +import ( + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +func ServiceAccount(dot *helmette.Dot) *corev1.ServiceAccount { + values := helmette.Unwrap[Values](dot.Values) + + if !values.ServiceAccount.Create { + return nil + } + + return &corev1.ServiceAccount{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "v1", + Kind: "ServiceAccount", + }, + ObjectMeta: metav1.ObjectMeta{ + Annotations: values.ServiceAccount.Annotations, + Labels: FullLabels(dot), + Name: ServiceAccountName(dot), + Namespace: dot.Release.Namespace, + }, + } +} diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/_deployment.go.tpl b/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/_deployment.go.tpl new file mode 100644 index 000000000..f785c1ad9 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/_deployment.go.tpl @@ -0,0 +1,136 @@ +{{- /* Generated from "deployment.go" */ -}} + +{{- define "connectors.Deployment" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.deployment.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $topologySpreadConstraints := (coalesce nil) -}} +{{- range $_, $spread := $values.deployment.topologySpreadConstraints -}} +{{- $topologySpreadConstraints = (concat (default (list ) $topologySpreadConstraints) (list (mustMergeOverwrite (dict "maxSkew" 0 "topologyKey" "" "whenUnsatisfiable" "" ) (dict "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) "maxSkew" ($spread.maxSkew | int) "topologyKey" $spread.topologyKey "whenUnsatisfiable" $spread.whenUnsatisfiable )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $ports := (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "containerPort" ($values.connectors.restPort | int) "name" "rest-api" "protocol" "TCP" ))) -}} +{{- range $_, $port := $values.service.ports -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" $port.name "containerPort" ($port.port | int) "protocol" "TCP" )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $podAntiAffinity := (coalesce nil) -}} +{{- if (ne $values.deployment.podAntiAffinity (coalesce nil)) -}} +{{- if (eq $values.deployment.podAntiAffinity.type "hard") -}} +{{- $podAntiAffinity = (mustMergeOverwrite (dict ) (dict "requiredDuringSchedulingIgnoredDuringExecution" (list (mustMergeOverwrite (dict "topologyKey" "" ) (dict "topologyKey" $values.deployment.podAntiAffinity.topologyKey "namespaces" (list $dot.Release.Namespace) "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) ))) )) -}} +{{- else -}}{{- if (eq $values.deployment.podAntiAffinity.type "soft") -}} +{{- $podAntiAffinity = (mustMergeOverwrite (dict ) (dict "preferredDuringSchedulingIgnoredDuringExecution" (list (mustMergeOverwrite (dict "weight" 0 "podAffinityTerm" (dict "topologyKey" "" ) ) (dict "weight" $values.deployment.podAntiAffinity.weight "podAffinityTerm" (mustMergeOverwrite (dict "topologyKey" "" ) (dict "topologyKey" $values.deployment.podAntiAffinity.topologyKey "namespaces" (list $dot.Release.Namespace) "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) )) ))) )) -}} +{{- else -}}{{- if (eq $values.deployment.podAntiAffinity.type "custom") -}} +{{- $podAntiAffinity = $values.deployment.podAntiAffinity.custom -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "strategy" (dict ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "apps/v1" "kind" "Deployment" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "connectors.Fullname" (dict "a" (list $dot) ))) "r") "labels" (merge (dict ) (get (fromJson (include "connectors.FullLabels" (dict "a" (list $dot) ))) "r") $values.deployment.annotations) )) "spec" (mustMergeOverwrite (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "strategy" (dict ) ) (dict "replicas" $values.deployment.replicas "progressDeadlineSeconds" ($values.deployment.progressDeadlineSeconds | int) "revisionHistoryLimit" $values.deployment.revisionHistoryLimit "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) "strategy" $values.deployment.strategy "template" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "annotations" $values.deployment.annotations "labels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "terminationGracePeriodSeconds" $values.deployment.terminationGracePeriodSeconds "affinity" (mustMergeOverwrite (dict ) (dict "nodeAffinity" $values.deployment.nodeAffinity "podAffinity" $values.deployment.podAffinity "podAntiAffinity" $podAntiAffinity )) "serviceAccountName" (get (fromJson (include "connectors.ServiceAccountName" (dict "a" (list $dot) ))) "r") "containers" (list (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "connectors-cluster" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "connectors.Tag" (dict "a" (list $dot) ))) "r")) "imagePullPolicy" $values.image.pullPolicy "securityContext" $values.container.securityContext "command" $values.deployment.command "env" (get (fromJson (include "connectors.env" (dict "a" (list $values) ))) "r") "envFrom" $values.deployment.extraEnvFrom "livenessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "httpGet" (mustMergeOverwrite (dict "port" 0 ) (dict "path" "/" "port" "rest-api" "scheme" "HTTP" )) )) (dict "initialDelaySeconds" ($values.deployment.livenessProbe.initialDelaySeconds | int) "timeoutSeconds" ($values.deployment.livenessProbe.timeoutSeconds | int) "periodSeconds" ($values.deployment.livenessProbe.periodSeconds | int) "successThreshold" ($values.deployment.livenessProbe.successThreshold | int) "failureThreshold" ($values.deployment.livenessProbe.failureThreshold | int) )) "readinessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "httpGet" (mustMergeOverwrite (dict "port" 0 ) (dict "path" "/connectors" "port" "rest-api" "scheme" "HTTP" )) )) (dict "initialDelaySeconds" ($values.deployment.readinessProbe.initialDelaySeconds | int) "timeoutSeconds" ($values.deployment.readinessProbe.timeoutSeconds | int) "periodSeconds" ($values.deployment.readinessProbe.periodSeconds | int) "successThreshold" ($values.deployment.readinessProbe.successThreshold | int) "failureThreshold" ($values.deployment.readinessProbe.failureThreshold | int) )) "ports" $ports "resources" (mustMergeOverwrite (dict ) (dict "requests" $values.container.resources.request "limits" $values.container.resources.limits )) "terminationMessagePath" "/dev/termination-log" "terminationMessagePolicy" "File" "volumeMounts" (get (fromJson (include "connectors.volumeMountss" (dict "a" (list $values) ))) "r") ))) "dnsPolicy" "ClusterFirst" "restartPolicy" $values.deployment.restartPolicy "schedulerName" $values.deployment.schedulerName "nodeSelector" $values.deployment.nodeSelector "imagePullSecrets" $values.imagePullSecrets "securityContext" $values.deployment.securityContext "tolerations" $values.deployment.tolerations "topologySpreadConstraints" $topologySpreadConstraints "volumes" (get (fromJson (include "connectors.volumes" (dict "a" (list $values) ))) "r") )) )) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.env" -}} +{{- $values := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $env := (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_CONFIGURATION" "value" (get (fromJson (include "connectors.connectorConfiguration" (dict "a" (list $values) ))) "r") )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_ADDITIONAL_CONFIGURATION" "value" $values.connectors.additionalConfiguration )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_BOOTSTRAP_SERVERS" "value" $values.connectors.bootstrapServers ))) -}} +{{- if (not (empty $values.connectors.schemaRegistryURL)) -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "SCHEMA_REGISTRY_URL" "value" $values.connectors.schemaRegistryURL )))) -}} +{{- end -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_GC_LOG_ENABLED" "value" $values.container.javaGCLogEnabled )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_HEAP_OPTS" "value" (printf "-Xms256M -Xmx%s" $values.container.resources.javaMaxHeapSize) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_LOG_LEVEL" "value" $values.logging.level )))) -}} +{{- if (get (fromJson (include "connectors.Auth.SASLEnabled" (dict "a" (list $values.auth) ))) "r") -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_SASL_USERNAME" "value" $values.auth.sasl.userName )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_SASL_MECHANISM" "value" $values.auth.sasl.mechanism )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_SASL_PASSWORD_FILE" "value" "rc-credentials/password" )))) -}} +{{- end -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_TLS_ENABLED" "value" (printf "%v" $values.connectors.brokerTLS.enabled) )))) -}} +{{- if (not (empty $values.connectors.brokerTLS.ca.secretRef)) -}} +{{- $ca := (default "ca.crt" $values.connectors.brokerTLS.ca.secretNameOverwrite) -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_TRUSTED_CERTS" "value" (printf "ca/%s" $ca) )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.cert.secretRef)) -}} +{{- $cert := (default "tls.crt" $values.connectors.brokerTLS.cert.secretNameOverwrite) -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_TLS_AUTH_CERT" "value" (printf "cert/%s" $cert) )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.key.secretRef)) -}} +{{- $key := (default "tls.key" $values.connectors.brokerTLS.key.secretNameOverwrite) -}} +{{- $env = (concat (default (list ) $env) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONNECT_TLS_AUTH_KEY" "value" (printf "key/%s" $key) )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $env) (default (list ) $values.deployment.extraEnv))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.connectorConfiguration" -}} +{{- $values := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $lines := (list (printf "rest.advertised.port=%d" ($values.connectors.restPort | int)) (printf "rest.port=%d" ($values.connectors.restPort | int)) "key.converter=org.apache.kafka.connect.converters.ByteArrayConverter" "value.converter=org.apache.kafka.connect.converters.ByteArrayConverter" (printf "group.id=%s" $values.connectors.groupID) (printf "offset.storage.topic=%s" $values.connectors.storage.topic.offset) (printf "config.storage.topic=%s" $values.connectors.storage.topic.config) (printf "status.storage.topic=%s" $values.connectors.storage.topic.status) (printf "offset.storage.redpanda.remote.read=%t" $values.connectors.storage.remote.read.offset) (printf "offset.storage.redpanda.remote.write=%t" $values.connectors.storage.remote.write.offset) (printf "config.storage.redpanda.remote.read=%t" $values.connectors.storage.remote.read.config) (printf "config.storage.redpanda.remote.write=%t" $values.connectors.storage.remote.write.config) (printf "status.storage.redpanda.remote.read=%t" $values.connectors.storage.remote.read.status) (printf "status.storage.redpanda.remote.write=%t" $values.connectors.storage.remote.write.status) (printf "offset.storage.replication.factor=%d" ($values.connectors.storage.replicationFactor.offset | int)) (printf "config.storage.replication.factor=%d" ($values.connectors.storage.replicationFactor.config | int)) (printf "status.storage.replication.factor=%d" ($values.connectors.storage.replicationFactor.status | int)) (printf "producer.linger.ms=%d" ($values.connectors.producerLingerMS | int)) (printf "producer.batch.size=%d" ($values.connectors.producerBatchSize | int)) "config.providers=file,secretsManager,env" "config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider") -}} +{{- if $values.connectors.secretManager.enabled -}} +{{- $lines = (concat (default (list ) $lines) (list "config.providers.secretsManager.class=com.github.jcustenborder.kafka.config.aws.SecretsManagerConfigProvider" (printf "config.providers.secretsManager.param.secret.prefix=%s%s" $values.connectors.secretManager.consolePrefix $values.connectors.secretManager.connectorsPrefix) (printf "config.providers.secretsManager.param.aws.region=%s" $values.connectors.secretManager.region))) -}} +{{- end -}} +{{- $lines = (concat (default (list ) $lines) (list "config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (join "\n" $lines)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.volumes" -}} +{{- $values := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $volumes := (coalesce nil) -}} +{{- if (not (empty $values.connectors.brokerTLS.ca.secretRef)) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o444 | int) "secretName" $values.connectors.brokerTLS.ca.secretRef )) )) (dict "name" "truststore" )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.cert.secretRef)) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o444 | int) "secretName" $values.connectors.brokerTLS.cert.secretRef )) )) (dict "name" "cert" )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.key.secretRef)) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o444 | int) "secretName" $values.connectors.brokerTLS.key.secretRef )) )) (dict "name" "key" )))) -}} +{{- end -}} +{{- if (get (fromJson (include "connectors.Auth.SASLEnabled" (dict "a" (list $values.auth) ))) "r") -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "defaultMode" (0o444 | int) "secretName" $values.auth.sasl.secretRef )) )) (dict "name" "rc-credentials" )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $volumes) (default (list ) $values.storage.volume))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.volumeMountss" -}} +{{- $values := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $mounts := (coalesce nil) -}} +{{- if (get (fromJson (include "connectors.Auth.SASLEnabled" (dict "a" (list $values.auth) ))) "r") -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "mountPath" "/opt/kafka/connect-password/rc-credentials" "name" "rc-credentials" )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.ca.secretRef)) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "truststore" "mountPath" "/opt/kafka/connect-certs/ca" )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.cert.secretRef)) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "cert" "mountPath" "/opt/kafka/connect-certs/cert" )))) -}} +{{- end -}} +{{- if (not (empty $values.connectors.brokerTLS.key.secretRef)) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "key" "mountPath" "/opt/kafka/connect-certs/key" )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $mounts) (default (list ) $values.storage.volumeMounts))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/_helpers.go.tpl b/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/_helpers.go.tpl new file mode 100644 index 000000000..49b711538 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/_helpers.go.tpl @@ -0,0 +1,131 @@ +{{- /* Generated from "helpers.go" */ -}} + +{{- define "connectors.Name" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $name := (default $dot.Chart.Name $values.nameOverride) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list $name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.Fullname" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (empty $values.fullnameOverride)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list $values.fullnameOverride) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $name := (default $dot.Chart.Name $values.nameOverride) -}} +{{- if (contains $name $dot.Release.Name) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list $dot.Release.Name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list (printf "%s-%s" $dot.Release.Name $name)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.FullLabels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) (dict "helm.sh/chart" (get (fromJson (include "connectors.Chart" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/managed-by" $dot.Release.Service ) (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.PodLabels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) (dict "app.kubernetes.io/name" (get (fromJson (include "connectors.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/component" (get (fromJson (include "connectors.Name" (dict "a" (list $dot) ))) "r") ) $values.commonLabels)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.Chart" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $chart := (printf "%s-%s" $dot.Chart.Name $dot.Chart.Version) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "connectors.trunc" (dict "a" (list (replace "+" "_" $chart)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.Semver" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (trimPrefix "v" (get (fromJson (include "connectors.Tag" (dict "a" (list $dot) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.ServiceAccountName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if $values.serviceAccount.create -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default (get (fromJson (include "connectors.Fullname" (dict "a" (list $dot) ))) "r") $values.serviceAccount.name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default "default" $values.serviceAccount.name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.ServiceName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default (get (fromJson (include "connectors.Fullname" (dict "a" (list $dot) ))) "r") $values.service.name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.Tag" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $tag := (default $dot.Chart.AppVersion $values.image.tag) -}} +{{- $matchString := "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" -}} +{{- if (not (mustRegexMatch $matchString $tag)) -}} +{{- $_ := (fail "image.tag must start with a 'v' and be a valid semver") -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tag) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "connectors.trunc" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (trimSuffix "-" (trunc (63 | int) $s))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/_helpers.tpl b/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/_helpers.tpl new file mode 100644 index 000000000..89c888eee --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/_helpers.tpl @@ -0,0 +1,79 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{/* +Expand the name of the chart. +*/}} +{{- define "connectors.name" -}} +{{- get ((include "connectors.Name" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "connectors.fullname" }} +{{- get ((include "connectors.Fullname" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +full helm labels + common labels +*/}} +{{- define "full.labels" -}} +{{- (get ((include "connectors.FullLabels" (dict "a" (list .))) | fromJson) "r") | toYaml }} +{{- end -}} + +{{/* +pod labels merged with common labels +*/}} +{{- define "connectors-pod-labels" -}} +{{- (get ((include "connectors.PodLabels" (dict "a" (list .))) | fromJson) "r") | toYaml }} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "connectors.chart" -}} +{{- get ((include "connectors.Chart" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Get the version of redpanda being used as an image +*/}} +{{- define "connectors.semver" -}} +{{- get ((include "connectors.Tag" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "connectors.serviceAccountName" -}} +{{- get ((include "connectors.ServiceAccountName" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Create the name of the service to use +*/}} +{{- define "connectors.serviceName" -}} +{{- get ((include "connectors.ServiceName" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Use AppVersion if image.tag is not set +*/}} +{{- define "connectors.tag" -}} +{{- get ((include "connectors.Tag" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/_pod-monitor.go.tpl b/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/_pod-monitor.go.tpl new file mode 100644 index 000000000..4e12b2008 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/_pod-monitor.go.tpl @@ -0,0 +1,18 @@ +{{- /* Generated from "podmonitor.go" */ -}} + +{{- define "connectors.PodMonitor" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.monitoring.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "podMetricsEndpoints" (coalesce nil) "selector" (dict ) "namespaceSelector" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "monitoring.coreos.com/v1" "kind" "PodMonitor" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "connectors.Fullname" (dict "a" (list $dot) ))) "r") "labels" $values.monitoring.labels "annotations" $values.monitoring.annotations )) "spec" (mustMergeOverwrite (dict "podMetricsEndpoints" (coalesce nil) "selector" (dict ) "namespaceSelector" (dict ) ) (dict "namespaceSelector" $values.monitoring.namespaceSelector "podMetricsEndpoints" (list (mustMergeOverwrite (dict "bearerTokenSecret" (dict "key" "" ) ) (dict "path" "/" "port" "prometheus" ))) "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") )) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/_service.go.tpl b/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/_service.go.tpl new file mode 100644 index 000000000..54a7ce8a0 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/_service.go.tpl @@ -0,0 +1,20 @@ +{{- /* Generated from "service.go" */ -}} + +{{- define "connectors.Service" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $ports := (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "rest-api" "port" ($values.connectors.restPort | int) "targetPort" ($values.connectors.restPort | int) "protocol" "TCP" ))) -}} +{{- range $_, $port := $values.service.ports -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" $port.name "port" ($port.port | int) "targetPort" ($port.port | int) "protocol" "TCP" )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "connectors.ServiceName" (dict "a" (list $dot) ))) "r") "labels" (merge (dict ) (get (fromJson (include "connectors.FullLabels" (dict "a" (list $dot) ))) "r") $values.service.annotations) )) "spec" (mustMergeOverwrite (dict ) (dict "ipFamilies" (list "IPv4") "ipFamilyPolicy" "SingleStack" "ports" $ports "selector" (get (fromJson (include "connectors.PodLabels" (dict "a" (list $dot) ))) "r") "sessionAffinity" "None" "type" "ClusterIP" )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/_serviceaccount.go.tpl b/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/_serviceaccount.go.tpl new file mode 100644 index 000000000..31b5ac2ac --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/_serviceaccount.go.tpl @@ -0,0 +1,18 @@ +{{- /* Generated from "serviceaccount.go" */ -}} + +{{- define "connectors.ServiceAccount" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.serviceAccount.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "ServiceAccount" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "annotations" $values.serviceAccount.annotations "labels" (get (fromJson (include "connectors.FullLabels" (dict "a" (list $dot) ))) "r") "name" (get (fromJson (include "connectors.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/_shims.tpl b/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/_shims.tpl new file mode 100644 index 000000000..e3bb40e41 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/_shims.tpl @@ -0,0 +1,289 @@ +{{- /* Generated from "bootstrap.go" */ -}} + +{{- define "_shims.typetest" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs $typ $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.typeassertion" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (typeIs $typ $value)) -}} +{{- $_ := (fail (printf "expected type of %q got: %T" $typ $value)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $value) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.dicttest" -}} +{{- $m := (index .a 0) -}} +{{- $key := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (hasKey $m $key) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (index $m $key) true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.compact" -}} +{{- $args := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $out := (dict ) -}} +{{- range $i, $e := $args -}} +{{- $_ := (set $out (printf "T%d" ((add (1 | int) $i) | int)) $e) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $out) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.deref" -}} +{{- $ptr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq $ptr (coalesce nil)) -}} +{{- $_ := (fail "nil dereference") -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.len" -}} +{{- $m := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq $m (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (0 | int)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (len $m)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Deref" -}} +{{- $ptr := (index .a 0) -}} +{{- $def := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne $ptr (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $def) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Equal" -}} +{{- $a := (index .a 0) -}} +{{- $b := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (eq $a (coalesce nil)) (eq $b (coalesce nil))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (eq $a $b)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.lookup" -}} +{{- $apiVersion := (index .a 0) -}} +{{- $kind := (index .a 1) -}} +{{- $namespace := (index .a 2) -}} +{{- $name := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (lookup $apiVersion $kind $namespace $name) -}} +{{- if (empty $result) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (coalesce nil) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $result true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asnumeric" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs "float64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asintegral" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (or (typeIs "int64" $value) (typeIs "int" $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (and (typeIs "float64" $value) (eq (floor $value) $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.parseResource" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs "float64" $repr) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (float64 $repr) 1.0)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (not (typeIs "string" $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity expected string or float64 got: %T (%v)" $repr $repr)) -}} +{{- end -}} +{{- if (not (regexMatch `^[0-9]+(\.[0-9]{0,6})?(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$` $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity: %q" $repr)) -}} +{{- end -}} +{{- $reprStr := (toString $repr) -}} +{{- $unit := (regexFind "(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)$" $repr) -}} +{{- $numeric := (float64 (substr (0 | int) ((sub ((get (fromJson (include "_shims.len" (dict "a" (list $reprStr) ))) "r") | int) ((get (fromJson (include "_shims.len" (dict "a" (list $unit) ))) "r") | int)) | int) $reprStr)) -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list (dict "" 1.0 "m" 0.001 "k" (1000 | int) "M" (1000000 | int) "G" (1000000000 | int) "T" (1000000000000 | int) "P" (1000000000000000 | int) "Ki" (1024 | int) "Mi" (1048576 | int) "Gi" (1073741824 | int) "Ti" (1099511627776 | int) "Pi" (1125899906842624 | int) ) $unit (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_1.T2 -}} +{{- $scale := ($tmp_tuple_1.T1 | float64) -}} +{{- if (not $ok) -}} +{{- $_ := (fail (printf "unknown unit: %q" $unit)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $numeric $scale)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MustParse" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_2.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_2.T1 | float64) -}} +{{- $strs := (list "" "m" "k" "M" "G" "T" "P" "Ki" "Mi" "Gi" "Ti" "Pi") -}} +{{- $scales := (list 1.0 0.001 (1000 | int) (1000000 | int) (1000000000 | int) (1000000000000 | int) (1000000000000000 | int) (1024 | int) (1048576 | int) (1073741824 | int) (1099511627776 | int) (1125899906842624 | int)) -}} +{{- $idx := -1 -}} +{{- range $i, $s := $scales -}} +{{- if (eq ($s | float64) ($scale | float64)) -}} +{{- $idx = $i -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if (eq $idx -1) -}} +{{- $_ := (fail (printf "unknown scale: %v" $scale)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s%s" (toString $numeric) (index $strs $idx))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_Value" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_3.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_3.T1 | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf $numeric $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MilliValue" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_4.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_4.T1 | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf ((mulf $numeric 1000.0) | float64) $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.render-manifest" -}} +{{- $tpl := (index . 0) -}} +{{- $dot := (index . 1) -}} +{{- $manifests := (get ((include $tpl (dict "a" (list $dot))) | fromJson) "r") -}} +{{- if not (typeIs "[]interface {}" $manifests) -}} +{{- $manifests = (list $manifests) -}} +{{- end -}} +{{- range $_, $manifest := $manifests -}} +{{- if ne $manifest nil }} +--- +{{toYaml (unset (unset $manifest "status") "creationTimestamp")}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/_values.go.tpl b/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/_values.go.tpl new file mode 100644 index 000000000..9b304d4bf --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/_values.go.tpl @@ -0,0 +1,15 @@ +{{- /* Generated from "values.go" */ -}} + +{{- define "connectors.Auth.SASLEnabled" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $saslEnabled := (not (empty $c.sasl.userName)) -}} +{{- $saslEnabled = (and $saslEnabled (not (empty $c.sasl.mechanism))) -}} +{{- $saslEnabled = (and $saslEnabled (not (empty $c.sasl.secretRef))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $saslEnabled) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/deployment.yaml b/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/deployment.yaml new file mode 100644 index 000000000..ee78b69eb --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/deployment.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "connectors.Deployment" .) -}} diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/pod-monitor.yaml b/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/pod-monitor.yaml new file mode 100644 index 000000000..42c145754 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/pod-monitor.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "connectors.PodMonitor" .) -}} diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/service.yaml b/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/service.yaml new file mode 100644 index 000000000..0b8825bef --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/service.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "connectors.Service" .) -}} diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/serviceaccount.yaml b/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/serviceaccount.yaml new file mode 100644 index 000000000..eda755fb1 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/serviceaccount.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "connectors.ServiceAccount" .) -}} diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/tests/01-mm2-values.yaml b/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/tests/01-mm2-values.yaml new file mode 100644 index 000000000..f74732def --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/templates/tests/01-mm2-values.yaml @@ -0,0 +1,176 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- define "curl-options" -}} +{{- print " -svm3 --fail --retry \"120\" --retry-max-time \"120\" --retry-all-errors -o - -w \"\\nstatus=%{http_code} %{redirect_url} size=%{size_download} time=%{time_total} content-type=\\\"%{content_type}\\\"\\n\" "}} +{{- end -}} +{{- if .Values.test.create -}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "connectors.fullname" . }}-mm2-test-{{ randNumeric 3 }} + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: create-mm2 + image: docker.redpanda.com/redpandadata/redpanda:latest + command: + - /bin/bash + - -c + - | + set -xe + + trap connectorsState ERR + + connectorsState () { + echo check connectors expand status + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors?expand=status + echo check connectors expand info + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors?expand=info + echo check connector configuration + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors/$CONNECTOR_NAME + echo check connector topics + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors/$CONNECTOR_NAME/topics + } + + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors + + SASL_MECHANISM="PLAIN" + {{- if .Values.auth.sasl.enabled }} + set -e + set +x + + IFS=: read -r CONNECT_SASL_USERNAME KAFKA_SASL_PASSWORD CONNECT_SASL_MECHANISM < $(find /mnt/users/* -print) + CONNECT_SASL_MECHANISM=${CONNECT_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + if [[ -n "$CONNECT_SASL_USERNAME" && -n "$KAFKA_SASL_PASSWORD" && -n "$CONNECT_SASL_MECHANISM" ]]; then + rpk profile set user=$CONNECT_SASL_USERNAME pass=$KAFKA_SASL_PASSWORD sasl.mechanism=$CONNECT_SASL_MECHANISM + SASL_MECHANISM=$CONNECT_SASL_MECHANISM + JAAS_CONFIG_SOURCE="\"source.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${CONNECT_SASL_USERNAME}\\\\"\" password=\\\\"\"${KAFKA_SASL_PASSWORD}\\\\"\";\"," + JAAS_CONFIG_TARGET="\"target.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${CONNECT_SASL_USERNAME}\\\\"\" password=\\\\"\"${KAFKA_SASL_PASSWORD}\\\\"\";\"," + fi + + set -x + set +e + {{- end }} + + rpk profile create test + rpk profile set tls.enabled={{.Values.connectors.brokerTLS.enabled}} brokers={{ .Values.connectors.bootstrapServers }} + {{- if .Values.connectors.brokerTLS.ca.secretRef }} + rpk profile set tls.ca={{ printf "/redpanda-certs/%s" (default "ca.crt" .Values.connectors.brokerTLS.ca.secretNameOverwrite) }} + {{- end }} + + {{- if .Values.connectors.brokerTLS.enabled }} + CONNECT_TLS_ENABLED=true + {{- else }} + CONNECT_TLS_ENABLED=false + {{- end }} + SECURITY_PROTOCOL=PLAINTEXT + if [[ -n "$CONNECT_SASL_MECHANISM" && $CONNECT_TLS_ENABLED == "true" ]]; then + SECURITY_PROTOCOL="SASL_SSL" + elif [[ -n "$CONNECT_SASL_MECHANISM" ]]; then + SECURITY_PROTOCOL="SASL_PLAINTEXT" + elif [[ $CONNECT_TLS_ENABLED == "true" ]]; then + SECURITY_PROTOCOL="SSL" + fi + + rpk topic list + rpk topic create test-topic + rpk topic list + echo "Test message!" | rpk topic produce test-topic + + CONNECTOR_NAME=mm2-$RANDOM + cat << 'EOF' > /tmp/mm2-conf.json + { + "name": "CONNECTOR_NAME", + "config": { + "connector.class": "org.apache.kafka.connect.mirror.MirrorSourceConnector", + "topics": "test-topic", + "replication.factor": "1", + "tasks.max": "1", + "source.cluster.bootstrap.servers": {{ .Values.connectors.bootstrapServers | quote }}, + "target.cluster.bootstrap.servers": {{ .Values.connectors.bootstrapServers | quote }}, + "target.cluster.alias": "test-only", + "source.cluster.alias": "source", + "key.converter": "org.apache.kafka.connect.converters.ByteArrayConverter", + "value.converter": "org.apache.kafka.connect.converters.ByteArrayConverter", + "source->target.enabled": "true", + "target->source.enabled": "false", + "sync.topic.configs.interval.seconds": "5", + "sync.topics.configs.enabled": "true", + "source.cluster.ssl.truststore.type": "PEM", + "target.cluster.ssl.truststore.type": "PEM", + "source.cluster.ssl.truststore.location": {{ printf "/opt/kafka/connect-certs/ca/%s" (default "ca.crt" .Values.connectors.brokerTLS.ca.secretNameOverwrite) | quote }}, + "target.cluster.ssl.truststore.location": {{ printf "/opt/kafka/connect-certs/ca/%s" (default "ca.crt" .Values.connectors.brokerTLS.ca.secretNameOverwrite) | quote }}, + JAAS_CONFIG_SOURCE + JAAS_CONFIG_TARGET + "source.cluster.security.protocol": "SECURITY_PROTOCOL", + "target.cluster.security.protocol": "SECURITY_PROTOCOL", + "source.cluster.sasl.mechanism": "SASL_MECHANISM", + "target.cluster.sasl.mechanism": "SASL_MECHANISM", + "offset-syncs.topic.replication.factor": 1 + } + } + EOF + + sed -i "s/CONNECTOR_NAME/$CONNECTOR_NAME/g" /tmp/mm2-conf.json + sed -i "s/SASL_MECHANISM/$SASL_MECHANISM/g" /tmp/mm2-conf.json + sed -i "s/SECURITY_PROTOCOL/$SECURITY_PROTOCOL/g" /tmp/mm2-conf.json + set +x + sed -i "s/JAAS_CONFIG_SOURCE/$JAAS_CONFIG_SOURCE/g" /tmp/mm2-conf.json + sed -i "s/JAAS_CONFIG_TARGET/$JAAS_CONFIG_TARGET/g" /tmp/mm2-conf.json + set -x + + curl {{ template "curl-options" . }} -H 'Content-Type: application/json' http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors -d @/tmp/mm2-conf.json + + # The rpk topic consume could fail for the first few times as kafka connect needs + # to spawn the task and copy one message from the source topic. To solve this race condition + # the retry should be implemented in bash for rpk topic consume or other mechanism that + # can confirm source connectors started its execution. As a fast fix fixed 30 second fix is added. + sleep 30 + + rpk topic consume source.test-topic -n 1 | grep "Test message!" + + curl {{ template "curl-options" . }} -X DELETE http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors/$CONNECTOR_NAME + + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" . }}:{{ .Values.connectors.restPort }}/connectors + + rpk topic delete test-topic source.test-topic mm2-offset-syncs.test-only.internal + volumeMounts: + {{- if .Values.connectors.brokerTLS.ca.secretRef }} + - mountPath: /redpanda-certs + name: redpanda-ca + {{- end }} + {{- toYaml .Values.storage.volumeMounts | nindent 8 }} + volumes: + {{- if .Values.connectors.brokerTLS.ca.secretRef }} + - name: redpanda-ca + secret: + defaultMode: 0444 + secretName: {{ .Values.connectors.brokerTLS.ca.secretRef }} + {{- end }} + {{- toYaml .Values.storage.volume | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/testdata/template-cases-generated.txtar b/charts/redpanda/redpanda/5.9.2/charts/connectors/testdata/template-cases-generated.txtar new file mode 100644 index 000000000..575120e32 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/testdata/template-cases-generated.txtar @@ -0,0 +1,13778 @@ +Generated by TestGenerateCases +-- case-000 -- +fullnameOverride: rpVz +imagePullSecrets: +- name: "Y" +- name: oCy +- name: M +logging: + level: 0rksB2 +monitoring: + enabled: true + labels: + 5Fm2d5: 8GfL + HhgyOa: "1" + L9qHqt6R: LhlwQrUay + namespaceSelector: {} +nameOverride: pO5m +test: {} +tolerations: +- effect: 險CƅN奚4z攷Ȭ懿ǩi + key: ftgtOR + operator: 轧ǎɄHL骮磊胦Ĥ鰭 + value: HNRvd3P +- effect: $駏AF + key: QEX + operator: TŦ + tolerationSeconds: 9130697478155031191 + value: gFhGwGYsZj8 +- effect: Ð(Ƨ4ýZ_体}ʢ + key: Skz0OP3K + operator: oEa@w瑭 + value: 3G +-- case-001 -- +auth: {} +container: + javaGCLogEnabled: t1lDqf0PT8Xy + securityContext: {} +fullnameOverride: WtC +nameOverride: nZ +service: + name: 5wkC +storage: {} +-- case-002 -- +container: + javaGCLogEnabled: YUlcy4 + resources: {} +fullnameOverride: xp6vcIlb +imagePullSecrets: +- name: Tm0bmByz +- name: gSGPB +- name: 58yP +nameOverride: ZZ5 +serviceAccount: + annotations: + gM: gxAdfFrD + create: true + name: AN +storage: + volume: + - name: AhJ + volumeMounts: + - mountPath: hVlmCfXmla + mountPropagation: ÇƭȊ餧鵣鋚蕛ʖ诂瑧)ɍĿ8šȪ轭ʌ倈 + name: 482T + readOnly: true + subPath: Un28M + subPathExpr: weDK9jo + - mountPath: YWN6OS + name: 5ijm8 + subPath: safiSmZ + - mountPath: MBW5 + name: ibiELmf2 + readOnly: true + subPath: E + subPathExpr: piX +test: {} +tolerations: +- effect: 翀ɫŧ(馕Ť B + key: z4CO9NIHr + operator: =ǒ旔Īz尰淅ȜL + tolerationSeconds: -3342574177579699030 + value: 6qB +- effect: f + operator: Jǂ繦緮:Ǥ鄒鉠V}璊澘苚澞邍 + value: eAj9 +- effect: ʥ龦ȏ櫕3ø½ + key: mVGM5 + operator: pȩ纆s;畞"ŀ凓ɿ®ĄǤ_ + tolerationSeconds: 8874959473893236931 + value: S97vJbOM +-- case-003 -- +container: + javaGCLogEnabled: AGZOKrMs + securityContext: {} +fullnameOverride: kNrkCdEuw9V +imagePullSecrets: +- name: QIa +- name: 9QE3ez +- name: np1QDs89l +logging: + level: s2fGu +monitoring: + scrapeInterval: 1275505h31m51.442697795s +nameOverride: Wvpgs +tolerations: +- effect: 蠉ŊWƎ-ɄM@腒z饊4宝芵D + key: ZA +- effect: 桋 + key: 89yJQ + operator: 統nȓ璝,搼匪¨蕂Z酺ŕ賀枴蕧颥 + tolerationSeconds: 404439244630337484 + value: 6CGQZY +-- case-004 -- +fullnameOverride: 74qyne +imagePullSecrets: +- name: lnn +nameOverride: xhLPt0 +test: {} +-- case-005 -- +auth: {} +container: + javaGCLogEnabled: u12AMM +deployment: + nodeSelector: + ppXWIa: yWFoE + priorityClassName: MVCo + readinessProbe: + exec: {} + failureThreshold: -321470157 + grpc: + port: -157736567 + service: lkRxi7xVArBg7 + initialDelaySeconds: 1821796808 + periodSeconds: -469069323 + successThreshold: -1171276641 + terminationGracePeriodSeconds: -6163690760469911235 + timeoutSeconds: 1191785929 + revisionHistoryLimit: -544556764 + schedulerName: Lwp + securityContext: + fsGroupChangePolicy: eĻȊ4愻' + runAsGroup: 7076055353387776300 + runAsUser: 1448978345039473532 + supplementalGroups: + - 6910305894952865149 + strategy: + type: AT9FgtX + terminationGracePeriodSeconds: 1820238753 + topologySpreadConstraints: + - topologyKey: OAvMKg + whenUnsatisfiable: pasNu + - topologyKey: izYRz + whenUnsatisfiable: V2RO2 +fullnameOverride: J +nameOverride: W +serviceAccount: + name: VLlCi +storage: + volumeMounts: + - mountPath: 9hR6GGwna + name: f9h8iHd + subPath: u6UaQTj + subPathExpr: A13AGT +-- case-006 -- +commonLabels: + LvtMtyy: tvfxqD2lry + YC2zBn: OLSkBqQE + m2DRq: cS +fullnameOverride: R93VG +logging: + level: 0aZ +nameOverride: Vlci +service: + name: gkX +serviceAccount: + annotations: + 2oUsUW: r + lx: u6Li342dNU + create: true + name: "7" +test: {} +tolerations: +- effect: ']粢GDž洉鼭i簾Ƹȑȼ裋#' + key: XVr + operator: rȷ,xdk« + value: S7cZC +-- case-007 -- +connectors: + additionalConfiguration: ZQu + bootstrapServers: ue + brokerTLS: {} + groupID: y2 + schemaRegistryURL: kS0A8GucOgn + secretManager: + connectorsPrefix: I072i1u + consolePrefix: ppQ9x2 + region: uohiz + storage: {} +fullnameOverride: NUTO +logging: + level: n3s7 +monitoring: + enabled: false + scrapeInterval: 758193h55m31.821599286s +nameOverride: Gb7J7k +service: + name: 9PY0 +test: + create: true +tolerations: +- key: Mq8z6HgsAvY + tolerationSeconds: 2615803531399402268 + value: hlJeDG2R +- effect: Æ弽ʟʍb³Y庻啱Ŧ頱ɛ隕蜐m鼋焜 + key: h + operator: P涉晣 ľ÷ɇV湣庻/ + value: Q +- effect: k + key: rt + operator: 菔xn + tolerationSeconds: 9166113446651272576 + value: kkW +-- case-008 -- +container: + javaGCLogEnabled: pq3jgGoeY +deployment: + budget: {} + extraEnvFrom: + - prefix: W + - prefix: 6Cgj + - prefix: YV + livenessProbe: + failureThreshold: -1790317528 + httpGet: + host: qAB + path: Eim2yxc + port: qhcH6h + scheme: 5捰¥­鎻藦 + initialDelaySeconds: -853917423 + periodSeconds: 1730314559 + successThreshold: -1047272333 + terminationGracePeriodSeconds: -6159328979217767494 + timeoutSeconds: 478977165 + podAntiAffinity: + custom: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + faNCB: E4juJ + oIG4a9Wa: Fca0z9t + mismatchLabelKeys: + - 5lmh + - zy + namespaces: + - E2xl + topologyKey: 8N3 + - namespaceSelector: {} + topologyKey: hrMRkZSK + topologyKey: 9ZbeCsEgDC + type: jUSv + priorityClassName: T6Ndpl0PL + progressDeadlineSeconds: 467220788 + schedulerName: iVovlD + terminationGracePeriodSeconds: 1520290623 +fullnameOverride: PNw8 +imagePullSecrets: +- name: EzI +- {} +- name: rjR6q +nameOverride: tPhRiQRK +test: {} +-- case-009 -- +auth: + sasl: + enabled: false + mechanism: ECm + secretRef: Udgkf + userName: nhJO6Xj +container: + javaGCLogEnabled: K + resources: + limits: {} + request: {} + securityContext: + allowPrivilegeEscalation: true +deployment: + create: false + livenessProbe: + failureThreshold: -999329257 + grpc: + port: -155863346 + service: bWO + initialDelaySeconds: 1584729597 + periodSeconds: -1715701628 + successThreshold: 729966777 + timeoutSeconds: 696662707 + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + priorityClassName: oEOG + schedulerName: FzFE73 +fullnameOverride: Ygj9B +nameOverride: wCD97n +service: + name: H +serviceAccount: + annotations: + LWQ09i: tiLdCrApld + v2D6hTB: NGlgEEm + create: true + name: eyeD +test: + create: true +tolerations: +- effect: Q笜ƿ]0Ƒ5Ġ瞙镆 + key: JHnNnpNn4wHeL + operator: 羛矖暓(ĵ蕥}撟CťI精Ů + value: 5k0 +- effect: 牭顭Ů"ɇ郿ƛ摒炽?ƗlûǤ眗ɣ@ģb + key: pcwgtTr + operator: ř + value: zs +-- case-010 -- +auth: {} +commonLabels: + cUt: YvDFEsYlU + g3hOh91HKI: CHwTjLYe2XS + h4yNA: fJL +container: + javaGCLogEnabled: "" + resources: {} +fullnameOverride: LsGZn +monitoring: + enabled: true + labels: + wsUYAN3C: BzMz48 + namespaceSelector: + any: true +nameOverride: 9fz +serviceAccount: + create: false + name: bZ1w2 +storage: {} +-- case-011 -- +auth: + sasl: + mechanism: eTh + secretRef: H5TroU8 + userName: 8MR9Bee +commonLabels: + bX: vmmkhH2NHvdt + mO: pT +connectors: + additionalConfiguration: "" + bootstrapServers: vucld + brokerTLS: + enabled: false + key: + secretNameOverwrite: VT + secretRef: lz9QFe + groupID: X + producerBatchSize: 606208011 + producerLingerMS: 1644100599 + schemaRegistryURL: mGj8 + secretManager: + connectorsPrefix: uTTGy6JO572 + consolePrefix: TFKp + enabled: true + region: Zga57aiC +deployment: + budget: + maxUnavailable: -1825328882 + extraEnv: + - name: ogAtm + value: mJfm + - name: 2dTzgfH + value: sNiAP + valueFrom: + configMapKeyRef: + key: gSl56 + name: c + optional: true + resourceFieldRef: + containerName: AXKLF + divisor: "0" + resource: "" + - name: N1yV1 + value: nLSeqDK + extraEnvFrom: + - prefix: 9HB6W4t + secretRef: + name: NYC3bKPQWLc + optional: false + livenessProbe: + exec: {} + failureThreshold: -757710692 + initialDelaySeconds: -949475509 + periodSeconds: 1423942066 + successThreshold: 1080931760 + timeoutSeconds: -1902342435 + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchFields: + - key: qi12DQkzc + operator: 駣>蕐k泌蚮奘5d墥7Ȋ + values: + - Sp + weight: 1587628539 + podAntiAffinity: + topologyKey: rero1 + type: u + weight: 2087428837 + priorityClassName: ulsVLH + revisionHistoryLimit: -1010709730 + schedulerName: g + securityContext: + fsGroupChangePolicy: b + strategy: + type: XhI1Zz + updateStrategy: + type: OwYo +fullnameOverride: etuP +logging: + level: 20R9 +nameOverride: xiBXju +serviceAccount: + annotations: + OZRRPON: npX3 + Y1hvwE727: rZI + i1rZ2cwr: "" + name: dr5NDVhU0W3x +storage: + volumeMounts: + - mountPath: NIVHRdAc + name: BHPad + readOnly: true + subPath: z + subPathExpr: iwiB7uVoG + - mountPath: S6g7 + mountPropagation: $+g"訜駄 + name: 1iwfb + readOnly: true + subPath: 5XRI + subPathExpr: zNyXts +test: + create: false +-- case-012 -- +container: + javaGCLogEnabled: L9Ab4 +deployment: + annotations: + qhL: NwcVhzqvm + wjUv: xruF36CXB6YP + budget: {} + create: false + livenessProbe: + failureThreshold: -2109366246 + grpc: + port: -1015383620 + service: ritV + initialDelaySeconds: 1360388115 + periodSeconds: 768065118 + successThreshold: 1600450204 + terminationGracePeriodSeconds: -7255894925502993587 + timeoutSeconds: -1772311361 + nodeAffinity: {} + nodeSelector: + TPLQj2m: 7U6MPf + podAntiAffinity: + custom: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + "": lEtTbibY + KL: "9" + cRAELbm: o7TNTG + namespaceSelector: {} + topologyKey: 65ytaH + - matchLabelKeys: + - cxFsG + - kfVIsSK1 + - k + namespaceSelector: {} + topologyKey: YL8 + topologyKey: lxPsOox + type: T + weight: -864722068 + priorityClassName: CX + progressDeadlineSeconds: 368835309 + revisionHistoryLimit: 1912936765 + schedulerName: FfXGO1 + strategy: + type: mjPaU + updateStrategy: + type: 0u +fullnameOverride: Tpn +monitoring: + labels: + "0": m4M + VAD3Bq: LIrfcIp + Zc7e: Ixb + namespaceSelector: + matchNames: + - 24w + scrapeInterval: 175243h15m49.218935959s +nameOverride: MexiU +service: + name: Ac +test: {} +tolerations: +- effect: 村ɭȢvɝ>Á阣ǵ«彼Ċȣ庯蕠ń + key: XLicRkmamr + operator: É晱鄼9腁 +- effect: FkËT鋏T碻 + key: DbJOt + operator: 涛ĩ差s坥閵;ĺ%堢醧 1?`脪雯! + value: RKg76fjFC +- effect: ƐlǎÜʛdž壟嚲A厪ļk.BF + key: r + operator: ']縖' + value: 0f +-- case-013 -- +auth: + sasl: + enabled: true + mechanism: SDp7 + secretRef: 4WR + userName: MwyeN8 +deployment: + budget: + maxUnavailable: 24384073 + create: false + livenessProbe: + exec: {} + failureThreshold: 2001873995 + grpc: + port: -570073675 + service: VF + initialDelaySeconds: 1435901271 + periodSeconds: -1827120891 + successThreshold: 543681313 + terminationGracePeriodSeconds: 7623134148266453805 + timeoutSeconds: -602096728 + nodeSelector: + pflZ7G: A0jyH + priorityClassName: zjQ2B + revisionHistoryLimit: -841820257 + schedulerName: h3uqMw4N + tolerations: + - key: 5o5Syu + operator: _ɤʞƏ穆rPNij9ʯP缪Ƈǿw + tolerationSeconds: -1826520063540927425 + value: 1VpdZ + - effect: Ǒ±Ǖ;ʐ覓朊c$迂Ƀȣf + key: "1" + operator: '"轜N_''ğ)Í5Iu:+Ņe嶵薏' + tolerationSeconds: -7530147871827456803 +fullnameOverride: bAtOao +monitoring: + enabled: true + scrapeInterval: 66327h16m50.874180173s +nameOverride: w8tCi3K +service: + name: InI +serviceAccount: + name: 6le +test: + create: true +tolerations: +- effect: ^嚿潷 + key: Xth0FkarCwDhRM + operator: ']ǒŘMpU謵Mɗ缿@篦3qǴ ʝ諜费' + tolerationSeconds: -2483428479265143204 +- effect: 堟Y注ʥ骊țL芮|łfÆ + key: IF9M6x + operator: y;旴XƬ糔剰Ǜ鮡 + value: USzGY +-- case-014 -- +auth: + sasl: + mechanism: ntVNf + secretRef: mQuWoG00Z + userName: "" +connectors: + additionalConfiguration: E + bootstrapServers: cywT8MNAo + groupID: 6AsORVCaYJ + producerBatchSize: -831136974 + schemaRegistryURL: cSf + secretManager: + connectorsPrefix: RnHNJ7bJD0 + consolePrefix: GMeK0dod3 + enabled: false + region: t77zc +fullnameOverride: u7DU +monitoring: + enabled: true + labels: + aVoQ7: vECqlu0Pe + namespaceSelector: + matchNames: + - alQT6bxHho + - jKf + - p +nameOverride: dA1zsc +serviceAccount: + name: HAAJtAWrjJ +-- case-015 -- +auth: {} +commonLabels: + 96Kx: 1DW5QoLP + LY: nDw + etW: "9" +deployment: + budget: + maxUnavailable: -1737560958 + create: false + extraEnv: + - name: Bc + value: pB + valueFrom: + configMapKeyRef: + key: RStSG + name: rpc1FHY + resourceFieldRef: + containerName: sKpIz + divisor: "0" + resource: GM5pHA + secretKeyRef: + key: gM8EqA + name: KmFME + optional: false + - name: "" + value: me8paXgJ + - name: nLU + value: "6" + valueFrom: + fieldRef: + apiVersion: rsTk + fieldPath: Hs + resourceFieldRef: + containerName: TvVr1l + divisor: "0" + resource: HH4x1 + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: null + nodeSelector: + fh9: xbk + jILeDZ3: SJ16 + uzP02S: iZVVMqQ + podAffinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: null + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - namespaceSelector: + matchExpressions: + - key: 57Js + operator: "" + values: + - EdjUMt + - key: mJ8aRtIDW2S + operator: Ɨ3綂ȕ0蘗Iɉ8Ȟ怶Ⱥ门ʛC嫾ʑªƛ + values: + - 7eo + - 004AeS + - key: EJ + operator: dP + values: + - IgSuQGAK6gx + - oNFCGVbRN + - C5qeL + matchLabels: + gbheV: 6ZDyWDt + namespaces: + - elkM9HO + - 8C7YR9 + - IYYqJs + topologyKey: "" + podAntiAffinity: {} + priorityClassName: 7M + progressDeadlineSeconds: -660403045 + restartPolicy: zy莃:`KEȈ乭Ş璡o髞ůKė趡ʭ + revisionHistoryLimit: -1404737890 + schedulerName: z6D0iC + terminationGracePeriodSeconds: -194304314 + updateStrategy: + type: xSEGKS +fullnameOverride: 5eY7 +logging: + level: lk9GZiF6 +nameOverride: bpgtWxol +service: + name: x +storage: + volume: + - name: pD + - name: MmiQZ4o + volumeMounts: + - mountPath: Fk9qDh + mountPropagation: OV棴ǝɃ箪 + name: GHi + readOnly: true + subPath: MHNGOL2dBmh + subPathExpr: wZHGIC2B3 + - mountPath: k97wi + mountPropagation: 摪ƝH迒LhĂ + name: A2 + subPath: ij8 + subPathExpr: vMM + - mountPath: 7iD + mountPropagation: Dè轖#KŵÅi轓m癈跔 + name: JOhkrajKTFMI + subPath: krtU + subPathExpr: cxblS +test: {} +-- case-016 -- +container: + javaGCLogEnabled: NSE + resources: + javaMaxHeapSize: "0" + request: + cpu: "0" + securityContext: {} +fullnameOverride: bGMfavR +logging: + level: oj4P +monitoring: + scrapeInterval: 1616184h3m28.108622923s +nameOverride: Cex3v +service: + annotations: + IUeOwNT: T3w1nV + Si: dNUY + name: B5Y + ports: + - name: HzTtdut + port: 741893604 + - name: yT6vYOdszF + port: -1916404761 +serviceAccount: + name: cxOBE +storage: + volume: + - name: X7ZZu + - name: KkkMA7 + - name: Btxy +test: {} +-- case-017 -- +commonLabels: + wR: GAm +connectors: + additionalConfiguration: ro5XOd9Tf + bootstrapServers: RKH + brokerTLS: + cert: + secretNameOverwrite: khTfK + secretRef: qXwTCH + enabled: true + key: + secretNameOverwrite: u0 + secretRef: OCzzkl + groupID: hPUA1m7 + producerBatchSize: 1121174748 + producerLingerMS: -221329759 + schemaRegistryURL: dt2Vd1bTg + secretManager: + connectorsPrefix: Z5Cv + consolePrefix: X1zP + enabled: true + region: LrK6I + storage: + remote: + read: + config: false + offset: false + write: + config: false + offset: false + topic: + config: Uf + offset: "n" + status: kNLwla +container: + javaGCLogEnabled: x3dH + resources: + javaMaxHeapSize: "0" + limits: + cpu: "0" + request: + cpu: "0" + securityContext: + allowPrivilegeEscalation: false +deployment: + annotations: + fet: YGwnq + create: true + extraEnvFrom: + - prefix: Ci6EGf + secretRef: + name: cDwbNN + livenessProbe: + failureThreshold: 1181508047 + grpc: + port: 1103363052 + service: BghH + httpGet: + path: 5Io5 + port: fXmkdb + scheme: ɚ + initialDelaySeconds: -215289091 + periodSeconds: 918675027 + successThreshold: -1707139863 + timeoutSeconds: 1673866844 + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: "2" + operator: 箓Ęȁ銵鷝Ā喳Ăɀ} + - key: j + operator: ɓ + matchFields: + - key: "" + operator: vǃ鞳邪§Ț皾6 + - key: Yi7SzM + operator: Ǎ浹籥岷Ħ + values: + - Czu9d1V + - key: r6y + operator: 牁p认ð_蠡hHiÖq肓ǭʤe)ĉB扝 + - {} + podAntiAffinity: + topologyKey: MECG5Y + type: bTzd + weight: -803515299 + priorityClassName: "N" + progressDeadlineSeconds: 444536561 + readinessProbe: + exec: + command: + - TGFiXP + - Z79QNgs + failureThreshold: -1832996555 + grpc: + port: 431368512 + service: eUPPAkf + httpGet: + host: f + path: KJ + port: NNA + scheme: $ǡH庋Y¶闣ĸǽv蘈 + initialDelaySeconds: 877141221 + periodSeconds: 2102410645 + successThreshold: 1537121792 + terminationGracePeriodSeconds: -8439557874955512884 + timeoutSeconds: -2026548303 + revisionHistoryLimit: 1418020237 + schedulerName: FQjdKmjClI5B + strategy: + type: WVP1Q8 + terminationGracePeriodSeconds: 1127207064 + topologySpreadConstraints: + - maxSkew: -1487816419 + topologyKey: Mw7m + whenUnsatisfiable: "" + - maxSkew: -1469244889 + topologyKey: HuZRY + whenUnsatisfiable: NX + - maxSkew: -346884429 + topologyKey: xVWCd + whenUnsatisfiable: p + updateStrategy: + type: "" +fullnameOverride: u1Dk +nameOverride: DAE +serviceAccount: + annotations: + GPwb: rsHTj2N + c4: HTI5lp + vUnChIysI: ZfUINMh + create: false + name: zF +test: + create: true +tolerations: +- effect: f + key: RDN + operator: 狀番ǵ曻縖=&Ɛʤe佥墺辅x7絼櫓 + tolerationSeconds: 4568597810181054356 + value: 7zNQUA +-- case-018 -- +auth: + sasl: + mechanism: VtLC5 + secretRef: ng2m + userName: 1Iwn7 +connectors: + additionalConfiguration: l3aLVX5 + bootstrapServers: hj4Aab + brokerTLS: + key: + secretNameOverwrite: z4oRSGo + secretRef: Ee + groupID: m + producerBatchSize: 1913291774 + producerLingerMS: -313398730 + restPort: 1476502274 + schemaRegistryURL: nL5qOV + secretManager: + connectorsPrefix: 2KQcX + consolePrefix: NnQ + region: 0P7 +fullnameOverride: hX1VdtP7gp7c +imagePullSecrets: +- name: W1 +monitoring: + annotations: + JZgY7gH: ZeFjP9nhvOjMI + gS26QJ5: cAc + labels: + DORM: tayRzd99 + yc2ti: kI0liqp5YBMr + namespaceSelector: + any: true +nameOverride: C +service: + name: CVJfMb + ports: + - name: DT +serviceAccount: + create: false + name: 3xqtRwRI +storage: + volumeMounts: + - mountPath: 5koRVhJz + mountPropagation: 穠耱誕Ȝ躰灬灺Ķ輔硯dzȦ1e蘄ò.o + name: 5lp + subPath: bEZmgVKO + subPathExpr: 5UCo6 +test: {} +-- case-019 -- +commonLabels: + 1sF: 45XnA + a1rMZK: Jzq +connectors: + additionalConfiguration: "" + bootstrapServers: ezzGY + groupID: CL5YFuVD + producerLingerMS: -936976440 + restPort: 2065008586 + schemaRegistryURL: XTAQJ + secretManager: + connectorsPrefix: Q + consolePrefix: "79" + enabled: true + region: 3EfPcaJPeL +deployment: + budget: {} + create: true + extraEnv: + - name: s + value: q7x401sB3R + - name: p + value: Odn + valueFrom: + fieldRef: + apiVersion: Tmp29KLiQ5 + fieldPath: "2" + secretKeyRef: + key: RRlr0C + name: jx + - name: M + value: dHu2S + valueFrom: + configMapKeyRef: + key: YT + name: x84MM29Kc5u + optional: true + fieldRef: + apiVersion: AKdDlUG8v + fieldPath: wHCWO + extraEnvFrom: + - configMapRef: + name: MF8pnsf + optional: false + prefix: lT + secretRef: + name: W + livenessProbe: + exec: {} + failureThreshold: 832341066 + httpGet: + host: 2YhKEXGGy + path: Er43b4o + port: 523079005 + scheme: '-' + initialDelaySeconds: -493754907 + periodSeconds: -888317874 + successThreshold: -1792385861 + timeoutSeconds: -359586002 + podAntiAffinity: + topologyKey: 4YPfUs + type: 62y + priorityClassName: HXWM5 + readinessProbe: + exec: {} + failureThreshold: -2059548026 + httpGet: + host: z + path: jn + port: k1cVehfSqQ + scheme: 筭洰a恥¾兼ƍV5 + initialDelaySeconds: 438569678 + periodSeconds: 2034323562 + successThreshold: -1007748590 + timeoutSeconds: -1489292970 + revisionHistoryLimit: -656791059 + schedulerName: Wrjb3H + tolerations: + - effect: Ƿ闄 + key: O + operator: 鵉鼌q穋R譼驪妼擕`ƛ駴ň + tolerationSeconds: -8397972967079996177 + value: 1KZwe4 +fullnameOverride: S9NS5c +monitoring: + enabled: false + namespaceSelector: {} + scrapeInterval: 1263504h12m50.743340543s +nameOverride: qQY +service: + name: iPsih4 +storage: {} +test: + create: false +tolerations: +- effect: '}´ƃë\]Ä嗍6u乡嗹v鄭°' + key: E1j + operator: 滲 + value: OA +-- case-020 -- +auth: {} +deployment: + annotations: + hM5Ozaprm: lIZA9 + mT: 0LKs + create: false + extraEnvFrom: + - configMapRef: + name: FLR + optional: false + prefix: eDtm + - configMapRef: + name: t + optional: false + prefix: dlW1 + secretRef: + name: y3pc2pFWSm + livenessProbe: + exec: + command: + - h + failureThreshold: 2104262150 + httpGet: + host: Ah8pO + path: CRw + port: -1437145013 + scheme: y崬lAJ埰u<~ţ馜哶炽nj荻Ȩ淣 @ + initialDelaySeconds: 1024187677 + periodSeconds: 913677726 + successThreshold: 1848348137 + terminationGracePeriodSeconds: 3692284600662469393 + timeoutSeconds: 414675637 + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: bYDy + operator: 5ȺĜƒ靍殌ȌƗǢ4;幄 + values: + - EF9 + - FQ + - key: oxk5s + operator: '}Ū椣Ğn' + values: + - lgx + - NcKuJ + - key: NC4kwCJt + operator: ńƕÅǽȄʛ + values: + - f0 + - 7yXJIG + - W + weight: -806977733 + - preference: {} + weight: -1752665730 + - preference: + matchFields: + - key: BE + operator: +ÐQ斴T"wǶ偌T脍Ş逢 + values: + - zMTwun9 + - CeAjK + - key: TYVhhI1HI + operator: ǚůƍ嬀ĸȮ-(0玖ž[Ǚ炓檓se + weight: -1752262723 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: TmnaP + operator: ´ĵ3QI馉ȿʊ}ƻ + values: + - EcGCXgcAX + - key: k9Y9tmH + operator: ĕÏ呇ǔƘ綹* + - key: "" + operator: 铈ş< ƞ'Sķ筋e7,=冘蚖詞 + matchFields: + - key: zc5PoF + operator: "" + values: + - y7IJrN + - F8X + - PSmazIp + - key: keuZoH + operator: Sy + values: + - 7sXP + - 37w3o9wjEfLo + - "3" + - {} + - matchExpressions: + - key: "" + operator: 賋è霺ghoơz闠Ĉ«ƍq + values: + - rhFXXif7v + - ixPCwn + - O3 + matchFields: + - key: FNmh89toZo + operator: '''勃ʇ夛浵欑"鋫驾{êPǪvÍ襑' + values: + - dV + - vRVfIecf + podAntiAffinity: + topologyKey: DK7g + type: "" + weight: 2116118619 + priorityClassName: Wy3x + progressDeadlineSeconds: -2099104625 + readinessProbe: + failureThreshold: 1384600958 + grpc: + port: -2111497644 + service: U62KFYODDp + httpGet: + host: i3U2 + path: u3nsOY + port: -120629401 + scheme: Ɲ H齧責欖Ğâ柷ɒł + initialDelaySeconds: -1607019514 + periodSeconds: 1117157063 + successThreshold: -2017370070 + terminationGracePeriodSeconds: -6500262321144121445 + timeoutSeconds: -689176139 + schedulerName: MXeR + securityContext: + fsGroupChangePolicy: Ɛ6佒ʕ + runAsGroup: 993874004271065493 + runAsUser: -6188102389190039866 + sysctls: + - name: NnI7Pde1 + value: E8nl + terminationGracePeriodSeconds: 708995785 + updateStrategy: + type: cIAjo4 +fullnameOverride: IAukfjAiE +imagePullSecrets: +- name: Jm0uOuT +logging: + level: g +monitoring: + enabled: false + labels: + IwGT2: U9Mez5Vvz + RTBh: DcL3Cfz3j + Scvr6HhI: TcOJcRH + namespaceSelector: + any: true + scrapeInterval: -90129h16m11.711713376s +nameOverride: kUuRn +storage: + volumeMounts: + - mountPath: TTEa + name: h + subPath: tG52z + subPathExpr: eh4wQ + - mountPath: iY66G4 + mountPropagation: 5ŀÖTcĿƠĎ躵9[Ãw胍 + name: WB3KpIQZ + subPath: hd + subPathExpr: Ekw2NtL7 + - mountPath: hB + mountPropagation: Ɲv抡吾蒩2ʛ + name: r7V + subPath: 4YrJ + subPathExpr: 4bIK9CT +tolerations: +- effect: Ź褦齸稽2舦胢襉`cq~ + key: iusZ5 + operator: LƩîmOv丌Þlɢɮ&żő子ʫƅq + tolerationSeconds: 1567502669304402305 + value: v1rTmQCoOJX +- effect: q#2崫 + key: rn1ih + operator: ă#暻vÔtgiɿ + value: K1 +-- case-021 -- +commonLabels: + 5D3dcbYcmq: bkcA + "y": TxHhxVY2tRx1i +connectors: + additionalConfiguration: jzE + bootstrapServers: as60 + brokerTLS: + ca: + secretNameOverwrite: fifa + secretRef: BmRMpc + cert: + secretNameOverwrite: MY5Ss + secretRef: gy7g + groupID: eOkhi4 + producerBatchSize: -500780400 + producerLingerMS: -1955065214 + schemaRegistryURL: Jrt + storage: + remote: + read: + config: false + offset: false + status: true + write: + config: true + status: true + replicationFactor: + config: -1860412640 + offset: -1901393869 + status: -4761328 + topic: + config: EI + offset: IK4 + status: WIZGj +container: + javaGCLogEnabled: HG + resources: + limits: + cpu: "0" + memory: "0" + request: + memory: "0" + securityContext: + allowPrivilegeEscalation: false +deployment: + annotations: + "8": 6L8d + budget: + maxUnavailable: -1972147103 + extraEnv: + - name: mbyKA5WPoY + value: bhMRx + extraEnvFrom: + - configMapRef: + name: e7KgN9ff + optional: false + prefix: ug4D + secretRef: + name: CzuiueSY + optional: false + - configMapRef: + name: TlIbaiI + optional: true + prefix: I + - configMapRef: + name: IuBuoY8u5xD1D7 + optional: false + prefix: 2xqoZ + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: j3g + operator: ŷǘȵiì渭ʫ抁Ğŋ + values: + - DJoN22 + - 4Kszk + - key: KYKZgrf + operator: 櫮ƣ+Ź藦vď蔸聺3vMʪ + matchFields: + - key: di6 + operator: ɫ0l5璠û介ɗ蟦ǘ厁ɂh磊 + values: + - ct + - 3e + - YICL + weight: 1941396141 + - preference: + matchExpressions: + - key: PRs0G0 + operator: ©MʥȩɅ2ď鏓 + - key: L83 + operator: °¥¶ĕ焲粮剚e喏鑝梋ƃ5~Ìnidž + matchFields: + - key: 78fF + operator: =ŞŽ熧曪ń + weight: 1964511070 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchFields: + - key: AHvs + operator: ɵȝʩm幃 + - key: 0ac + operator: MWæ諒鸠 + - {} + - matchExpressions: + - key: wRdw + operator: VP萺鵷 + - key: "" + operator: x + values: + - Fx + - I1rNR + - key: JZ + operator: 訖 + nodeSelector: + 88m: ofL96viVG + lM: uR4 + podAntiAffinity: + topologyKey: ug + type: dMLFJ2vJ + weight: -1646642412 + priorityClassName: dirA + progressDeadlineSeconds: 741558819 + readinessProbe: + exec: + command: + - Cnn275T + - 90rjZczLp + - Hi + failureThreshold: 137175425 + grpc: + port: -990908140 + service: "n" + initialDelaySeconds: 385463317 + periodSeconds: 1814148060 + successThreshold: -2130595018 + terminationGracePeriodSeconds: 1602275511469638547 + timeoutSeconds: -1983859400 + restartPolicy: 奡ʄ臔ȁ + revisionHistoryLimit: 1560482462 + schedulerName: v + securityContext: + fsGroup: 2775178225296577779 + runAsGroup: -873168801110302232 + runAsNonRoot: true + runAsUser: -8949664932683740838 + sysctls: + - name: u + value: 0mDq + - name: UDLOQRVGXH + value: "" + - name: eakEWdkHQ + value: UWw + strategy: + type: "9" + terminationGracePeriodSeconds: 1135949557 + tolerations: + - effect: ɖ + key: lzvKb + operator: V毣«mpAp餂ĵ$İƊ俊ĺ + tolerationSeconds: 1365476841054063816 + value: HqnJ8gfT + - effect: T鏚裦黂 + key: vgU + operator: 訹gǷ×婚ǀ + tolerationSeconds: -8509532606436755290 + value: KI + - effect: ?遗x + key: 6fxivUhl + operator: KŸȘ绒Nj赤 + value: mK2Hz + updateStrategy: + type: jz1E9Ra +fullnameOverride: "" +imagePullSecrets: +- name: kq1gha8w +- {} +logging: + level: rb +nameOverride: Cg +service: + annotations: + g: Haj2trb + nQCD85u: 7ENE + name: kt3xi + ports: + - name: ZD6QnCdlL + - name: kUQU +serviceAccount: + annotations: + QvndcW2wD: JmD + create: true + name: ABdKo +storage: {} +test: {} +tolerations: +- effect: -ā;CpĔ霬ie + key: S9EFzL6 + operator: ƥǝYǾĶi¢pÔ + tolerationSeconds: -8069168009016427174 + value: KpBi0ZYe +- effect: ɸ怭酟Tɛ;淸ayËz + key: jCr + operator: \qʑVȎ汕qʜźʊ圙$h袪ʅ) + tolerationSeconds: -573606976387196365 + value: sVZZ5RB +- key: cuDMjsSUzeD + operator: 注SʯLV臙?Ⱥ祉萼禝!DŽKɋ中N + tolerationSeconds: -220176424743278478 + value: ZsR4KEl1X +-- case-022 -- +commonLabels: + 3T: w2SpAA6br + I758z7Cf: 6V + JvnbWUk: pPMb +connectors: + additionalConfiguration: faRWi + bootstrapServers: XngcT + brokerTLS: + ca: + secretNameOverwrite: MDvyt3bw + secretRef: b809b + cert: + secretNameOverwrite: LP7Pcx1xGT + secretRef: Gg + enabled: true + groupID: 3SgngS9vl + producerBatchSize: 889009746 + schemaRegistryURL: b4VVbJxS + secretManager: + connectorsPrefix: ALseg + consolePrefix: JoDngQ + region: X +deployment: + create: true + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: Ro3T + operator: aĒĴŪ*3ɀ 币6鳴Ã偯d?A`åȏ + - key: 7XExK + operator: 濻舒^T莄1Â]葉 + values: + - A61yP5MBIRlE + - PvGUE + - 3dEaVo + - key: cLddzEo + operator: 櫜毉FÊi嶙# + matchFields: + - key: 5d + operator: 葜.¼v詝擽Ĉ + - key: WSMmbygG + operator: "" + weight: 1129540323 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kwkzOO8tl + operator: ']勋Į掬+' + matchFields: + - key: CQBwi20 + operator: 餞ǚe%Af埧Q哝窓煰 + - key: 9dTBxx + operator: Ĉ|^ + - matchFields: + - key: "" + operator: Á捛ɬĿ脦ǒĈ闲F秿翕卫Ŷ~?ʞŷȎ + values: + - Lg + - key: "42" + operator: 瞍 + values: + - QQMQ + - matchExpressions: + - key: en + operator: HË熙軯-ȓ簩羗č ʏ栽竬熄s)Ó鸰 + - key: Gc9Ntp + operator: "" + matchFields: + - key: 2ZLK4z1 + operator: 捚n匸竟-6ȐÒƑ|ʁĄEʕȘ + values: + - 0GiQ + - FI + - iXXs3k + - key: uujaIM5Y0Eo + operator: Āũ7 + podAffinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: null + podAffinity: {} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - matchLabelKeys: + - wx6 + - pZWizn + - YalB + namespaceSelector: {} + namespaces: + - VIJ8 + - "" + - "897" + topologyKey: a3iKu + podAntiAffinity: + topologyKey: E0D + type: VvN + priorityClassName: rs1 + progressDeadlineSeconds: 457348204 + readinessProbe: + exec: + command: + - 9NasaU + - gSgxcK + failureThreshold: 511258221 + httpGet: + host: Mho + path: fy80Va + port: 595852956 + scheme: Ț籦绺č擯夭fÀdcq鬎DŽƬ礛 + initialDelaySeconds: 948711230 + periodSeconds: 19027716 + successThreshold: -1810396970 + terminationGracePeriodSeconds: 1798521938678531879 + timeoutSeconds: 1797719976 + revisionHistoryLimit: -700610054 + schedulerName: 6Fuyr + strategy: + type: IbrqLLHodX + terminationGracePeriodSeconds: 1222617058 + tolerations: + - key: 9v + operator: ƱSjc(ϼ霌ʒ酁2Ɣ8kRâ + tolerationSeconds: 699537150416724653 + value: w8QXL + - effect: 旼`BȞ*ąɦ纇åʝ + key: vj3BwiVyW1t + operator: 鼦詡dƅ + tolerationSeconds: -9093487529989850129 + value: i8Agp + topologySpreadConstraints: + - topologyKey: AFVo + whenUnsatisfiable: M4 + - maxSkew: -1157554939 + topologyKey: oF + whenUnsatisfiable: juzJPaV2L03 + - topologyKey: P6ooy + whenUnsatisfiable: svPI + updateStrategy: + type: "" +fullnameOverride: cZ4G4 +monitoring: + enabled: true + labels: + Eedv: 65ZfBI + namespaceSelector: {} + scrapeInterval: 2515390h35m37.419426312s +nameOverride: 6MJPA +service: + name: x4Vu7vj + ports: + - name: G4 + port: -201865350 +tolerations: +- effect: ' ʫȲ嬮+簻' + key: qIS + operator: 奎唐涵¥ȗ咦壥縌筺 + tolerationSeconds: -7358513382849221288 + value: tiRW0E7sm +-- case-023 -- +auth: {} +container: + javaGCLogEnabled: t7nvcU + resources: + limits: + cpu: "0" + memory: "0" + request: + cpu: "0" + memory: "0" + securityContext: {} +fullnameOverride: 9tds +imagePullSecrets: +- name: t +- name: 9jeO +- name: h +logging: + level: bP +monitoring: + enabled: false + scrapeInterval: 1421023h45m34.121658414s +nameOverride: ZI341xw +serviceAccount: + create: false + name: TIG +storage: + volume: + - name: naPNMJ + volumeMounts: + - mountPath: YeET3weL4N8g + mountPropagation: d/嬈Ñ內q謯ƶ8ɳƓ肵 + name: ssEfPGv8 + readOnly: true + subPath: "7" +-- case-024 -- +connectors: + additionalConfiguration: LWHk + bootstrapServers: jn + brokerTLS: + ca: + secretNameOverwrite: qv + secretRef: LRHozVF + enabled: true + groupID: d + producerBatchSize: 1166879364 + producerLingerMS: 714735160 + restPort: -1930935263 + schemaRegistryURL: sz + secretManager: + connectorsPrefix: xoZinJy1V + consolePrefix: kjqs + enabled: false + region: hsKN +container: + javaGCLogEnabled: XS5 + resources: + javaMaxHeapSize: "0" + limits: + cpu: "0" + memory: "0" + request: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: true +deployment: + annotations: + FU4J: "" + HJZjva: jC8uET + budget: {} + livenessProbe: + exec: + command: + - OG + - YBVu + failureThreshold: -1400952913 + grpc: + port: -2029643906 + service: 0a7ILy + httpGet: + host: Z7sbsKoc + path: RhCEkYS + port: 1662747518 + scheme: 巐ȹƠK + initialDelaySeconds: 1536143416 + periodSeconds: -971919376 + successThreshold: 1841265139 + timeoutSeconds: 1519706329 + nodeSelector: + ZBtz30: MaN + wEyS43Wq6sS: A + podAntiAffinity: + topologyKey: H0cu + type: TCF8Ne + weight: 1443189624 + priorityClassName: xL + progressDeadlineSeconds: 5438195 + readinessProbe: + failureThreshold: 2057031608 + httpGet: + host: nCaW7a + path: KggIsy + port: jP + scheme: ʆçɇ滾镡Lj癲:Ą隸C乑鏀贄e監篍z + initialDelaySeconds: 1457702974 + periodSeconds: -1732886 + successThreshold: -723791053 + terminationGracePeriodSeconds: 7303344607566636133 + timeoutSeconds: -547087401 + revisionHistoryLimit: -2103181148 + schedulerName: tXdQ7X + securityContext: + fsGroup: -1024384248472849622 + runAsNonRoot: false + runAsUser: -2673836885766820786 + sysctls: + - name: z + value: 1Xx7BcpTtc + - name: ik + value: mn7hZ2O + - name: 0tRcSAR + value: s3Fmk + strategy: + type: 7Ma6SKn + terminationGracePeriodSeconds: 1680781404 + tolerations: + - effect: '[Ȝ%1@拌魋?>Q[' + key: CM6To + operator: ȫƤP箴ɉ戮嗯嬑lwĶƼ§ʜ + tolerationSeconds: -4298573611145221598 + value: ERnxlMnsbt + updateStrategy: + type: 9jfYH2 +fullnameOverride: e4W +logging: + level: i1QoQHfki73v +nameOverride: Y47 +serviceAccount: + create: false + name: AepmYU +tolerations: +- effect: ',虔wxÓ[bÁ男ɂʁ.ʋ鎊惡&ŵÓ#' + key: M4W + operator: ¿ȉȇ滻[濱喭噫誘蝝Wť揢奬ƕ畐Ǻ + tolerationSeconds: 5209749606101630382 + value: la6lMRP +-- case-025 -- +auth: + sasl: + enabled: false + mechanism: uxD + secretRef: "" + userName: 8yKwAYM +commonLabels: + VGEccN: 1S6Om +connectors: + additionalConfiguration: "n" + bootstrapServers: JhxRF4 + groupID: 2Fy + restPort: -1355681307 + schemaRegistryURL: 9uSqcQk +container: + javaGCLogEnabled: TmzFHzZvwn + resources: + limits: + memory: "0" +deployment: + annotations: + p7R: EjfLOeG + th6: enWXwqe + extraEnv: + - name: 5j0yE + value: O9bMi + valueFrom: + configMapKeyRef: + key: byf25 + name: RIZv + optional: false + fieldRef: + apiVersion: NrtU + fieldPath: 3LC + resourceFieldRef: + containerName: AjmWfg6HqMgn + divisor: "0" + resource: OV + - name: 6hTC + value: r + valueFrom: + configMapKeyRef: + key: 0u + name: 7xxySBjT + optional: true + resourceFieldRef: + containerName: qAO + divisor: "0" + resource: XP + extraEnvFrom: + - configMapRef: + name: uLvK + optional: false + prefix: 2Ij + secretRef: + name: leDGyXv + optional: true + - configMapRef: + name: GK + prefix: dCB + secretRef: + name: u + optional: false + livenessProbe: + exec: {} + failureThreshold: -94764338 + grpc: + port: 1195513848 + service: "" + httpGet: + host: FeqfL8uSFE + path: "57" + port: -1477884035 + scheme: 彀ǥ篠 + initialDelaySeconds: 407315123 + periodSeconds: 165966784 + successThreshold: 970096625 + terminationGracePeriodSeconds: -292284363880963466 + timeoutSeconds: 2091942472 + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchFields: + - key: 6nwZP6 + operator: 乆`Eɪ妶窓o黥屢! + values: + - cJtx + weight: -559166881 + - preference: + matchExpressions: + - key: eyw69 + operator: 獶ʎ^ȁ耦ǚy蝸殽虄X敉${ + values: + - cLTjur + - Ab + - key: iMnx + operator: ßljƨb委揋ǖyǭɮHɋȱ钵瑴= + values: + - oTbQw + matchFields: + - key: peZc + operator: 韨醤H3擅ĭýǚɃ氤徣»嬞籍* + - key: BwW + operator: "" + values: + - lj0f + - key: RTfBwhMV7h + operator: 愐哣碍clȲ + weight: 1712242968 + podAffinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: null + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: 5pRrPC5 + operator: lj莇殎璑cy畟2ƫ啔2蜍揈黻~VNjj + - key: Vx5A + operator: 蔞 + values: + - TuNksgudWu + - "4" + matchLabels: + 9yQx2r0z0VT: wKG3GY + m: D7p + matchLabelKeys: + - A94QEh4T + namespaceSelector: {} + namespaces: + - m2oXksKrIQE + - IbVp + topologyKey: aR1q + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + namespaceSelector: + matchExpressions: + - key: affUCeIp + operator: Ǭ\傁斘8ĝG=W¢xŔV + values: + - cGxdE + - WWR + namespaces: + - 8PQ + - IhAKP + topologyKey: mNEK4 + weight: 1622675667 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 3mP + operator: ƛ)ʥ湯ǥð鸥蝪侀śv + - key: Yjw + operator: 锖膳Ǣ + values: + - JyH6LD + matchLabels: + "Y": 8Dv8Z09h + kV8iai: kRB + uyro3: N2Hv + namespaceSelector: + matchExpressions: + - key: 0r + operator: 嘏X孷Nj,ƦäMD妸*" + values: + - dl11s14 + - x2zsZLYX2j + - key: Sv + operator: 頇r蜿ǚ/ǷȦG络/脾 + namespaces: + - 5z + - AC + - F2RsWTf + topologyKey: N5mg + weight: -1962604072 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + GNdtPS: wYTu + LNoX7W: Tp6mRq + Sq7: bqR0 + matchLabelKeys: + - hlwJOaAy + - 3md + - X + mismatchLabelKeys: + - 4TLXNX + namespaceSelector: + matchExpressions: + - key: uoR + operator: Ȩd²ʜĽNj + - key: k + operator: 杜|漍á疦菁拙螃ɣjʆʕ瘎 + values: + - DcZ7LTc + matchLabels: + xu: U1A7mo + namespaces: + - B5 + topologyKey: Wdm54UR + podAntiAffinity: + custom: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + matchLabelKeys: + - "3" + - xz82vVz + - vEhkI + mismatchLabelKeys: + - vic9n + - Szo + - 0c + namespaceSelector: + matchLabels: + 3X: TPrUq + r1mxgoL: pg + topologyKey: RsMDTIE + weight: -1153984436 + topologyKey: LZJ6PJ1 + type: NwnuPNXi + weight: -417232056 + priorityClassName: e1exaXYQ + progressDeadlineSeconds: 202187696 + readinessProbe: + failureThreshold: 1857603986 + grpc: + port: 1093232805 + service: DU1FQs + httpGet: + host: Osa + path: CX74t + port: OxeuD39 + scheme: 覠尐_媶粷拝紾Iȡb帶墵Ò + initialDelaySeconds: -1402792412 + periodSeconds: 879643685 + successThreshold: 1435235361 + timeoutSeconds: 1464897550 + restartPolicy: '{悛Qª槟ĈW得蹏淂專驁sēɹƐ軋剭' + revisionHistoryLimit: 1394995435 + schedulerName: aA + tolerations: + - effect: cȩ飙 + key: 4Y9saWpr + operator: 輋ƾ跴Ȫ徐1Aǡ{gm櫩茻 + value: yI4k + topologySpreadConstraints: + - maxSkew: 425976069 + topologyKey: aThb + whenUnsatisfiable: G + updateStrategy: + type: CkmVnc9viBQ +fullnameOverride: uv4tHoO +imagePullSecrets: +- name: wd +- name: O +monitoring: + annotations: + hvh: "" + mDK0: OWEQ0y + zpG: XWCs + enabled: true + labels: + Ie5J5: fYnrHO + YkM4u7v: iTjIow + iP2Di: ptlD2Xuar + namespaceSelector: + matchNames: + - 9LShi + - klNT12U + - 9e + scrapeInterval: 74012h59m47.17763594s +nameOverride: z3C +service: + name: UFYrvO +test: + create: true +tolerations: +- effect: 弱伹ljȓƱ递$h鬾 + key: DK + operator: Ɨ + tolerationSeconds: -5698206097095774785 + value: D13SrG6 +- effect: =J叶步Ö + key: bk + operator: ȗ¦eŢƓ逺 + tolerationSeconds: 6164794697823934570 + value: X3Lat6r +-- case-026 -- +commonLabels: + op: VnL9o7 +connectors: + additionalConfiguration: T9YzRko + bootstrapServers: 6x4 + brokerTLS: + ca: + secretNameOverwrite: g3oj + secretRef: Dw6 + cert: + secretNameOverwrite: wSXlgsek + secretRef: i8CF9ffAM6p + enabled: true + key: + secretNameOverwrite: lyf69Al + secretRef: deo + groupID: uDg + producerLingerMS: -2006060261 + schemaRegistryURL: fT + secretManager: + connectorsPrefix: 3zl + consolePrefix: EnXNUH + enabled: true + region: cyQNlFt + storage: + remote: + read: + config: false + offset: false + status: true +container: + javaGCLogEnabled: uAsH + resources: + javaMaxHeapSize: "0" + limits: + memory: "0" + securityContext: + allowPrivilegeEscalation: false +deployment: + budget: + maxUnavailable: -2138199446 + create: false + extraEnv: + - name: fSlx6jZkW + value: Gidecru6M + valueFrom: + configMapKeyRef: + key: kDgPE80UsJ + name: VokSO + optional: false + fieldRef: + apiVersion: m0pc + fieldPath: TDq6b1g + resourceFieldRef: + containerName: aHY + divisor: "0" + resource: qGyhyCA + secretKeyRef: + key: Lab + name: XS7bBHw + optional: false + extraEnvFrom: + - configMapRef: + name: "94" + optional: true + prefix: cO1J + secretRef: + name: 5g16 + optional: false + nodeSelector: + d: H2kDk + podAffinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: Fx6h + operator: ă瑡周n + matchLabels: + 4iB: XqVe + hjWyR: NY + matchLabelKeys: + - 1p + - 3kVC + namespaceSelector: + matchExpressions: + - key: 0miz + operator: K9輰隂ȧlȆ*¼'酞Ŏ + - key: 99O + operator: "" + - key: SP + operator: '`Čɪ!?钾R|櫊È' + values: + - "y" + - kAhysp4 + - GCV1j6 + matchLabels: + YUuE3XZX: X4t + kDqSk7iDzH: fkcnl + vTp: n2nALh + topologyKey: 64PeJ5 + podAntiAffinity: + custom: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: vQ1crSV + operator: 7nujʠ駺鬺|救 + - key: iOIw8g7V + operator: 萸繴裉ɕ~ŕf!ǿı棨 + - key: n6LU + operator: ȓbR筌ǫLJ + matchLabels: + NC0: "" + XGU5qvzYMs: QmNwb + cc: Ks + namespaces: + - 4pVveJZ + topologyKey: 65SB9i + - namespaceSelector: {} + namespaces: + - SDARb + - 0u + - n82TB + topologyKey: l1 + - labelSelector: + matchExpressions: + - key: h8JZN9ndz + operator: 瓇Ȟù + - key: BbnA + operator: 莾ʩ1ǔƇf楘銷Bqzʁ祤Ĉ肙 + values: + - RPGl + - fCF + - key: 7u + operator: 棣m\羨压ć$ + matchLabels: + 82yA8rU: JjJF0yf2o + 184fSrLtK: msSakH + Bq: "" + mismatchLabelKeys: + - P + namespaceSelector: + matchExpressions: + - key: h + operator: "" + values: + - mqn8Yv + - gdHikJUK + - key: 3lPz + operator: BD + - key: 0baPldJBjJn9 + operator: 樢饓4ʂ + values: + - 2AX + - UbR4z8bGYUVr + matchLabels: + DXgZ163y: 80ssC + sxdB: AWv0 + namespaces: + - qUoe + - WE + topologyKey: fZqb + topologyKey: jghLUT + type: YgTAAdKC + weight: 457351545 + priorityClassName: cMPpGa + progressDeadlineSeconds: 592124572 + readinessProbe: + exec: {} + failureThreshold: -581438581 + grpc: + port: 488383519 + service: l7batCCnvJq + httpGet: + host: FQqXfIuR + path: iUAUmylNEAU + port: -881355027 + scheme: Ȗ% + initialDelaySeconds: 1450868933 + periodSeconds: 84140252 + successThreshold: -349726428 + terminationGracePeriodSeconds: 6323959655336028953 + timeoutSeconds: 226228279 + revisionHistoryLimit: -739568709 + schedulerName: 14z62c7xgckN + securityContext: + fsGroupChangePolicy: 诅S~=ɲ*旫ĺ¬d堤Eq篣 + runAsGroup: 4871537600984265230 + runAsNonRoot: true + runAsUser: -7571157018510467782 + supplementalGroups: + - 7137947427600072682 + - -3730781858194361576 + - 6854632843582773166 + sysctls: + - name: r23vPM + value: 5UfknjwXh + strategy: + type: Je + terminationGracePeriodSeconds: 1594904318 + tolerations: + - effect: è埩仆ȅ<ǭɉ毱暏攦3q + operator: 弦ͼH昽E濄ɻ + tolerationSeconds: 3114895080936277785 + value: Y6vPY2uD + - effect: ŏȉ}葘魼A訇ɍOĩ旽ġ遌墚¦颢Ŏ + operator: 蠥ëV祍竛Ƅ-杸孡t + tolerationSeconds: 47406346758114986 + value: z + - effect: '>' + key: qdKVY + operator: 5m + value: kCCZxwF + updateStrategy: + type: apGLWC +fullnameOverride: XfK7 +logging: + level: e +monitoring: + annotations: + Ap4hj4: hGNy + IWIMYW: dOV6M + enabled: false + labels: + LSnRh7: o + OUKIb: "" + hOs: Jeldy + namespaceSelector: + any: true + matchNames: + - csE6iNb + - 0vF3H6v + - rnL + scrapeInterval: 601737h12m36.927932959s +nameOverride: ATJ +serviceAccount: + create: true + name: jmzfCmHq +storage: + volumeMounts: + - mountPath: kTnYVd0 + mountPropagation: )ȡ蟑 + name: LQoqAJrPB + readOnly: true + subPath: eogR7 + subPathExpr: jd + - mountPath: nL4z + mountPropagation: E驻ʄƒ椺Ņ熆伓1 + name: AC6X7664kgZ + readOnly: true +-- case-027 -- +auth: {} +commonLabels: + LuCiH: SWR3zOt +container: + javaGCLogEnabled: Rk2lueKjUZ + resources: + javaMaxHeapSize: "0" + limits: + cpu: "0" + request: + memory: "0" + securityContext: + allowPrivilegeEscalation: false +fullnameOverride: OL1 +nameOverride: ffe2 +service: + annotations: + JXMpPkd: YoI + Z: DVS9WjadC + name: uSz +serviceAccount: + annotations: + N7gZ: ExrpJkw + PD23ZYO: jlj + create: true + name: maeWLc +storage: + volumeMounts: + - mountPath: RDO + mountPropagation: 縖ʯLj觻ĶR腉赙CèS咍Xz + name: NFJO + readOnly: true + subPath: i4tgwgPir + subPathExpr: 8C3d4ln + - mountPath: I + mountPropagation: "" + name: okJHlIlhWWGN + subPath: UQu + subPathExpr: 1D7d +test: + create: false +tolerations: +- effect: 炩CżCX褒ȁŃ詳Ð剘畭@Tj縶 + key: 5GekCX8zF1Cj + operator: aµ + tolerationSeconds: 728571265301214109 + value: 81x9S +-- case-028 -- +auth: {} +container: + javaGCLogEnabled: 3ahn64ZT + resources: + javaMaxHeapSize: "0" + limits: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: true +deployment: + create: true + extraEnv: + - name: DvkYw9Pk + value: USGTgIYZwyPh + valueFrom: + configMapKeyRef: + key: xomkxxc + name: 7a + optional: false + fieldRef: + apiVersion: tnGFZ3 + fieldPath: H + resourceFieldRef: + containerName: UD5gAM615 + divisor: "0" + resource: EplPSqP + - name: "" + valueFrom: + configMapKeyRef: + key: 2n + name: vw5ZWohT + optional: true + fieldRef: + apiVersion: THSyklTdw + fieldPath: KDDja + resourceFieldRef: + containerName: ha2tB3cM0 + divisor: "0" + resource: 467hL5 + secretKeyRef: + key: I + name: vv9hXsUY + optional: false + extraEnvFrom: + - configMapRef: + name: "y" + optional: true + prefix: 8yKCF + secretRef: + name: 7B5wyZ16F + optional: true + - configMapRef: + name: zqz + prefix: iYiSC0Au26P + - prefix: w + secretRef: + name: p4 + podAntiAffinity: + custom: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 6kZhQ + operator: k赊炈ǽ|e椩骔Ɛȶ猔 + - key: gqK + operator: Ǚ胵$ğ\f35D辕叞Ǐ + values: + - pcEO171jJq + - LY + - GfNUi6qekSD + - key: k7gF + operator: 17鮅Ƒ灝1ʐɢ艹藩軞K.@媎5ɸ[ + values: + - 54w + - FSM + - 3z7CuL + matchLabels: + 9S3kV3el: 7MbZM6 + NlghDpU1T: Cli8O8lnK + OcV: "" + matchLabelKeys: + - mZggvA8 + - rJkWPc + namespaceSelector: + matchExpressions: + - key: ly0G + operator: $ȝQd睬H剹崈ł + values: + - As + - key: 7eyD22 + operator: 贻Ēa介ţ棨ʘ蝭玴 釷 + values: + - RzMGltB4 + - SFV4v + namespaces: + - Va8Nghyl5Xi7e + topologyKey: 1drlL0V + weight: -1531757892 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: "" + operator: ʬy驮蹲ÆʎŘJ + values: + - 4knxh35 + - u + matchLabels: + CJiPPT: SI + rgLMgFHL: xLCR7k9 + matchLabelKeys: + - n2L6 + mismatchLabelKeys: + - Xm + - 8rT + namespaces: + - 1oMw4m + - b + topologyKey: WyZe3ZI + weight: -1225398774 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: TW2 + operator: ʁ¦_bƻýK正¿őȦŭ'Ƭ1 + values: + - OvaLf52 + - KZf + - key: W80 + operator: _CEvNjn集L鲵ōF簠踑TĚƀa肆 + values: + - h1VYlc + - MKbR + - wxafhmYM + - key: d0o1Q5b2 + operator: "" + values: + - SVkBA + matchLabelKeys: + - nIc + - "" + namespaces: + - i + - B0zuARW3Ulvn9Q + - doQcG3 + topologyKey: g4 + weight: 553767105 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: {} + mismatchLabelKeys: + - XRCSn + - udG + namespaceSelector: + matchLabels: + I7Tlp: gcBQUH + ZD: NK + wMdEcQY4E: "" + namespaces: + - Zp + - IEP7 + - R2B8UbaSFe + topologyKey: V + - labelSelector: {} + mismatchLabelKeys: + - cXL65W + - "y" + - apcJBy + namespaceSelector: + matchLabels: + 96JY: wVF0LERIzj6 + namespaces: + - vWBUXL + topologyKey: RqV9B + topologyKey: i8Sj + type: lp + weight: 1933092510 + priorityClassName: j + restartPolicy: my + revisionHistoryLimit: 1716132030 + schedulerName: KL8nKi + securityContext: + fsGroup: 6950905231485893521 + fsGroupChangePolicy: 4駝ɧɍ匑ĿŃjH(ƨ鏝搲³欍荭 + runAsNonRoot: false + runAsUser: -3842777327443310041 + sysctls: + - name: ADfyWTN + value: "" + - name: A2KbAFX + value: vfiwuHLZA3z + strategy: + type: GG3n + terminationGracePeriodSeconds: -1876643927 + tolerations: + - effect: 幉cè禟ɴ + operator: ġ襜莪_ð迾uɈkʫ~鲕Lɻ戦ʡ2ȠǷ + tolerationSeconds: -3325398021525833538 + value: QDDTEv + - effect: hǝ + key: JwoXCcww + operator: ªA[wƸ + value: NvIa14 + - effect: ŐȜŻ-簀Ȟo/.濈s呁ī + key: v + operator: 7幔ÍX靹蟳 + tolerationSeconds: -8856646878602495698 + value: zOvR +fullnameOverride: ZvvoA +imagePullSecrets: +- name: H +- name: HOE +logging: + level: k1wsL2of +monitoring: + enabled: true + namespaceSelector: + any: true + scrapeInterval: -2272665h1m59.977529594s +nameOverride: "3" +service: + annotations: + 3yehn: hb1JTt4bE6 + 8kZ: syTRQDJ + QFMui15S766: gMn5Cet2XRLMo + name: 9VQ +serviceAccount: + annotations: + kTXPsd: S4sMQbj + name: Ms3WxpzY6U +storage: {} +test: + create: false +-- case-029 -- +auth: + sasl: + mechanism: pVvPbLq8PH + secretRef: a8g3R + userName: "206" +connectors: + additionalConfiguration: Mq9r58Wn2 + bootstrapServers: GhGh + brokerTLS: + ca: + secretNameOverwrite: "" + secretRef: u + enabled: false + key: + secretNameOverwrite: kn1yG + secretRef: CE + groupID: F3e + producerBatchSize: -1760140219 + producerLingerMS: -410672871 + restPort: 1337396066 + schemaRegistryURL: eVOEb + secretManager: + connectorsPrefix: emUV + consolePrefix: pC3 + enabled: true + region: l6uFeZtI + storage: + remote: + read: + offset: true + status: true + write: + config: true + offset: false + status: true +container: + javaGCLogEnabled: "" + resources: + request: + cpu: "0" + securityContext: {} +deployment: + budget: + maxUnavailable: -1357187310 + create: true + extraEnv: + - name: "" + value: a + valueFrom: + configMapKeyRef: + key: S + optional: false + fieldRef: + apiVersion: cAFu3Wwm4O + fieldPath: "" + resourceFieldRef: + containerName: K + divisor: "0" + resource: pYz + secretKeyRef: + key: rrusH7t + name: 6hR1vtMek + optional: true + - name: 62b + value: b4k + valueFrom: + resourceFieldRef: + containerName: 9Zuqk + divisor: "0" + resource: wDbwci + secretKeyRef: + key: q + name: a3Go0SITja + optional: false + - name: CAn + value: r + valueFrom: + configMapKeyRef: + key: oBsj + name: f + optional: true + fieldRef: + apiVersion: K + fieldPath: e60DM + resourceFieldRef: + containerName: 9xyY28RraQXtmbHZs9v + divisor: "0" + resource: ddr6SE + secretKeyRef: + key: HIl + name: 6i + extraEnvFrom: + - prefix: J + secretRef: + name: 4niuc27 + optional: false + - configMapRef: + name: dVR + optional: false + prefix: WUotCc + secretRef: + optional: true + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchFields: + - key: Th8xQ0 + operator: '};ƾ:Ơȏ旊苆$ź榘ę[Ş悈ȥ' + values: + - gOPH1k + - KOsql + priorityClassName: 3ogB9tWXV + progressDeadlineSeconds: 533336746 + readinessProbe: + exec: + command: + - 4ndWdZzqE2k + failureThreshold: 2079208961 + grpc: + port: 892171148 + service: CsKUHVZ + httpGet: + host: gYLBe6Cp + path: qmK3f8GwgZ + port: 8pIb + scheme: ʥ>Yj14寧枌A|íF + initialDelaySeconds: 1156905473 + periodSeconds: -1924622812 + successThreshold: -1575566868 + terminationGracePeriodSeconds: 5810637601195744899 + timeoutSeconds: -450997563 + revisionHistoryLimit: -121719569 + schedulerName: Z7Ne6 + securityContext: + fsGroup: -790114255836881973 + runAsGroup: 4623887472960955175 + runAsNonRoot: true + runAsUser: 7622666161830127482 + supplementalGroups: + - -3228001931932573252 + - -7141992959148915907 + - -17407268992027108 + sysctls: + - name: 8qCsQ + value: RwRLG + - name: f2Rn + value: afHwsU + - name: 3jYk9 + value: V + strategy: + type: "" + terminationGracePeriodSeconds: -1948657833 + tolerations: + - effect: 冮味Pf鵸q\)霰¢玲&糦Ŀ怋ɌÁ燹 + key: uTzXciQ + operator: 3IJuʙNj + value: FB0Hu +fullnameOverride: IyM +imagePullSecrets: +- name: 1tlBA +logging: + level: MM8vHtxMK +monitoring: + enabled: false + namespaceSelector: + any: true + scrapeInterval: 1950385h21m49.305979755s +nameOverride: tl2YFI +service: + annotations: + PGxtxZYXR: X5 + name: "" + ports: + - name: 9xn + port: -684513812 + - name: u4xF + port: -391479350 + - name: rDTiR56X + port: 382665278 +test: + create: false +tolerations: +- effect: ĝȈÛ + key: W0K + operator: ɺ$嶩鸦Ę+Ŝ鞬 + tolerationSeconds: -8698254857049033349 + value: AXGq +- effect: Ǜǻ鎃ǥ蹔t處 + key: U6Kwl + operator: 袕ʒ掊蓵 + value: sP +- effect: ɷ蒱Ď脢嚼S劣Ó + key: tXkIQEUaW + operator: 絈:愅ŚŻɵl + tolerationSeconds: 6194136677012499657 + value: G8 +-- case-030 -- +auth: + sasl: + enabled: true + mechanism: rw21b + secretRef: Pmr6Q + userName: VZItSFI +commonLabels: + GCdbeC: cQ4P1cHbv +connectors: + additionalConfiguration: dIZd0USbP + bootstrapServers: znZ + brokerTLS: + ca: + secretNameOverwrite: "" + secretRef: kHUZvj2QDUh4 + cert: + secretNameOverwrite: sskJ + secretRef: l + enabled: true + key: + secretNameOverwrite: iOnKoNxj + secretRef: dRzfIju + groupID: "3" + producerBatchSize: -1998620825 + producerLingerMS: -1373192817 + restPort: -1808248501 + schemaRegistryURL: j7 + secretManager: + connectorsPrefix: 6Bx2Qil2o + consolePrefix: C6KUfZ + enabled: false + region: IkJbzZ + storage: + remote: + read: + config: true + offset: true + status: true + write: + offset: false + status: true + topic: + config: J + offset: b + status: DTmRi +container: + javaGCLogEnabled: hmX8lr55 + resources: + javaMaxHeapSize: "0" + limits: + cpu: "0" + memory: "0" + request: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: true +deployment: + annotations: + co: d + create: false + extraEnv: + - name: U7ZgJptiGP + value: VIyGo + valueFrom: + configMapKeyRef: + key: qxBGDLH + name: RaBlc + optional: false + fieldRef: + apiVersion: ypCq1 + fieldPath: GOf + resourceFieldRef: + containerName: MtGKY + divisor: "0" + resource: I4 + secretKeyRef: + key: qV + name: "9" + optional: false + extraEnvFrom: + - configMapRef: + name: H84ze + optional: false + prefix: VTwW + secretRef: + name: gEsSRAwz + optional: false + - configMapRef: + name: eDeZ0DugXo + optional: true + prefix: SsakeA + secretRef: + name: bG0Sy7 + optional: false + - prefix: ZKPXsAv + secretRef: + name: kxqMF05 + optional: false + livenessProbe: + exec: {} + failureThreshold: 20072615 + grpc: + port: -311576311 + service: cH6 + httpGet: + host: x + path: 2cVqcw + port: 929216339 + scheme: ƇsʯDSĉʍ.RAp鷌噫蕪ʚ + initialDelaySeconds: 1309506491 + periodSeconds: 848313974 + successThreshold: -1895468765 + terminationGracePeriodSeconds: 2309372029983841470 + timeoutSeconds: -1767944726 + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + nodeSelector: + 1ZriYn8T: 6W5ORGSM + "8": tu + Fn2RxRqX: HUwiz + podAffinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: kxw601 + operator: Ǘ裝g彋ɨ戣Ɓ乑侇ƞĉ + values: + - h7 + - "84" + - lskjSC + matchFields: + - key: jX7lO + operator: ȼf糎*¼wA漏捅ǟ#ûç潝Ɖ藪V + values: + - X3sQ + weight: -1964816880 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: null + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + a8p2hiBJSP3TS: yXy733 + matchLabelKeys: + - "" + namespaceSelector: + matchExpressions: + - key: 2YU7Rzi + operator: ō{ʗ劆譄粫 + values: + - LwQ + - KpKr + - iA5gLm + - key: QLh2Y7fPtYq + operator: v掺ÂIA"Ƃ秐ǿ傇ȴOę + matchLabels: + 88xytHI: a + namespaces: + - GkdcO + topologyKey: Gk9 + weight: 1965172043 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: QXrC + operator: ']ƲD檖埙貊' + values: + - sBL + - M + - c + matchLabels: + M5: EqfNjRxqt + matchLabelKeys: + - eDIBN + namespaceSelector: + matchExpressions: + - key: TkA + operator: 乥摟`篿ǫ`鯛d柊朞#=粟ë0"g + values: + - pCd + - tjm1 + - key: L8komgF + operator: 牱鐦騵d公ƅ麭 + values: + - ih77z + namespaces: + - rvCrqx10 + topologyKey: ylag3 + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + matchLabelKeys: + - jJxZ6Rd3 + - "n" + - zUM + namespaceSelector: + matchExpressions: + - key: LgKlZv + operator: 蹉Dǭ乜u3嘴țýȰ¢əfɓ9M + - key: focLN + operator: 峍溌諪ɻɀ鶡凛硓Hʆ&醓y璬P且h晼Ȫ + values: + - 7M + - o + - key: PyRpMu + operator: 軏ƀʪ;ƶ1 + matchLabels: + TLgWRgpL: 6KxhJ8 + topologyKey: R + weight: -2017519918 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: QAEMOx5 + operator: 聚Ē + values: + - ufw1Z3 + - i8Oos + matchLabels: + o6xfK8a: SfPP2rf7Roji + matchLabelKeys: + - le78Yu + - HUTODaS + namespaceSelector: + matchExpressions: + - key: 66vP + operator: u7Ƞ>懝U¤蕃 + values: + - "7" + - GK + - key: J0dXv7ZJJB + operator: 蜸薼野碇甞ĚȤ哕鈁尮"Ǘ枿話Ȕ狏 + values: + - RAX4t + - nPF + - 3ju448C + matchLabels: + M: tVDx2e + jf2: K6SX + xPh3: QQRbks + namespaces: + - "" + - 81J2ER + topologyKey: P0YlKv + weight: 1281715791 + podAntiAffinity: + custom: + requiredDuringSchedulingIgnoredDuringExecution: + - namespaceSelector: + matchExpressions: + - key: xfHcOZ + operator: R ȫ-$<¥;ʗǛ;嶗C臷l + - key: F + operator: '{剽ŢÑ?' + values: + - 4gvxHy + - 8KDxHDtm + - key: dVAZ + operator: ƶG荦鯺x硕=pŮlý:` + values: + - wfeV + - IK + matchLabels: + 31ix: HdDM + S4lHSJCMD2: lu3wExQ2H + namespaces: + - E + - 4tZ + - T + topologyKey: 7sVtS9TK + topologyKey: 7kZ3GBTH + type: ijo + weight: 575486983 + priorityClassName: kVuF7b + progressDeadlineSeconds: 1067800182 + readinessProbe: + failureThreshold: 685579944 + grpc: + port: -2063577057 + service: eR7 + httpGet: + host: EvLo + path: JpKUinL + port: 1426508719 + scheme: ?纙硺ưů溋šwš + initialDelaySeconds: -343905380 + periodSeconds: 1220161608 + successThreshold: -1225720048 + terminationGracePeriodSeconds: 5142513156327389695 + timeoutSeconds: -158246671 + restartPolicy: ȭÕpg琛>盿噸ɸ罀ʊ溠凝ï燘3宓 + revisionHistoryLimit: -867909477 + schedulerName: Cw1 + securityContext: + fsGroup: -1048504685354459048 + fsGroupChangePolicy: 紪兊B©忾iL醒Ɏ}E譮À猃#慆V" + runAsGroup: -5540900310826845836 + runAsNonRoot: true + runAsUser: 1960710021236792309 + supplementalGroups: + - -5069008871988065584 + - 1052747353682433741 + sysctls: + - name: XNC + value: H2sA + strategy: + type: jUn6q9 + terminationGracePeriodSeconds: 1204736887 + topologySpreadConstraints: + - maxSkew: -122908749 + topologyKey: Sx + whenUnsatisfiable: kzg + updateStrategy: + type: "9" +fullnameOverride: IVe +imagePullSecrets: +- name: IDsL67Xzs +- name: j3s2 +- name: rsV +logging: + level: LEXhtAdMw +monitoring: + annotations: + 8UnZf: QuGXzt2iFf + enabled: false + labels: + 5bKl7ZL: OULoJ + rjszo: x + namespaceSelector: + any: true + matchNames: + - SYEcgAmD1 + - pkOAzK + scrapeInterval: 1337119h5m47.177426828s +nameOverride: P7 +serviceAccount: + create: true + name: UQ27oL +storage: + volumeMounts: + - mountPath: T0skfqLM2b + mountPropagation: 訶)5蘳慢墰葭ƓȇkȡʑȆ\&算毳 + name: Xw + subPath: 48LdxME5 + subPathExpr: 3Z +test: + create: false +-- case-031 -- +auth: + sasl: + enabled: false + mechanism: OKrEkY + secretRef: 8nzj + userName: s +connectors: + additionalConfiguration: rJQp + bootstrapServers: 0y2l8XHWK + brokerTLS: + ca: + secretNameOverwrite: "" + secretRef: J + cert: + secretNameOverwrite: copKWn2 + secretRef: DNF6s + enabled: false + key: + secretNameOverwrite: IlMv6 + secretRef: NI3VUhJks3aM + groupID: chzc6 + producerBatchSize: 164004875 + producerLingerMS: -1169688418 + restPort: -1300816856 + schemaRegistryURL: qb + secretManager: + connectorsPrefix: e + consolePrefix: QToud + enabled: false + region: rDADY + storage: + remote: + read: + config: true + offset: true + status: false + write: + config: false + offset: true + status: true + topic: + config: vOa + offset: NoMzWmd + status: UX +container: + javaGCLogEnabled: FZNoDU + resources: + javaMaxHeapSize: "0" + limits: + cpu: "0" + memory: "0" + request: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: true +fullnameOverride: pPZgwOOt +logging: + level: mw +monitoring: + annotations: + 5DX9hu1: TudyZCCNj + A6h88N: VYLm + labels: + bt9lo: o + mnL: cq + namespaceSelector: + any: true + matchNames: + - Oq9en + - SYEqp + - XG13YJtsJ + scrapeInterval: 48406h44m12.186557056s +nameOverride: pLehdV +service: + annotations: + RER: AU + name: MnW8I02 + ports: + - name: 5bgCNjS + - name: gh + port: 792720017 +serviceAccount: + create: false + name: "5" +storage: + volume: + - name: T6INhQ + - name: p0 + - name: EO + volumeMounts: + - mountPath: "" + mountPropagation: Ǜ绕:O+ + name: 4JTdCoLQd + readOnly: true + subPath: RUx + subPathExpr: 0E +test: + create: false +tolerations: +- effect: eǏ=ij醲55 + key: u7vPGy + operator: 欿漎蠶Ðã&¸ŭ垨甕Tàm?Ɣ + tolerationSeconds: -521603474102550743 +- effect: '&縐斮璗ɂĤǤǬŽ56=v謿ȭV囪''' + key: X + value: WYufSN7QfU +-- case-032 -- +auth: + sasl: + enabled: true + mechanism: MJPD + secretRef: SOj + userName: uc7UDCO6UyDA +connectors: + additionalConfiguration: ALs + bootstrapServers: xxQNBWz7 + brokerTLS: + ca: + secretNameOverwrite: tx69jfpT + secretRef: trj6 + cert: + secretNameOverwrite: 5wer + secretRef: zNPqap9 + enabled: false + key: + secretNameOverwrite: 3z6qEC5 + secretRef: "6" + groupID: zqmIj + producerBatchSize: -1704513512 + producerLingerMS: 1028506959 + restPort: 108700971 + schemaRegistryURL: 5EM1GqOCR + secretManager: + connectorsPrefix: CjMvZg3JUj + consolePrefix: zyHuMqq + enabled: false + region: kr + storage: + replicationFactor: + config: -1678993933 + status: -154444750 + topic: + config: lw + offset: QcAJT + status: Cg +container: + javaGCLogEnabled: PB4k + resources: + javaMaxHeapSize: "0" + limits: + memory: "0" + securityContext: + allowPrivilegeEscalation: false +deployment: + budget: + maxUnavailable: -2014617172 + create: false + extraEnvFrom: + - configMapRef: + name: uiS + optional: false + prefix: JBs5bsgvti + secretRef: + name: ctUZi + optional: true + - configMapRef: + optional: false + prefix: tBLmRa + secretRef: + name: 5Y + optional: false + livenessProbe: + exec: + command: + - qSrxe9 + - Ofev8Bf + - nfwKAZufiqv1b + failureThreshold: -1742098812 + grpc: + port: -703296778 + service: JNtb + httpGet: + host: E8hIJ8 + path: Kl96M5dD4rvo + port: 654133412 + scheme: 慌屢癱ž塛F侱鬶7罧鿧P体玿».黾ƺ + initialDelaySeconds: 1821929188 + periodSeconds: -181833766 + successThreshold: 1453387906 + terminationGracePeriodSeconds: -411476157523094884 + timeoutSeconds: -54624232 + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchFields: + - key: LGd + operator: Ʌ + values: + - cBY + - nFQxMQr + - tEAxJ + - key: BVKZ + operator: 觹IJ坌s椉08扸ʥ毄葖0z絓ȍƌII + values: + - 69up + - yC + - HYp + - key: X + operator: ¡Ʋ眭LJqśȚ0ǹ侔T + values: + - UYuQ9O + - matchExpressions: + - key: aH + operator: 倿Ź?Y峬爰R鑾Ȳǜ辇抲縷Ł + - matchFields: + - key: qg + operator: "" + values: + - IDEoPBP + - "" + - 0lyO + - key: aFD + operator: S[橧馐畷蒜ĦţƦxȪ + - key: PPBiwi + operator: Ɖ埓yxȨ崪ǒ圣ǥɳƹ涿跉礃s + values: + - Oim4eTI + - Q + nodeSelector: + PcQX0bVt: 3G + zZB: WG + podAffinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: 8u0nAOFL + operator: 甼 + values: + - tGVYkHw + matchFields: + - key: Fx7oaUO + operator: 辫â8ŸÍc莄ʠʧ + values: + - TbB0SsDhMS + - M9bg + - B + - key: EZlVGKXh5f + operator: d渚竵铃染訧鑩曠辕Sds±Z;œȽ + values: + - CrZH5k2 + - c0oyqS + - key: jiER + operator: b杒嘡ǒ堷©Ƣp髼ö + weight: -1261259648 + - preference: + matchExpressions: + - key: FarFKE + operator: ő%ȫƗ¥+Ŝę恏率偻z髋0BĖ乌 + values: + - LY14XZEILK2 + - d + - key: 70ON9Dm + operator: 1瑚秤¤m½m + values: + - 3gTEM4ST + - key: TKDlMr + operator: ȍ + values: + - L + matchFields: + - key: "" + operator: žE#烊0Ľ曆熥o圉釣XĂ\i螜 + values: + - Qx2kr52zB + - 31Gxk + - cMRkpXPFx + weight: 302435895 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: "" + operator: 浘L# + values: + - LaaH + - 9zM + - Ph29 + - key: B6I + operator: 孞 + values: + - "" + - key: wsS + operator: PȚʀ鑋#栧^ + - matchExpressions: + - key: iflb + operator: MĽ扶C隕ÿ僬í + values: + - o + - kCQif + matchFields: + - key: "1" + operator: 桼ǎsc?ɇ銂 + values: + - rj5 + - wZ8 + - 28Qk + - key: ivMKhM6Ng + operator: Ō/DHT + values: + - gPzgA8 + - Cn + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: s7LHzr + operator: 抧胏$,鵩zǑC©\0vǻɛdz + values: + - rXF + - key: vqysFQX7b + operator: 網Ɉ諌繶ŃbĔj¡ + - key: EUeMa4 + operator: '''鱿pKp馚獮Ú' + values: + - S + - Dz + - wfXfb + matchLabels: + PKUW: Ve + bJOsUOZaJuvc26: XCVIx1 + mismatchLabelKeys: + - OKf + - EzEPAt + namespaceSelector: + matchExpressions: + - key: RKK1 + operator: "" + - key: qDcP4rJ + operator: ƊƣŋsŅ癳鷝3饔¶醐偹 + values: + - s + - "" + - key: 3Np + operator: 揷1Ä[昲ļ莶瀵ƄDŽG~満蒺醟ɟ + matchLabels: + RYJVB: I1y + yc03l: Ifbv6Y + namespaces: + - Z0 + - H80DAh + - 2GH6 + topologyKey: cqxmR1v1 + weight: 885036961 + - podAffinityTerm: + matchLabelKeys: + - OgTFlLP + - W8V + - 2H + mismatchLabelKeys: + - avBvdF + - CTPHay7gi8D + - CUr + namespaceSelector: + matchLabels: + tVu: 6F6BjVP + topologyKey: e + weight: -1410166394 + podAntiAffinity: + topologyKey: 0DOToT + type: 8KfZon1YzpW + priorityClassName: uANVq3U + progressDeadlineSeconds: -1510581315 + restartPolicy: vȺW + revisionHistoryLimit: 2114813392 + schedulerName: CR + securityContext: + fsGroup: -4345780033128932342 + fsGroupChangePolicy: ŧ抱煿ɋM莱皥櫾u$zȉx + runAsGroup: -6541979602773327729 + runAsNonRoot: false + runAsUser: -2014124308289474379 + supplementalGroups: + - -5994021217522109572 + - 3115969151950428485 + - 1514830751691567190 + sysctls: + - name: Is0j + value: JRx4T5 + strategy: + type: g5YzTXRKD + terminationGracePeriodSeconds: 1682090836 + tolerations: + - effect: U褛ɡʇ栂DzǞɴ鲀ǟŻ9 + key: FA2 + operator: 7泏舰ʒ佦ıã}譏'nʣ + value: MyulL3h + - effect: '"dz蜢过7ɏʀ' + key: kOQC0mIA6 + operator: '{僈ʐ' + tolerationSeconds: -9100644779241505077 + value: ROuVy0AbXRg + topologySpreadConstraints: + - maxSkew: -1084227068 + topologyKey: Ux0A3NJk3z6 + whenUnsatisfiable: w + - maxSkew: -1233692580 + topologyKey: oKELv + whenUnsatisfiable: "" + - maxSkew: 1321736372 + topologyKey: FKXPNh + whenUnsatisfiable: CqkZsey + updateStrategy: + type: Ml6hC +fullnameOverride: 8geRNocLQ +imagePullSecrets: +- name: vEXV +logging: + level: 6BNIG1 +monitoring: + annotations: + IPxJONB: hl8rm + iBHXKAAq: hRyn + wPazmhbAf: VofDQ + enabled: false + labels: + 8H: b5A0R8i + AisU: 65Df + oJbv: "" + namespaceSelector: + any: true + matchNames: + - n7CaGZiO + scrapeInterval: 251223h36m21.463919144s +nameOverride: "" +serviceAccount: + annotations: + 3R: vWbEq + 4dl9GK: DwjEF + name: 1Fc +storage: {} +test: + create: true +tolerations: +- effect: B獲鑽RłŠc + key: Zqpy + operator: '`瓋ßW§陆tPǶ' + tolerationSeconds: 6401684450581885663 + value: Vdg8va +- effect: 7婾!彡í萿ǜ暸4*ǝ瀒ɛāɈ琝ɢ + key: NRABB0k8z + operator: ǡ纈g旆Ǿ璈Iôÿ + tolerationSeconds: 1163412628738463513 + value: qkbLHbkA1 +- effect: ɻKpP詮aŁ齱隘' + key: 960b + operator: 諻勵灵ʙƈ3ɋH瓴_ǹĝ屳ݬ8-霖) + tolerationSeconds: -8804703866897420576 +-- case-033 -- +auth: + sasl: + enabled: false + mechanism: eEWwk + secretRef: SH + userName: x +commonLabels: + KZj1Dby: 4SqUXw +connectors: + additionalConfiguration: NbkZ2Rd4mDlY + bootstrapServers: f2 + brokerTLS: + ca: + secretNameOverwrite: tvY + secretRef: L + cert: + secretNameOverwrite: CO + secretRef: f + enabled: false + key: + secretNameOverwrite: 6aXwjPggIiB3 + secretRef: Me + groupID: JyPpZo7 + producerBatchSize: -1287630260 + producerLingerMS: 823182257 + restPort: -1714220122 + schemaRegistryURL: xFi + secretManager: + connectorsPrefix: 6EBYOEL + consolePrefix: Vbhe + enabled: false + region: CuG + storage: + remote: + read: + config: true + status: true + write: + config: false + offset: true + status: true + replicationFactor: + config: -808584898 + offset: -1416545391 + status: 224731880 + topic: + config: XunwY9Z + offset: 6q5 + status: "" +container: + javaGCLogEnabled: LSKF + resources: + javaMaxHeapSize: "0" + limits: + memory: "0" + request: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: false +deployment: + annotations: + EaNQ34T: okvsiPGFK + ZsH7Q: LEUOL + zgKn: 48IBtjSW + budget: + maxUnavailable: 1153958610 + create: false + extraEnv: + - name: Plcb + value: j5YPI + valueFrom: + configMapKeyRef: + key: kD + name: 7v + optional: true + fieldRef: + apiVersion: fb1Ci + fieldPath: P6f4Va + secretKeyRef: + key: 2S40J + name: V + optional: false + - name: YU0bfO + value: jT5 + valueFrom: + configMapKeyRef: + key: "" + name: OBQye + optional: true + fieldRef: + apiVersion: UN3v + fieldPath: N3NnHg + resourceFieldRef: + containerName: TM7dU9JK8Y + divisor: "0" + resource: T + secretKeyRef: + key: drFdfsyL + name: Wn2 + optional: true + extraEnvFrom: + - prefix: glV + secretRef: + optional: false + - configMapRef: + name: F2 + optional: true + prefix: sYg3PgmtONE + secretRef: + name: 4jj + optional: false + livenessProbe: + exec: {} + failureThreshold: 573208914 + grpc: + port: -638612534 + service: wnmWj + initialDelaySeconds: -1420646333 + periodSeconds: -1027365231 + successThreshold: 1837320543 + timeoutSeconds: -508996840 + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchFields: + - key: HDmW + operator: ;ȶR啗xǐy焇灠黰&TɟĬ&啛ɀǕĬ + values: + - dLkZmcXwkLs + - key: bSlNFm + operator: "" + values: + - 3b + - k + - "" + weight: 1914081742 + - preference: + matchFields: + - key: xHLN5 + operator: Eõ虾¤ + values: + - PU + - F4 + - key: REzxn + operator: 唺fµȾHſ劫藦92ţ5刀īȓĥ + values: + - X2vhuqGtb + - 1R + - key: r + operator: )勢ƞʚTćĬ:湭Ǽ焿0\Dzl[邉缝髶 + values: + - PVMaw + - GUlDync + weight: 742714062 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: qtAZ + operator: ən翪洤 + values: + - SD4d + matchFields: + - key: 7NKbhI + operator: 絀^Ŕɛ¢Șl磹Ĺ(ȊO转z菙 + - key: ENUX + operator: Z鞏ƞ慧榷ǐéĕeʫ + values: + - NsTlbi6Hmxvy3 + - "6" + - "" + - key: 0Yz + operator: R£tsb蜗壤筧=鳪e侳V3ƻœ鏮ʖ + values: + - drirgX8L + weight: -1974323169 + - preference: + matchFields: + - key: OulPYnl + operator: ʑȆ&v爆 + values: + - QAbG + - "5" + - vThiAm4DKnR + weight: 1744834253 + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: RZ0 + operator: ƘɁÏą穼ß箮skhƗ + - key: 5yUXaY + operator: 澊 + matchLabels: + EO: wphVPH + Kl28xmWooSwuDBr: nRALc + bOnK6: 8h3Kg0kj3h + matchLabelKeys: + - ntr + - X + namespaceSelector: + matchExpressions: + - key: JYy4u + operator: +ʭkV閁ʏʜ + values: + - jkE8rylM + - wh5eUaC + matchLabels: + "": Hjs7g + QD3Y: EidIPZjSBG9K + namespaces: + - j4WhLEEpQb + topologyKey: 7HX2euiB + weight: -1553649478 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: 93LTmJdbA + operator: 釨鼟峷°DX砛熏Ʋ + - key: Qk + operator: G·ck玫昿圜Ŝ#ʢohȉ$( + values: + - LmlJeSGYq9n + - C9Z73 + matchLabels: + PVQO0E: 3jKFJCwD + p8om: GjoV + matchLabelKeys: + - UrJ + - doKW + mismatchLabelKeys: + - uW4b1SK + - u + - RL + namespaceSelector: + matchExpressions: + - key: KDCwy + operator: ']ȏ jë众膱wɯ.I<¿Ú' + values: + - XYHrwjquv + - Hyk4Lj + - key: wAwVtJ + operator: '''Qxť\ț(f簛ȩ:@&庈Ť橁覡ů帳' + matchLabels: + Axf: NWQcZ + MCs: i4TQ2Fe8F + vL0h88SLvP7: E6 + topologyKey: s + - labelSelector: + matchLabels: + "": eTRlnmbOW + 9RkO: jLG + ZDom: GB + matchLabelKeys: + - Lkfq9 + - NugOS + mismatchLabelKeys: + - rI + - BLa6OVk + namespaceSelector: {} + namespaces: + - qNM17 + topologyKey: FWQOV7 + - labelSelector: + matchLabels: + 99oIA: 7kSmhXyDAZ + UFkHemc59: lgVte + poY7Q: cWSM + matchLabelKeys: + - jVKy + - Fi4Zzb0QUZ + mismatchLabelKeys: + - nYl + - oIFzB + topologyKey: wc4Xr + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 2WfHC + operator: cĚ任纽a嘟ü庙孋ā槣. + values: + - hZ5fwO + - "Y" + - RD + - key: Joz0bWO + operator: 燎Dkʆ)湽ƫd逯[榄TȽǍ + matchLabels: + RdfPjfak: D + nXYCGG0nf: v7uex1KBj + matchLabelKeys: + - Mmq2 + namespaces: + - VWlNF + - 8RCQE + topologyKey: SAT9 + weight: -812925678 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: "" + operator: ŇɈPĉɳ芏({#'蒛腟敐ų狂釽ƇǴh + values: + - e + - SsHkkcDn + - key: m + operator: śC芲c佟m + - key: ycN + operator: ȭ + matchLabelKeys: + - C + - EUsKF + namespaceSelector: + matchExpressions: + - key: 08sB7HIXW + operator: '{' + values: + - g498LM + - JTB + - key: sLymAyu + operator: 卤{蓍.蕕[纄( + values: + - 0jdLbJ + - "" + - RCaa + matchLabels: + 7M54ahTjl7: NUmm3 + Uw2: t + n9UP: q2uq5Q + topologyKey: Xx329oG + - labelSelector: {} + mismatchLabelKeys: + - jL + - uGU2PnM + - c3qyD + topologyKey: oD9hq + podAntiAffinity: + custom: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: WoYoJXLV0TP + operator: ' ǵeMsɌÆ' + - key: MSdKGV36l83Ke + operator: Ǩj檨ȭ囨氀R钣吏祦ǘR鴛鿾fA + values: + - bEiF39wz + - EWyj4AH + matchLabels: + blQ: brhb + matchLabelKeys: + - 5J81 + - pc + namespaceSelector: {} + namespaces: + - zbPsR + - "" + - Im2BK + topologyKey: uaWl + weight: -1926616342 + - podAffinityTerm: + labelSelector: + matchLabels: + Ye: GUeM + bVTC: "" + matchLabelKeys: + - If + - J9b4 + mismatchLabelKeys: + - "2" + - 9WhJ + namespaces: + - ySEUgx + - R + - M + topologyKey: K + weight: 1801940585 + requiredDuringSchedulingIgnoredDuringExecution: + - mismatchLabelKeys: + - s70p + - xK2tPDm9 + namespaceSelector: + matchLabels: + 3kt5: 95iXhN + miVTQ: Wwsg + namespaces: + - "2" + - U9S1v0ZrRM + topologyKey: xbCfBpsr + - labelSelector: + matchExpressions: + - key: 5sbyp + operator: ÓKzɑĐ®w 辪,厑bʏ佢 + values: + - HBC5IGEufvb + - RJeM + - e8DsOIb + matchLabels: + 0x: ei2F + matchLabelKeys: + - CVu + mismatchLabelKeys: + - Y1y0LR5js + - AdDsZLbi + namespaceSelector: + matchExpressions: + - key: "" + operator: ɮ囧ʪy纽Ŀl騦糭9ɼ騏鋂@_Dï + name: 1NfYEa + readOnly: true + subPath: LtO +test: + create: true +-- case-035 -- +auth: + sasl: + enabled: true + mechanism: 9y9We1zI + secretRef: "" + userName: hK +commonLabels: + co: MffSo + fdioW3StBvzyh: z + wle: mprjb +connectors: + additionalConfiguration: xCn + bootstrapServers: lueYFRx + brokerTLS: + ca: + secretNameOverwrite: "N" + secretRef: lIHvSGq + cert: + secretNameOverwrite: 8ke7H + secretRef: 7EnI0fI + enabled: false + key: + secretNameOverwrite: gUW + secretRef: en9C + groupID: Ue8y5CIOm1s9 + producerBatchSize: 1967229260 + producerLingerMS: -2029655136 + restPort: -559590357 + schemaRegistryURL: BkE6kE + secretManager: + connectorsPrefix: jMsIX + consolePrefix: CI19 + enabled: false + region: xbUhDB40j + storage: + remote: + read: + config: false + offset: false + status: false + write: + config: false + offset: true + status: true + replicationFactor: + config: 1605214820 + offset: 707115192 + status: 233180346 + topic: + config: "" + offset: F + status: JwDpg0NW +container: + javaGCLogEnabled: ciu04f65 + resources: + javaMaxHeapSize: "0" + limits: + cpu: "0" + memory: "0" + request: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: false +deployment: + annotations: + 1XmrLdtzO: x6 + 6ZEV8g: jYUmAT7zj + ziKge: "" + budget: + maxUnavailable: -628496383 + create: false + extraEnvFrom: + - configMapRef: + name: Qi + optional: true + prefix: rvhE + secretRef: + name: iOK + optional: true + - configMapRef: + name: D7eYG4k + optional: false + prefix: mrA + secretRef: + name: q0wiP + optional: true + - configMapRef: + name: dGrcQT + optional: false + prefix: H01JO9 + secretRef: + name: AzjE + optional: true + livenessProbe: + exec: + command: + - teEwkHR + failureThreshold: 822446899 + grpc: + port: 1454930159 + service: Eiw + httpGet: + host: OL + path: YZ5Z0 + port: 1894574353 + scheme: 9Wƾ + initialDelaySeconds: 689975920 + periodSeconds: -1584300544 + successThreshold: -1437519051 + terminationGracePeriodSeconds: -3687935972297794657 + timeoutSeconds: -1664535334 + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - {} + nodeSelector: + yTNxFo: PwiZc65 + podAffinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: hua3lxe + operator: ȅ覝nȔl癋薳ǭ鳳e楉輴ʛ膧Ɵ + - key: JhcL + operator: 趸ƺ胀½+? + values: + - mP + - key: S1hp5 + operator: ï蹃S"KO蔨ʬV虴ķçȁ + matchFields: + - key: xNvhdu0t + operator: ʉ菋3į6娡褛Ǿ襚蛶髳sxZƯ铴 + values: + - zOLf + weight: -62270409 + - preference: + matchFields: + - key: BL + operator: ƓťĿ誁W'鬂ƫqʚ姸轈晾H>至Ƒ欌5 + - key: nS + operator: 塘ijʬ¢| + values: + - CeKuW + - lSaF + - "" + - key: "" + operator: c;锢%Â簰 + values: + - RProQwMwq + weight: 29536709 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: 1Ejbb9t + operator: \9ɫǡ¥ȇ賗 + - key: XlWI4o + operator: '`ȍ泆ɮȴ湨齀Nn2衅' + matchFields: + - key: ZfkSvnt + operator: oơq斡K + values: + - m5k + - A + - "7" + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: tSj + operator: 亁Dž{裧箼e褰ʟ¿Ěv.劮-Col + matchLabels: + xT: 5w6 + mismatchLabelKeys: + - sFVA7a + - rQptjq + namespaceSelector: + matchExpressions: + - key: a8z5P + operator: N戡fȤȴ/栎承\ƽʧs + values: + - vQO1HBT + - key: nuT4ryYMW + operator: ȐƑ蕙.R<偳ř + values: + - g + - IsCtuvE + - 1e + matchLabels: + 6i2L: ffkUfVgqn5 + topologyKey: DFMnWiQikvU3OC + weight: 270744476 + - podAffinityTerm: + labelSelector: + matchLabels: + aKLo8qtH5FR: ZM4Ko + pVf1B: 08llv + pxd: D1 + matchLabelKeys: + - "Y" + - LnTPn + - dD6f + mismatchLabelKeys: + - DKe + namespaceSelector: + matchExpressions: + - key: K4Jk0qV + operator: 蔴桲mȴ + matchLabels: + 842orL5dk0V: i328gg + WUC2Th8PnM: nsm8 + topologyKey: stQ + weight: -2095359713 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: y4 + operator: "" + - key: Jmz + operator: G#ɽ¤伖;ƶ迸,øn阽w + values: + - h1qfybGhqVz + - wzaLoKm + - key: mkmqLc + operator: "" + values: + - fV0Lk + matchLabels: + W: UNez + matchLabelKeys: + - MsmG7dsI + - 18RDxZo3 + - GtxTNKicmIW3H + mismatchLabelKeys: + - i83G + namespaceSelector: + matchLabels: + DsA: dEEI + l6KxKO: K + nf1q: 8t0TDWCLm + topologyKey: 0Bnjw + weight: -2070111635 + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: Go7711 + operator: 皞蹾t蝧)ď巧M迢ɍ`ɸ垕Ĩ瑟J拣實 + - key: iSBfvzSgq + operator: Ȕ:奧焸N_鵪疉ǂF>Ėƿ颛Ǩ)UÝ + values: + - "" + - mOh + - h + matchLabels: + Ei3jdSr8rf: T0VF + KpOUQNu: LVu + matchLabelKeys: + - 3R9wM + - jYR + mismatchLabelKeys: + - OYdNi + - FFUZW + - gL + namespaceSelector: + matchExpressions: + - key: ne81Y49o + operator: 且逼÷A橼­U鐀 + - key: MPlYsS + operator: 馇漹2懛ɒȡ + - key: kz59leD + operator: ȓ3șGzäǧ畬ź*S遯ɱö + values: + - "" + matchLabels: + DnxHc: IIMKKTh7 + jytoiQ: CVq + wJ: B2fd06 + namespaces: + - Gc6fCxz1v + - PzUKSWVR + topologyKey: xQdglfgw + weight: 52691844 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: XXROV5RgOi + operator: '* 鄠hɨ乛ɝĞ#.瓏R蹎倮IJ:嚾' + values: + - e2js0jjV + matchLabels: + BtjCwBEeW5: 2c5wlpNtqI + matchLabelKeys: + - A + - J1Q + namespaceSelector: + matchExpressions: + - key: fHsfsI + operator: 工轹檏嚮ɁǤlňȋ + values: + - LKuQ + - t9Ik + - key: q6a2D3dkj2IO + operator: Ĕ时KɯU抃oʐ董5ŀ + values: + - XP + matchLabels: + 8FEMj: "" + lQqA5yzol27: r + namespaces: + - YIB8e78c + - NBpb4zKSXKv + - yrQw3s + topologyKey: OM7 + weight: 227615315 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + ditk2i184: 1H + fYAoB1dq: u + mismatchLabelKeys: + - 40o7Pt2t + - 6M8vIjdH + namespaceSelector: + matchExpressions: + - key: k0CLLWJ + operator: "" + values: + - PKnQ + - lk5fQk + - ZsVT + - key: 9xJA + operator: 売綺脕cƍʆ + values: + - wzppcOCF1 + - 8vNtmtdYsi + matchLabels: + K4NQB: GbVVmB + Tp: locia + topologyKey: "" + - labelSelector: + matchExpressions: + - key: GNUe + operator: ȳ魴饑揁´ƷLj敧 + values: + - 7cPl9 + - Ku1R6PGe9 + - 0GN2ik0 + - key: OKhwX1 + operator: 'ǒgǝǓ<鋓ʞ墝y浧þ:' + values: + - fJu93tqNe + - PI1Mfnnd + matchLabels: + 5P: o1Q7aT6 + CN8OViOmJe: 58saw + LQa: beDgm + matchLabelKeys: + - TUwrwr + mismatchLabelKeys: + - axK7kBkv + - BiYeKoe + namespaceSelector: + matchLabels: + TNPCe: "0" + Xr: 8j1rURg + c: o9r3qP0D957 + namespaces: + - rtD + - ZemRs0 + - xQ + topologyKey: YB8SGwhpwV + - labelSelector: + matchLabels: + A: 7q2fmfhX + Glg6E: MED4T + sixl1: H33xj + matchLabelKeys: + - BPsroSH0 + - 6z + - CRCc1 + namespaceSelector: + matchExpressions: + - key: KjSwLS6aQ + operator: 8B + values: + - BWWAR + - yVGIt + - poDVRjb + matchLabels: + 7cdkrUS: 5BC + D2Wtwzg: etyr + QIrgRhA: LrxtNTzNr + namespaces: + - DxkXW + - NR4 + topologyKey: 28GQ5Xo + podAntiAffinity: + custom: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: f + operator: ʇŨ礤Z<ǴjyG|wƦ + values: + - ejvRuuwpt1 + - gLMIfr + matchLabels: + 78L: e + Ohko: iVVK + U: I9 + matchLabelKeys: + - IC + namespaceSelector: + matchExpressions: + - key: yuDaghaX7MsB + operator: q蔧ƙÇ¿ƣ鷒啈? + values: + - 8j4L6QsQ + - Uth + - key: Na + operator: "" + values: + - UGpe7wJGcv + - gOerw7DKX + - key: Aibu + operator: tĶʉĺA8p撪ȟ骁)5ĩ碦Ƴ + matchLabels: + pUncJd: pIfYj + namespaces: + - z6PvXvcdOJ + topologyKey: "" + weight: -369728494 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: VqyjJ1pe6s + operator: ɗ嵓 + values: + - 3I + - 3UKCu + - key: XguC + operator: 紂2(ɦ-ɒ煭5U + - key: JDe77b + operator: '*糆忮.ʊ认t昢Õ3' + values: + - H8WZa + matchLabels: + iPqYx: DhnnZ4xOm + matchLabelKeys: + - Js + - ouXfTI + namespaceSelector: {} + namespaces: + - 2OLQUB2p + - 3mETX8a + - lR3 + topologyKey: Jrv + weight: 514367026 + - podAffinityTerm: + labelSelector: + matchLabels: + 1mp6: 99m + 4Efw2wZ: bkoOfCrTsAtp1I + K7eVPls: FPhVHNRC + matchLabelKeys: + - e + - k8c29C + mismatchLabelKeys: + - 8jFnMm + - ajCfcK + namespaceSelector: + matchExpressions: + - key: SD + operator: 騔遲榌 + - key: seFza + operator: ʨĶ躾 + values: + - lWQMf + - key: aKMU + operator: łĩǼƬ\ɲÛ + values: + - 9O + - "" + matchLabels: + fWl: rvQ + topologyKey: vK45 + weight: 780671227 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: YPiAewyLf7 + operator: ǿHżǕ|厪载ț菖Rŧ緽甀4懅Ŭǘ泛 + values: + - "4" + - k + matchLabels: + 6m44: Px5C0 + mismatchLabelKeys: + - SW + - "" + namespaceSelector: + matchExpressions: + - key: bia9 + operator: "" + values: + - uEN + - i + - RneeyW + matchLabels: + 2z4sJnMZ0zanj: XsE9K9qNs3R9d + FE3xnQiMzs: pH + "y": AuxHvFSO5 + topologyKey: Ahkr + - labelSelector: + matchLabels: + 1BI9O: TK + mismatchLabelKeys: + - ADboVaek + namespaceSelector: + matchExpressions: + - key: "" + operator: 挭ɴ + values: + - mN + - "5" + - key: "4" + operator: 庘 + values: + - SNA + - X4aO + - key: "3" + operator: ȲmǪǯy`H腂Ǭɚė;a豮塃ŨB墻 + values: + - rFKRGJSh7izi + namespaces: + - Eu + - ukjSfz + topologyKey: 5p9 + topologyKey: B4OXuwDjfXhpv + type: 3k8SY + weight: -646418769 + priorityClassName: PgbnRKfoNZ9 + progressDeadlineSeconds: 896415388 + readinessProbe: + exec: + command: + - NOohSUxF4B + failureThreshold: 1326051879 + grpc: + port: 167069356 + service: KOkYxO + httpGet: + host: iod + path: cv + port: -1874700217 + initialDelaySeconds: -286116672 + periodSeconds: 215270432 + successThreshold: -1666168294 + terminationGracePeriodSeconds: -4429146824329263796 + timeoutSeconds: 1016008226 + restartPolicy: ʘ鿕1 + revisionHistoryLimit: -756285031 + schedulerName: wkog + securityContext: + fsGroup: -7875411171408920752 + fsGroupChangePolicy: 8^ʝȽ袈gǖ陘&X + runAsGroup: -6294097412272475416 + runAsNonRoot: true + runAsUser: -5578668191823418258 + supplementalGroups: + - -8360179017668391912 + - -5953270946476852863 + sysctls: + - name: QCC + value: 6BUk + - name: OblhYC + value: 69u + - name: 6wi2Dp7MdE + value: wk + strategy: + type: ovF4f + terminationGracePeriodSeconds: 1666535039 + tolerations: + - effect: 賥蟽 + key: Ib7 + tolerationSeconds: -5135177309592069822 + value: sbwrIR + topologySpreadConstraints: + - maxSkew: 1411650727 + topologyKey: ajVI22c + whenUnsatisfiable: GTjhhGH + - maxSkew: -1481674415 + topologyKey: Ed + whenUnsatisfiable: 3Y59WCet0 + - maxSkew: 2066507739 + topologyKey: EVEZo + whenUnsatisfiable: dGL6aGB + updateStrategy: + type: IxL7 +fullnameOverride: 6fr +logging: + level: je +monitoring: + annotations: + "4": kTkxkO + enabled: true + namespaceSelector: + any: true + matchNames: + - FKCzSYm7gaXuLQ + scrapeInterval: 1559435h40m40.991511561s +nameOverride: PeueQ +service: + annotations: + YaiOBiXa: rQx + ofToM: "n" + name: mC3vFeP +serviceAccount: + annotations: + "": 9hOutlF7d + PgHx: nJWqenXs4B + create: false + name: WnDtqu +storage: + volume: + - name: 4W + volumeMounts: + - mountPath: "" + mountPropagation: 泽{9ǸSĝy鯘匉ʩ顎 + name: K + readOnly: true + subPath: ZYmQ0MFTxpFIcfQ + subPathExpr: 6Eof +test: + create: false +tolerations: +- effect: 珧卣硁 + key: q + operator: f甗垈ɰ喸ɋʍLi邦痔昝 + tolerationSeconds: -3369346527291309714 + value: 8CRfBsQ +-- case-036 -- +auth: + sasl: + enabled: true + mechanism: 4pr3gf + secretRef: Na4b + userName: ZTak1O6cR +commonLabels: + 1qqW32x: "" +connectors: + additionalConfiguration: LhQU + bootstrapServers: PJXgS + brokerTLS: + ca: + secretNameOverwrite: pMccWpS50Tt + secretRef: MyH + cert: + secretNameOverwrite: c4sa0FA + secretRef: Iv + enabled: false + key: + secretNameOverwrite: EOAKr + secretRef: no0Ke + groupID: XuGw0bAvU4mCl29 + producerBatchSize: 1402635005 + producerLingerMS: 1479365932 + restPort: -1153123375 + schemaRegistryURL: owIrcBoHKcGy + secretManager: + connectorsPrefix: FtgUV7wBq + consolePrefix: wUj + enabled: false + region: 3d60 + storage: + remote: + read: + config: true + offset: false + status: true + write: + config: false + offset: true + status: false + replicationFactor: + config: 935026050 + offset: 1816899175 + status: 1556885434 + topic: + config: BKIQd85 + offset: AqMgsp + status: cB +container: + javaGCLogEnabled: 92CKlhkT1dY + resources: + javaMaxHeapSize: "0" + limits: + cpu: "0" + memory: "0" + request: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: false +deployment: + budget: + maxUnavailable: 867420096 + create: true + livenessProbe: + exec: {} + failureThreshold: -1589865511 + grpc: + port: 397887456 + service: aC + httpGet: + host: RIACQ5bT + path: ubCDRTj0 + port: G6dz + scheme: v怑撴碥dz/Ȱĩ褔ć咫眜 + initialDelaySeconds: -621095822 + periodSeconds: 280342995 + successThreshold: -167276282 + terminationGracePeriodSeconds: -787336059945079524 + timeoutSeconds: -1535167124 + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchFields: + - key: 3bTiSjGL + operator: Pʡdz饿n抈Ʊt嬩癘Ƈ + values: + - AGfqyUGQXxyY + - FVcNDfkQ + - v3hp7MN8nVKE + - key: L3S + operator: -殊 + values: + - 97iUcu + - dXmY + - KUxQvBTJu + - key: YNi + operator: ijS泉ľ;ŒvS阸多嵠{ + values: + - xf0B + weight: -207219009 + - preference: + matchExpressions: + - key: EAkVkI70 + operator: 钚寽蛺izȭ7_掅桘 + values: + - aAWkk + - ze + - 3wGu + - key: 3RyfQc6N + operator: 5ɔ螗śLƆ扒\ƃ"氧ɉ + values: + - Vv + - key: 1vVqYpX + operator: Yto%Iƈ?暊I)琣?Ć痕猖ȕ + values: + - 9yyhe2i + weight: 2145655584 + - preference: + matchExpressions: + - key: vYGC + operator: 缈饜代u灧Ȼ + matchFields: + - key: Xbz + operator: ż苡訖ɑʟĨı齻@IJ騮削ƽ蹄濁榷鰠 + values: + - qFq5zh0O + - yG0 + - nT + - key: P3 + operator: ǧ唾潣PNJ掉ơ\庱吳.,OLX + - key: 3ATe + operator: ʦ恀^ + values: + - LUm4b + weight: 351084922 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: XLalOY + operator: 挝R凗ŵ莁5E7?Ȓʍm篫l{Č蒄 + values: + - YrzbvR + - 5awUoV + - a + - key: bhAd + operator: 鴵鈌ąt烿æy伸?^đĔʎ{Ç柧 + values: + - GqRb + - key: 8WgrpCvg + operator: bAMƺ惸鹖ŏ垇ɔǁI庫û*ɔ嶢ɚ菑 + values: + - BRd8A5 + - "9" + - K9hDIBU + matchFields: + - key: FntInb + operator: '{@əɃðŗ8''4' + - key: cPqf3 + operator: Ƌ娔殺慑 + - key: o + operator: ɧlǬ量GJ恉əŏ滸IōĈwǝ栢Jȡ + nodeSelector: + gQqg: rQO1 + podAffinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: zOF + operator: 朜褜虳忈笊=^ŦĀæ珆.ļǥ禼%鄍u坳 + - matchExpressions: + - key: 1c49YQG + operator: 鉃) + matchFields: + - key: 8VgAhL + operator: 鲼緊+靠侠婎SiǛ + values: + - xRTpCX4 + - key: nMJRs5gZCA + operator: j¯4x篭竪嗎餀箈aƦğt勤 + values: + - bJ + - matchExpressions: + - key: w2ZrgZZ + operator: 枓2ǘI1~MCʮ毳鲠紱$ + values: + - 2m4u9O + - key: V21P + operator: GɫȎt铊ʍ + values: + - LMhd + - "1" + - key: M4HbYG + operator: pƘá褊ŋɃ縷Ř4#r珩伌 + values: + - 2J0tPZtjgGXw + matchFields: + - key: ZIVyS8kWnnfkYw + operator: c耑 + values: + - Us3BB9T8ZiR + - key: Qhnd7 + operator: 醻墽Pʚ'pQĘ咒|庋Atǯ + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: IBWHBnu + operator: 陡陂ȗÍ + values: + - KiVSuBwz + - EKMAH2 + - KltN4D + matchLabels: + Uy: ndCtZ + matchLabelKeys: + - aH + - Jm1CJxCAOFTsTH + namespaceSelector: + matchLabels: + gNqMg: 4uZV + namespaces: + - IRrBPIF + topologyKey: gH + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: W7CLLYL + operator: p + values: + - wBg43v + - jjBoD + - key: mQi + operator: '鏷ï®Ɉʗ:' + - key: zZDCy + operator: ķËʢŖźg6 + matchLabels: + 16OpXu: Jv7c6Z + b: l7o9GuH6 + vHrx7Q7: AJ9NoDNx + matchLabelKeys: + - kuQP + mismatchLabelKeys: + - EOOVnE5 + - JATz6Dw + namespaceSelector: + matchExpressions: + - key: P82eyO3 + operator: .@薉敤 + matchLabels: + 9vDs: Q6Zs + topologyKey: sfoIVZS + weight: -135173201 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + jdVqK: 6uhB + matchLabelKeys: + - Pm + mismatchLabelKeys: + - Hn + namespaceSelector: + matchLabels: + n3Y: Z1 + namespaces: + - TCw + topologyKey: 7K8KHn + podAntiAffinity: + custom: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: EinF5FXZ + operator: bȓ1勳ɭ佽 + values: + - wqg6r + - 779ys6y76nH + - x0ataGm + - key: B25ck + operator: )罎ʟ²倮?.iÃw恷曇 + values: + - lAr5 + - key: tG5hyCt + operator: 葚鍍{ + values: + - VkGpC + - PTmNKiFT + matchLabels: + JcqEAka: 4bOR7 + PPatn0wk: 4tEsp0P7yU + vy1Z: MKK1V + mismatchLabelKeys: + - QRybRT + namespaceSelector: + matchExpressions: + - key: 45Q9A + operator: ũǁɩ + values: + - KlwquGdC + - 3vG + - YOsj4 + - key: uV + operator: Ȗ卑 + values: + - PDpyaQk + - 36Yc + - key: jiY1 + operator: "" + values: + - e4G2 + - QA0U + matchLabels: + zam9TqK: tw8 + topologyKey: Cm + weight: 1308300246 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: oZ + operator: 峜Ɂ墶Ă廮 + - key: 4hL + operator: Ǡ侩歹 + values: + - "" + - 26I2B2P + - 3d + - key: qG + operator: č 榢ĘJŔ + values: + - 6pCF + matchLabels: + QAJb6: zB + namespaceSelector: {} + topologyKey: oR + - labelSelector: + matchExpressions: + - key: aFlMv8 + operator: Ɖa獝^kÖįȆǶnjo愋Ɵ + values: + - pvg + - key: 1A9MoKhHv + operator: ĥ6t+飔鋹ɦ¨怙p|ɽ飏Ɗ軖ʎ沌 + values: + - zHCQw + - "" + - qmFwLPdm + - key: 91HCIQfS + operator: ɿĐ唁 + values: + - IFd + - A8I2KrfF7y + matchLabels: + 9CL: QuOz + RQ4ARy: ynSUOh2CV + matchLabelKeys: + - q + mismatchLabelKeys: + - WKzkVK + - "" + - Sx1Rq8OW2G + namespaceSelector: + matchExpressions: + - key: nZr2S + operator: šp釹%0Lj呱Ʌ + values: + - Ke1J + - key: xSGJ + operator: "" + - key: ZQqukWS + operator: 犨·UaíƄ(ɸ + values: + - tv8GH9 + - RG9n + matchLabels: + 2eHPmc: tu41f + namespaces: + - Q5fw + - GJCz + topologyKey: 6gB + - labelSelector: + matchExpressions: + - key: NL47lV + operator: ǽʼnõ颷 攬 + values: + - QbM1FbtaaCmsyj + - key: Jp0SssgWqj + operator: 糕]ÖXȨ佫 A澡 + values: + - fd + - XmxC3TWsEmq9 + - y0 + matchLabelKeys: + - n3UP0A + - W + - jr3hc + mismatchLabelKeys: + - bvXXaN6hJq + - nEpSV + - "5" + namespaceSelector: + matchExpressions: + - key: CNfZvS4 + operator: ʕ氼呟燌ƴ偻ʧ + values: + - vGHTqK + matchLabels: + "": QYu + 5sSOpIp: ojU2Q + aF4: 7so + namespaces: + - m0TP87i + - Dbr1WY4S6 + - Ddl9oOUe5 + topologyKey: k0qv0ARQ + topologyKey: PK + type: n8LqK + weight: 1862848677 + priorityClassName: xotT7T5AcOs + progressDeadlineSeconds: -1260879447 + readinessProbe: + exec: {} + failureThreshold: 1985429634 + grpc: + port: 1193887492 + service: Nqfbjui + httpGet: + host: W + path: cMG + port: BNN + scheme: ƅÉ鐴ƠÙ + initialDelaySeconds: 520999520 + periodSeconds: 1834416895 + successThreshold: -2144235192 + terminationGracePeriodSeconds: 5498268243526196931 + timeoutSeconds: -1654928979 + restartPolicy: '>Ȏ縂ɴ垍ū*' + revisionHistoryLimit: -1294473838 + schedulerName: mlm5OhgsGh + securityContext: + fsGroup: -24635125662907280 + fsGroupChangePolicy: Ŏ痿1>a茫ȡ跦 þ + runAsGroup: -3967780041970194819 + runAsNonRoot: true + runAsUser: 8970781034706956029 + supplementalGroups: + - -8270543106812796306 + sysctls: + - name: KljKqWpUKsb3 + value: 9Zv + - name: z8scvHARn + value: sk + strategy: + type: 5cn + terminationGracePeriodSeconds: 446877207 + tolerations: + - effect: ɟ + key: J906H + operator: Ȇ:龳虹$鿲Ȥ.t齹Ń5 + tolerationSeconds: 6789201977316389154 + value: vV1 + - effect: ©Ǯ膗Ǖ盉浝Ŝɟ + key: ju6amcMPM8UK + operator: 衭蛩ņý + tolerationSeconds: -8177010640192863674 + value: S + - effect: cÑ + operator: L晚G& + tolerationSeconds: 8159638238997450391 + value: OyDyWZoaY + topologySpreadConstraints: + - maxSkew: 1646710512 + topologyKey: MbS + whenUnsatisfiable: Ia0hRF8y + updateStrategy: + type: v85FBu8J +fullnameOverride: VW0lF +imagePullSecrets: +- name: zaKvtKNIW0 +- name: "9" +- name: fG +logging: + level: PAOVCu +monitoring: + annotations: + FZ: Lz + Hn: kspXbct2sc + enabled: false + namespaceSelector: {} + scrapeInterval: 2385507h10m25.926950118s +nameOverride: taotfWzUIl +service: + annotations: + lp92O: 1QnD84Dhxl + name: GxFDpR9IkU +serviceAccount: + annotations: + 3Of: dCI + qQF2N: p + qRJTCP06eO4: st9XdjpkUTE + create: false + name: srWYjAnpR +storage: + volume: + - name: qx + - name: XeUJ + volumeMounts: + - mountPath: MMqGiv5CN + mountPropagation: 鳮耐uíȪr + name: jHofb9BQ3 + readOnly: true + subPath: aDzkmP + subPathExpr: 4sgTWM4H + - mountPath: KhsFs + mountPropagation: Ǎ繟ƣʜ + name: V02ibh + readOnly: true + subPath: LF + subPathExpr: mi +test: + create: false +tolerations: +- key: Hsie1qK + operator: 7禝Řm蟷8š\ăɴń! + tolerationSeconds: -4804202694445470283 + value: UcY +- effect: 0þ嵡壱ʄ{祗Ů< + key: 7NdQZ + operator: '{#遲TƯ|薚嫛oQ¢龀êƶȈ肯A]Ħ' + tolerationSeconds: 4179143239755402759 + value: VzOAMkU +-- case-037 -- +auth: + sasl: + enabled: false + mechanism: 4jrWn + secretRef: "" + userName: 2sGSSni +commonLabels: + HSu1: FRG692y + QExXAto3Ub2T: etTOY4y8iSmyDOe +connectors: + additionalConfiguration: FTlQkC + bootstrapServers: LeVg + brokerTLS: + ca: + secretNameOverwrite: 49XwYgsyn + secretRef: 28O + cert: + secretNameOverwrite: Wf + secretRef: EDOE + enabled: false + key: + secretNameOverwrite: 7rwbl + secretRef: TaD + groupID: q + producerBatchSize: -1100237413 + producerLingerMS: 982363719 + restPort: 1885084612 + schemaRegistryURL: N8 + secretManager: + connectorsPrefix: zyFCC0ac + consolePrefix: VGoEYwVGt + enabled: false + region: gsEq + storage: + remote: + read: + config: true + offset: true + status: true + write: + config: true + offset: false + status: false + replicationFactor: + config: 575483838 + offset: -1765361377 + status: -1294780557 + topic: + config: fiLg3L + offset: WDtxRL37SvNV + status: Guofk9 +container: + javaGCLogEnabled: mn + resources: + javaMaxHeapSize: "0" + limits: + cpu: "0" + memory: "0" + request: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: false +deployment: + annotations: + PsITu: LgrI + budget: + maxUnavailable: 527993762 + create: true + extraEnv: + - name: 7PtPut9 + value: 4Uo + valueFrom: + configMapKeyRef: + key: H6 + name: JEPQ + optional: true + fieldRef: + apiVersion: yCSfB + fieldPath: HD + resourceFieldRef: + containerName: v0wW + divisor: "0" + resource: BliOlDq + secretKeyRef: + key: AOod + name: Ljqm + optional: false + - name: FItx + value: cZIyVQPdqZ + valueFrom: + configMapKeyRef: + key: O3 + name: KlO + optional: true + fieldRef: + apiVersion: BnfYTBc + fieldPath: xw + resourceFieldRef: + containerName: qzV549 + divisor: "0" + resource: sctpzNUt + secretKeyRef: + key: Ff4vJm + name: hoEa + optional: false + livenessProbe: + exec: + command: + - aAxGQ + - sdk0 + failureThreshold: 1572051601 + grpc: + port: -2511945 + service: mqDAn69OdiR + httpGet: + host: Cw + path: l2JEc34o3Oe + port: -1821016511 + scheme: E嫺S崕襅@卢莩ŹÍ + initialDelaySeconds: -455418157 + periodSeconds: 31037144 + successThreshold: 1836675270 + terminationGracePeriodSeconds: 3628590034628485216 + timeoutSeconds: -722680942 + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: tmEGf + operator: "" + values: + - yCcLCb + - O1NTsHk78miTJ + - key: KuvLpSp4X + operator: 獴ĝB违写õʕĠEɊ繎ª + values: + - oqAB + - "y" + - cLExkHCRfD + - key: tMxc + operator: 1Ņ鸩瀚羨鱬c)0ƶ音êA{ǷZŁȃ + values: + - W2 + - rXnf + matchFields: + - key: dvXtkKrlxr + operator: m駠祸¯獒ɌƗ'Ñnj嗰蒩,幔Ǣ + values: + - vDUy + - vzx4 + - key: UU6d + operator: 惂PqbKɕ`ǃȒCʉ鞊Ĩ% + - key: qm03jaCk + operator: a靔Pƴy%(AĔð勶乀ĥČI#ɃǙ蘨 + weight: -1872535291 + - preference: + matchExpressions: + - key: GjG + operator: űŌ + - key: UQ + operator: d欻Ɲ + values: + - zpBqznM + matchFields: + - key: gKn2 + operator: ÁŠ9玫Ʌ + values: + - Iij79g + weight: 1456486091 + - preference: + matchExpressions: + - key: 1Ef + operator: G飔8`ɒ蕸祹&匪璳拖嶴6s['%邗 + values: + - iBr + - "" + - key: RXMgUipZ + operator: Qāȃ鋘ǖ0iNɭȂuŦ褌7Èȝ鹊淋廽 + values: + - NB + - key: nb6 + operator: 杘ɯ#`慐 + weight: -1381009180 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchFields: + - key: YGfExP + operator: I喝ƀıjXĴǞư + values: + - gMwxOyRC964 + weight: 670180912 + - preference: + matchExpressions: + - key: PG + operator: 軋 + values: + - "" + - key: UG + operator: '#驇qeʩǏ¿貽帇2ʒ士眯隋ƋǨ' + values: + - QegWF3oN + - oatkrd + matchFields: + - key: 3eS + operator: ¼漒2踦{KǗ薵俧©2汻EÁ涼Nz珹瀝 + - key: X6L + operator: '|' + values: + - sEK2 + - qEPmyB + - VYZ + - key: 7RelIlVvL + operator: 幓賵ɱÞ + values: + - pDayYj + - z5Hu + - 4m + weight: -2031437615 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 2FJDM9 + operator: Ŋ>剫嫝"Ą樴娽Gɚ苊绬髻F + values: + - oHS + matchLabelKeys: + - "" + mismatchLabelKeys: + - p + - YjU + - 2odlypNfA95k + namespaceSelector: + matchExpressions: + - key: BT + operator: j^Ƹʥɩ缲摭沕 + values: + - dowWlQ + - bgMn + matchLabels: + X7j: En8zXY + namespaces: + - y2KQMu + - "9" + - zzZnV + topologyKey: tL + weight: 1287421908 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: o + operator: ſo{t柇壚乜狸羧{Xǽ桨嗂 + - key: xwmYvKHx + operator: oDžȫ涳ùY劣²ȩl,s槿ğ壽 + values: + - aWhHkHzjX + - UD9vL + - 0RGjdmKAyBU + matchLabelKeys: + - 1H + - JcEmqhN + mismatchLabelKeys: + - "" + - PDJ5Ju + - dXck + namespaceSelector: + matchExpressions: + - key: f + operator: C喅ŞiŒÔY屜槅*l$SXǙ + values: + - 9x + - key: 3W + operator: ȴ + - key: k + operator: c1ȝ鿋-灯G¸匱矝©YS)3 + values: + - iAgdu918eA + - Vh + - Ay + matchLabels: + 73TP8W: pyVmznhs + qk4vn9ey: Zo338 + r15l: msN3 + namespaces: + - yd6ggcat + topologyKey: 6ASZY + weight: 897890087 + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: yVR + operator: e + matchLabels: + 0JR7: "" + 7h: tsaIv + zJUMBFb: 73VNvB2hGIG + matchLabelKeys: + - "" + - F6e + mismatchLabelKeys: + - pQx3050 + - 48sjiLtK1OX + namespaceSelector: + matchExpressions: + - key: G0S2x + operator: 舥$Ƴ諺襔`Č詊Ù佱i^ + matchLabels: + KiIaV: 9VV + namespaces: + - "" + - wqDGw + - X8fMvo + topologyKey: PQ + weight: -234450005 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: y95Eu + operator: 鎲鼳C羝 + values: + - rVqdBdT + - VS + - key: hcv + operator: lɏɘ顷k§4uĭ_Ǩ + values: + - oOC + - GcSQ7eMK + matchLabels: + bhI1zyBLWzjf: zMQO + iEDKDYY: "1" + matchLabelKeys: + - wc + - CQ + namespaceSelector: + matchExpressions: + - key: dXMvM0 + operator: '#欚@Khú4腠?炼DC' + values: + - "" + - P7LAsv + - key: T3JJIOe0 + operator: wƞ鱽用 + matchLabels: + WR1yFB: 1p8kbHuc + hvXw: Q + namespaces: + - r + - G83y0Rb + topologyKey: MG + weight: -1355438616 + - podAffinityTerm: + labelSelector: + matchLabels: + ng: k4 + y07PoU: lAmDC + matchLabelKeys: + - vXtdl9TKf + - w + - 5ne5 + namespaceSelector: + matchExpressions: + - key: S + operator: ȥśĭ醝U + values: + - E4 + - key: uAocj4wN + operator: żǞŃȢDǩ彇馥或 + values: + - QT + namespaces: + - vDbd + - bBdeHkb + - 2qHmj6f8r20 + topologyKey: "" + weight: 1121806715 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: Q + operator: ĶÖ}鏀襹*貳ɇɱ + values: + - IhHh9y + - Twz + - "" + - key: wA + operator: ǘ焓緉ķĐƞ橝许椕NŬ + values: + - zH + - key: kNVTA5c5 + operator: 磰À弰¥ + matchLabels: + 3HCFedhUu: m3REU6b5 + matchLabelKeys: + - MAmo + - QMqy5uJI + - "" + mismatchLabelKeys: + - s0qo8x + namespaceSelector: + matchExpressions: + - key: wI1MBZM + operator: '&3帐箮WƑ擙Ǜƻ{®ǩ靡Ý羷觕ʛ' + values: + - 74aJ + - PJyXLgY + - XHNS8s4 + - key: aA0AN3t + operator: 旓樮ʉs鬞ǵù + values: + - SgO7 + - key: 4R + operator: p3尐\ + values: + - IB + namespaces: + - 0lYJ + - 2D + - zoo + topologyKey: qeuhMV5b + podAntiAffinity: + custom: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: 20PY3f + operator: 茟踹 + - key: ASopYP + operator: Ȭ + - key: 3ABJJ + operator: ʀ嵜瑎WR裛寋嚊韍Ȉ瑷谾ʇXɂƵ掸踷 + values: + - vN9Qn + - KTrN + matchLabels: + FEtqF1P: da9Y6HCr + TaC8ul: lKZj7JT + nKtu: 0dAf + matchLabelKeys: + - jWp + mismatchLabelKeys: + - 8ghGuz0Zts + - 2W + namespaceSelector: + matchExpressions: + - key: uQ + operator: Fȭ0 + values: + - EZNyEqasw + - nh + - 7mUbUIiNekjf + - key: 8m0i9Gw + operator: 誠öT%=%专O螆挪uv敁 + values: + - "" + - chJrkkoa9 + - XpOAIuKt1 + namespaces: + - 11BBEfT + - B9Yw + - mMPq + topologyKey: gUcmhv4Wymn + - labelSelector: + matchExpressions: + - key: jr + operator: 萺L(Š鼁嶵謝鿹犈=ŗB粦ú纑 + values: + - qV9 + - N3wxU + - gGa + matchLabels: + 5LE6Fz: ihjmXy + 8O: WL9 + matchLabelKeys: + - LF4 + - Iw5KCY + mismatchLabelKeys: + - Yj + namespaceSelector: + matchLabels: + 4g: CWx + RpPK4ak3: 5APfgG0 + namespaces: + - zlH1Ayq + - iN5A0H + - gHs0AD6 + topologyKey: ROQ5F + topologyKey: pxtZlO5o + type: yt + weight: -1822679559 + priorityClassName: E6rwXY + progressDeadlineSeconds: -1761307563 + readinessProbe: + exec: + command: + - F1Ji + failureThreshold: 1393918041 + grpc: + port: -402186756 + service: weWQs7z + httpGet: + host: W7 + path: "1" + port: -2008006258 + scheme: ƗǺƑȹƱ哮黰"bZ + initialDelaySeconds: -1529972341 + periodSeconds: 1791885136 + successThreshold: -1003238871 + terminationGracePeriodSeconds: -6904279593611975807 + timeoutSeconds: 516179111 + restartPolicy: tAȍ_祴珗ƨŐ飔矜ƧŸȺ8Ù凿吱 + revisionHistoryLimit: -1377004535 + schedulerName: k + securityContext: + fsGroup: -8943063634632832728 + fsGroupChangePolicy: 樜3g罡Sɺ:礁j + runAsGroup: -8183677367766309518 + runAsNonRoot: false + runAsUser: 6257019186377025309 + supplementalGroups: + - 6349796974429449397 + - -6495960424240767705 + sysctls: + - name: tNzNhbs + value: Li + - name: xw + value: wQYd + - name: rijilGaE1rE + value: O1VB + strategy: + type: qVm + terminationGracePeriodSeconds: -340872360 + tolerations: + - effect: 旽ǷȬƱĬɔH辂W'ʩ菽懝 + key: NRzfhGYG1Y + operator: 皏棵FɁÈ棿X + tolerationSeconds: 4658882017834992565 + value: Lu + - effect: "~" + key: k + operator: 垫 + tolerationSeconds: -950306177981439209 + value: j2wtF4uhca + topologySpreadConstraints: + - maxSkew: -1481065440 + topologyKey: SER + whenUnsatisfiable: 5L7rrGecd + updateStrategy: + type: 9C8ybQ +fullnameOverride: vRXgQsUzl3 +imagePullSecrets: +- name: d18 +logging: + level: Y0gfv +monitoring: + annotations: + Hr: 7uW + gZeic8h0Pp: C9ox + ggG9V: 0HgD + enabled: false + namespaceSelector: + matchNames: + - twAaqe5jt + scrapeInterval: -2278442h2m26.413746462s +nameOverride: 03U7 +service: + annotations: + 5bK2xe: ZRy + name: "87" + ports: + - name: yMA8tJxHo + port: -582141187 + - name: "9" + port: 830415771 +serviceAccount: + annotations: + 4XITA7: dwhbdLpr + G6zvz: "" + create: false + name: 1J +storage: + volume: + - name: QbE11Wi + - name: 5p + volumeMounts: + - mountPath: FMieal + mountPropagation: q睢1Êb2y"ğJĢ + name: GRAaf7 + readOnly: true + subPath: Wvz + subPathExpr: K4St + - mountPath: E6 + mountPropagation: 2`| + name: yu + subPath: 1Qyv + subPathExpr: lq + - mountPath: "9" + mountPropagation: J仅<Ⱦù觏牨¼Ǐ蒜,J偛l挨 + name: CkWy + subPath: 1YtfYCwcHU3 + subPathExpr: xUIPjXS +test: + create: true +tolerations: +- effect: 鮻 + key: TnWM + operator: 6yĢ置ǟȶų(ʌ寵Ůu诀. + tolerationSeconds: -4327555826581044156 + value: zsh6p +-- case-038 -- +auth: + sasl: + enabled: false + mechanism: r6Ew + secretRef: feyz + userName: p3MeX +connectors: + additionalConfiguration: eFqd + bootstrapServers: vF9T9o1K + brokerTLS: + ca: + secretNameOverwrite: nvP + secretRef: 4cOI2 + cert: + secretNameOverwrite: ZAZH + secretRef: pa6XYq09 + enabled: true + key: + secretNameOverwrite: JTIF7f + secretRef: wFZhDXH + groupID: NgUalZU70 + producerBatchSize: -1494749189 + producerLingerMS: 1372991769 + restPort: 436787525 + schemaRegistryURL: c + secretManager: + connectorsPrefix: Ed + consolePrefix: 8bUfufKV + enabled: false + region: GdY5AF + storage: + remote: + read: + config: true + offset: true + status: true + write: + config: true + offset: true + status: false + replicationFactor: + config: -1726135850 + offset: -1194630723 + status: 1047213359 + topic: + config: 5ipmMylSvvfF + offset: UVjBc + status: 5plTTvTKV +container: + javaGCLogEnabled: jIw1 + resources: + javaMaxHeapSize: "0" + limits: + cpu: "0" + memory: "0" + request: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: false +deployment: + annotations: + Wk: JaAXs + ku: f3BwiPJdI9MX + budget: + maxUnavailable: -683730360 + create: false + extraEnvFrom: + - configMapRef: + name: xM0JJY + optional: true + prefix: MdrcdYg + secretRef: + name: md9h + optional: false + livenessProbe: + exec: + command: + - wskd + - qt9q0 + failureThreshold: -2043749481 + grpc: + port: -1703450062 + service: TBMlp + httpGet: + host: RHQg3u + path: bi2McNI + port: 2127214512 + scheme: D4¿@駉也òV雕7徑篍衾 + initialDelaySeconds: 1969882690 + periodSeconds: 412101592 + successThreshold: 1426526420 + terminationGracePeriodSeconds: 2990769791924451128 + timeoutSeconds: -65595943 + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: KmRBa + operator: ʯ惱ȷQ墨閙榈Ř欋觗 + - key: A9jxPVS + operator: ux$ + values: + - dxNjKzWbRnUM + - eXHweVWL2Pz2OY + - WV2g + - key: HNX + operator: 檯嫋R躞ĝ螩 + values: + - Rn8TX3 + matchFields: + - key: 5T5Xer2S + operator: 帯斢桁įē=搞 + values: + - J1c4aNW + - kBL + - key: kWlWYP + operator: 砱鸾ʦrO³ʬǬÒ銘`陶V + values: + - 8rj + - tRn1g + - JNMw + - key: FcK + operator: ÐDŨDř术ÛÅ謮¿錔qʃƾ + values: + - yX + - x8Y + - matchExpressions: + - key: 8H + operator: Ȥ肌 + values: + - p0ggz + - piU + - key: puh + operator: ',鑍' + values: + - iDpZ6XA1 + - FUhQ0R + - oT1raqx + - key: qevYLhMPR + operator: Wx鏅L;Ɏ擔qƑ鐿.Xʩ鍌檓ř1(柌 + values: + - RpnGZEk + - "" + nodeSelector: + "": "y" + 6Dk: 2fxwA + podAffinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: teMRu2T + operator: Ɲʪ·8çƋǴ肊N|蒚Ɲ啉yìɧ扶I + values: + - Bd + - "" + - key: qrADH + operator: 讉eĚ翫ÜU郂g乖ljơ絣謧帮:$棎m + matchFields: + - key: "3" + operator: 簆L叅nǜ欕巅 + weight: -1648909491 + - preference: + matchExpressions: + - key: 2Q6H + operator: 棞犺櫗dž媇僤Ȝ橴$荌 + values: + - n2zWd + - key: iv + operator: gƦ甗ì + values: + - "Y" + - HkyZzJUQa + weight: 1775867956 + - preference: + matchFields: + - key: 3Km + operator: Ƥ + values: + - HdpB + - FFce4C + - key: DDfe3Br + operator: ǣ@澳轒 + weight: -1363992583 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: nOZtJ6 + operator: 臭ƞ亁ǃzzŘGc`ţ憝魃軠÷柆踗dz+ + values: + - 1lsA + - key: NitAsm + operator: ʛ凃ď + values: + - qXRXHjOFv + - gKZECIIQ3 + - key: i + operator: '[蹦ɑ邺絡6y罝ȘƋȆ皼殸pȲDz' + values: + - 8JPcGR + - XX + - UjJ + matchFields: + - key: evL + operator: 籬愡 + values: + - a + - key: "6" + operator: ZƾPȢu实ƯƊ讅 + - matchExpressions: + - key: "1" + operator: 2苺Œzʀ)%ŭ姀FĢȿ蹨İÎ锨lj螙 + values: + - zmAKL + - YwUOGPS + - key: SH + operator: 饓緔箈* + - matchFields: + - key: B0p + operator: 榫!Ż«rE弬摢 + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: OcA0Nz + operator: ƒ卺ɞ塼{ťD4櫡ĆGɐåÑHK + values: + - oGEU4xtS + - jIQQO + - "" + - key: vgsCex + operator: cü鏚.Ʀ)ǿcʕ賏狔D{ + values: + - XX13 + - key: KJfwWv9 + operator: ëe + matchLabels: + ntGxX7: se + sE2: Tm9 + matchLabelKeys: + - gHCbAaW + namespaceSelector: + matchExpressions: + - key: m24 + operator: '>Ⱥɴ燝ǭ蹞ƥ捅ƾ' + values: + - ThKy + matchLabels: + 1C: K6xD + mmCBd9: "" + namespaces: + - EiJj + topologyKey: MB7Ffl17s + weight: 849538477 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 7swY + operator: A鉅圁ƫŊq羹m簷 + - key: d6SeWSh + operator: 5rʮǦƎ + values: + - dm1R + - key: d + operator: '}u§kɒ改滘ɹ磆' + values: + - 41yZvs7 + - cfQ + matchLabels: + "Y": SHn4 + k: v04 + qdVWBKTq: D8 + matchLabelKeys: + - xdJ1 + - Efbwu + - GoWrIvE + namespaceSelector: + matchExpressions: + - key: RBmbA0 + operator: Wɋ痒Ɣ诖×濹綕ŠA湹8ŭ9&Ȱ镤糣E + - key: 3AYh0S4PFUGFT1Q4 + operator: 俾粶e喎鷗bFŹ + values: + - BXmjN + - "" + - X + - key: Rw + operator: 赖鏰 + values: + - lsr9z45 + namespaces: + - Le + - QR0YVKV7 + topologyKey: Pdl + weight: -1148243505 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: IXPMNZa + operator: 杆Ų奧 + values: + - 46KgE6 + matchLabels: + KiDaIrgAdj2i6: WUooNk + S1BO: aC32zkEY + ggqE: "" + matchLabelKeys: + - nmwrQ + - l0EMEawrM + - yIo3pm + namespaceSelector: + matchExpressions: + - key: pp + operator: 襊Țj槟瓼帪ȴʨĈ¶ijH + values: + - hW + matchLabels: + y6: D4hcq4 + namespaces: + - "" + - fe + - 6mdE + topologyKey: MO8Zrjss + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: K4dO7 + operator: XgƔ6 + values: + - dedFsXyHQrV6 + - "" + - qIv + namespaceSelector: + matchExpressions: + - key: Ok + operator: ȝ.fƛ審 + values: + - IltM + - VM + - IQ + namespaces: + - XQ3u + - Z + topologyKey: 8EBdM6LA + weight: 619790919 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: ZM + operator: To圄K岫崐ɳ紩舀氦 + values: + - ef + - 5NXS + - wHs + - key: Wz7hwea + operator: Už4Yg柹蘫ȏ凂;3u- + values: + - S8CKq + - IELC + - 4LfAe9mU21nt3m + - key: nDk7 + operator: Wy仏蚐uĨƞ + values: + - 9pI + mismatchLabelKeys: + - NWO5gU2td + - EWcIg6zintP5M + - Cylo0 + namespaceSelector: + matchLabels: + qTAJ0Ku: Kl0 + namespaces: + - 5JQb + topologyKey: rf4Nr + weight: 425635824 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: vUAgkTO + operator: ^y醷 + values: + - Zkmn + - ALk + - key: ny + operator: 鞨[į郞Ƞʩʓ雈ßŧ嗹^Ċʌʋ烫Ơ + values: + - QI0nu16ho17 + - IHyQuhB9gR + - key: Ztr4LMZo1hL6 + operator: ô籞bü歃ɃGǡ監麧ɈFŌ- + values: + - 2UpYa + - CScTi6 + matchLabels: + TTB0NFAm0: Txb5 + sb7CDUXLD9ga: JHh565 + zAWL: xg9JgA0 + matchLabelKeys: + - "" + - kzCaeoA + mismatchLabelKeys: + - RBz + - uIX + namespaceSelector: + matchLabels: + 7bE: BVKqBxuluopC + namespaces: + - Oj9 + topologyKey: ZX4zl + weight: 160846374 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: HH7 + operator: 緳{ƚ盧âĭ湻3÷:频:7 + values: + - gy + - Vsq + - HSl + - key: sy + operator: ƭǂʉ篸ē穯;ū戋茮酖 + values: + - qCr + - key: 5RI + operator: 涓ɨƚ攁ʋ + values: + - fIJ9 + - znCw + - ew + matchLabels: + 8wxwIB8: 5dR44Q + i6JV: nwXAFeaqSfd91 + mismatchLabelKeys: + - vxwL + - nG9S9I + - pODo + namespaceSelector: + matchExpressions: + - key: mRWuukKFvy + operator: 蛴!:Ć"ɀm¯es獞ĜŚ + values: + - hm3mu5Yy0VB + - 2f0GpZ + matchLabels: + YTpqtey0x: ktPRo + ilti14: wvhcYqTCtrQ + namespaces: + - wLUE + topologyKey: FQ + - labelSelector: + matchExpressions: + - key: Hkoj6F95em + operator: 亿懿0ʙ5Ǣ譨ŷQ + values: + - K + - k4 + - key: "n" + operator: ș郏 + values: + - AU + - 1n0T1IC + matchLabels: + XmZ: 7x + matchLabelKeys: + - ObyO + - "" + mismatchLabelKeys: + - Z1ZPMR1Zt5 + namespaceSelector: + matchExpressions: + - key: ry + operator: ~水ē鎙tj¤禬萃fÒà + values: + - l0Kd3 + matchLabels: + 5j: m8Pm + h1kue6nt: M56ZcLx + xq: "" + topologyKey: 8u1rls3h + - labelSelector: + matchExpressions: + - key: G3 + operator: 櫛Ƞ,=畾 + values: + - U3q4 + - kmv4 + - G1psh + - key: "" + operator: F宗3溜0ȺL + values: + - ZA0 + - 9qmizMS + - fTsusd7wkK0msJD + matchLabels: + N7Ngf: ya + mismatchLabelKeys: + - cgHDLS + - pZfnA + namespaceSelector: + matchExpressions: + - key: Lj3nK + operator: 墜踮vXǡMʉ1ďž熍琾竽Þ醇Ąũ + values: + - Itf + - TI6n + matchLabels: + O2XhtOAcnc: 6PW1x + matchLabelKeys: + - 59yp76ky6 + - S0trr + - G57 + namespaceSelector: + matchExpressions: + - key: oMZ + operator: 蜤 + matchLabels: + MZXascOLD: S + namespaces: + - IIhvh + - 8U + topologyKey: TQy8B4r8b + topologyKey: xuo5iwF + type: xMymP + weight: -1034622956 + priorityClassName: mUbO1P2 + progressDeadlineSeconds: -1221802348 + readinessProbe: + exec: {} + failureThreshold: 316564184 + grpc: + port: -28967743 + service: RteTOOJppyrxjp + httpGet: + host: KoK + path: i + port: 1238653747 + scheme: 蜛Ϥ餕 + initialDelaySeconds: -678114858 + periodSeconds: -1932943963 + successThreshold: -1295008485 + terminationGracePeriodSeconds: -3458096367496475490 + timeoutSeconds: 1251310237 + restartPolicy: 刊ǵ椉Ž5荭¶@Ǻ + revisionHistoryLimit: 1248617462 + schedulerName: NtMcVkr + securityContext: + fsGroup: -7790002735836358939 + fsGroupChangePolicy: '猰tą3圇épțU串ɭ惟璼ʜ ' + runAsGroup: 7078321909676639038 + runAsNonRoot: true + runAsUser: -3795473018051875448 + sysctls: + - name: 4bbbOThlM9 + value: OeQ + - name: KzYDmoPm + value: RQkJ4 + - name: gSEB + value: fCw + strategy: + type: qsB + terminationGracePeriodSeconds: 1536232091 + tolerations: + - key: Kme1g + operator: 鸋傚脨ʌȰę,缶 + tolerationSeconds: 9185074187324502073 + value: HP1mcWeehE + updateStrategy: + type: EMvj5gD +fullnameOverride: jio8f +logging: + level: A9j +monitoring: + annotations: + B4Q2a: VlA + WnWMB0U1lR9: ZFtiwVrCZ + gukX6: JE + enabled: false + labels: + HK92: SBAJug3 + namespaceSelector: + any: true + matchNames: + - knSJx6Z + - L0F + - zfWi9TED7ybZ5 + scrapeInterval: 2546609h10m30.192081859s +nameOverride: mn +service: + name: El70 +serviceAccount: + annotations: + UCvD: zlN0tsbA + create: true + name: ZkHM +storage: + volume: + - name: PQgVp5UAKMh + - name: m + - name: "" +test: + create: true +tolerations: +- effect: egɕ=1粊憎Ț$òɎ噸庤ɯ + key: do9aqZLTZ6HKm + operator: ÚǘDz姦éy便 + tolerationSeconds: -8194188728085215250 + value: kaktY +- effect: Ŷ)営雲 + key: LUyN34n + operator: ȲxȖÊǢʓȦ孻 + tolerationSeconds: 8850115598563487459 + value: au +- effect: ʄę媚醌1酙1驏ȴʦXœć + key: I9iCfca + operator: ~贙k閷Ɉ_蜦硺楚Ir廜匳&ğ-5Ō + tolerationSeconds: 5427922333042530071 + value: 2KaG3k +-- case-040 -- +auth: + sasl: + enabled: false + mechanism: eXWm9 + secretRef: M4pqhD32D + userName: KF7Nnx +commonLabels: + 4bQpba: iVh + "n": "" +connectors: + additionalConfiguration: qvMttAMx + bootstrapServers: LRTyIJY + brokerTLS: + ca: + secretNameOverwrite: rRP + secretRef: E + cert: + secretNameOverwrite: peG + secretRef: P5mPIj + enabled: false + key: + secretNameOverwrite: Tbz + secretRef: mBxPtYNUs + groupID: br + producerBatchSize: -2033745427 + producerLingerMS: -1500250091 + restPort: -1022927047 + schemaRegistryURL: cL1M + secretManager: + connectorsPrefix: cS + consolePrefix: J4nFaA + enabled: false + region: REh2 + storage: + remote: + read: + config: false + offset: false + status: true + write: + config: true + offset: true + status: false + replicationFactor: + config: -1386973481 + offset: -1418511808 + status: -748221252 + topic: + config: 9Qtxti + offset: H + status: BP +container: + javaGCLogEnabled: QXA6zua + resources: + javaMaxHeapSize: "0" + limits: + cpu: "0" + memory: "0" + request: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: false +deployment: + annotations: + 6WNO: UvMxPC + ItkfXr: HoRGq + OqfY9eu: U + budget: + maxUnavailable: 175031450 + create: true + extraEnv: + - name: pwJ0I3ZEUK7 + value: aaFCEfM + valueFrom: + configMapKeyRef: + key: DXmjvM9 + name: JYBPb + optional: false + fieldRef: + apiVersion: 9fI + fieldPath: 90keHRVll + resourceFieldRef: + containerName: rBYEwmI + divisor: "0" + resource: Sn9Gkn + secretKeyRef: + key: T3YsImGDrshtv + name: w + optional: false + livenessProbe: + exec: + command: + - f + failureThreshold: 285554662 + grpc: + port: -2014863639 + service: vhVVIzVohs + httpGet: + path: vvG1 + port: "9" + scheme: 阖ŅxĦ鍾?翽 + initialDelaySeconds: 620513520 + periodSeconds: -983699293 + successThreshold: 537883135 + terminationGracePeriodSeconds: -6388371474898008574 + timeoutSeconds: 843588973 + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: 19IV1NC + operator: ȃ}CĚ蟡ɨvǢȺ + values: + - "" + matchFields: + - key: xl + operator: VĦɓ洽Ă滕煂 + values: + - jreFryn + weight: 1586123299 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + nodeSelector: + ne: QT3mjpm7B + podAffinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchFields: + - key: lCaMS + operator: 膳ƶHʭ暍鮊ŏŕǶp9繒Ȍ鐦M~ŲT + values: + - vWH + - i9bXTrq + - key: 9i + operator: ħ}楆$滚 + - key: 7Cy + operator: 曀螱ʞp茟{骺嘅共鞥x逈¢ƣ' + weight: -116851189 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + Z1tWVGm: e7EmPW + Z3d: 5iGMNPlYG + matchLabelKeys: + - xbzQW + - xgW + - cQ2cTvDEvI + mismatchLabelKeys: + - yLsV + - 3ywbXylVu + - WUm9vGoqT1xY + namespaceSelector: + matchExpressions: + - key: "6" + operator: Q晦ŅǒƂȇ + values: + - ka1gnhq + - 7F + - DeX0 + - key: YoH7Cwsbl + operator: 恴j$'%P嘇 + values: + - "" + - FgHmtv7Dv + matchLabels: + E: q3RqGm + VFHD: l5 + namespaces: + - JDVu + - Jp + - sgN + topologyKey: 0Y30wF + - labelSelector: + matchExpressions: + - key: jMaH + operator: 侢ǻ蹒-Vmɓɛ廏潂譈ƤR + - key: 9B9oc51 + operator: 靏Q|g&ʂ覂 + - key: r + operator: "" + values: + - Pi + matchLabels: + RWbEj: G + matchLabelKeys: + - GQ6u + - DoezHg + - VucamL + mismatchLabelKeys: + - DZV8i + - Q5w4 + - GIR + namespaceSelector: + matchExpressions: + - key: pH + operator: Q袼ʆµ禔q + values: + - "" + - key: q47oWCI + operator: ǖ櫗ã諚框郓ǧy(M橠Ⱥȗ紶Ġ?镏{Ĺ + matchLabels: + XC9g: X9vW + ay7: HDfiZS + hk: oZm0oN + namespaces: + - 099SbHnMR + - D83JPVR + topologyKey: egq2DL + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: DiR + operator: Ɠ;苖,ɳȓ麛H[qʗcȟ.&齧į_Ȥ + matchLabelKeys: + - A35AJ5Fx + mismatchLabelKeys: + - jq4 + namespaceSelector: + matchExpressions: + - key: 618BPJ + operator: 揇õ亏暍WƳ`繥zjĞ已ǧɤ + values: + - Sd + namespaces: + - w3CMzZV + - 4YrTjo + topologyKey: RQOw + weight: -2037086478 + - podAffinityTerm: + labelSelector: {} + matchLabelKeys: + - z4roLehGIu + mismatchLabelKeys: + - iPnBzD + - we5NI + namespaceSelector: + matchExpressions: + - key: QNrHklC + operator: 鬫崤駂懄鐻君x8ʇ潩ɥžTE¬*Sɹ + values: + - MJ + matchLabels: + M8: T + namespaces: + - msRwtqnkMck + topologyKey: rCJ1sQw + weight: -1311337064 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: Yh25gQp + operator: "" + matchLabels: + MH9S: W39vSzna + U7ph0fJ: U + Wfisq: tp + matchLabelKeys: + - hUEM + - bwGbM3B + - 7qA3sIzD + namespaceSelector: + matchExpressions: + - key: Y6zd + operator: IWţ>ɖǮ嵑Q姝銄嶅躣ĸTʡ煛妪)ǻ + values: + - RYq + - key: XE6b + operator: 獘琬DGí麮煙U8ɴ揅懌À圪y齁Z. + values: + - tg5RzsV33R + - njO + - gwxHfV + - key: kUf + operator: z`牸,尿圗薷ɱ暞Üɫ驛Ɯ + values: + - N3 + - "" + matchLabels: + UPANoyszO3: DqKx + namespaces: + - q + - T + - RntZN + topologyKey: A6n8rjlMHwlgliat + podAntiAffinity: + custom: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: aSxOcR + operator: _齯嫉Ħ + - key: AZePAX + operator: wɦ 蓋ʏ炚ȚǐĂfzŵ嫊Ǵǡe釕 + values: + - llnNm + - mksz + - rhSgv + - key: jmu0L6njnJ + operator: Àčťt§ƚʎ莽5謹W胱V嫻ŠMİ啫7 + values: + - MA6 + - xyGSDP + - wykiW + matchLabels: + "": geXhh7JgW + BPr4JUbf: T + c: P2G + matchLabelKeys: + - bIlVRSd + - LxbTkE1 + mismatchLabelKeys: + - 5CJ + - Q1 + namespaceSelector: + matchExpressions: + - key: MHL + operator: O败 + values: + - 6HK + - key: TlK + operator: «V念VáƂ>糸猠-滜 + values: + - aAqd + - DU2IY + - 8TmjiCQPB + - key: J + operator: 泛İɉGȜȻ豦岫ƎŚd檯Ɏq + values: + - JWMWurN + - ist + matchLabels: + IyOEuM9iLPf0m: 2M3Oz + topologyKey: 5FMo + weight: -1885128402 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: cx + operator: KȵG[呖ǸbřǾ:5Z峕鱒 + values: + - cb1gAuU + - 5SR + - key: VhMrp + operator: 枇ā癣#u兂ʘ°ï]ł鋃Ȁ÷|锕+UɎ + matchLabels: + 1w: GVqua + VTVC: "N" + zJs2: 8J0rkyK + matchLabelKeys: + - eD8nG + mismatchLabelKeys: + - VBc + - Ps61 + namespaceSelector: + matchExpressions: + - key: c + operator: WVQ殰ȃ邵ʧ壤Ȃ餝HW稙癑0婝/苤ʝ + values: + - Wo9PeYtzAH4 + - Pd6 + - key: LKb + operator: iwU籇Ǜ螜撉ɦ緓 + values: + - hfFaR + - SYO + - key: jaWpOQ + operator: 葅輴ʤuş馀ťUpƟƨB頎b軖+ + values: + - S + matchLabels: + 0rs2: 6U624Rs + Jm9: qw5 + UXkt0l: Nnny + namespaces: + - pp6 + - PpD43UPH + - yGyzDnb + topologyKey: dOQt + weight: 2027685501 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: FQ + operator: Ě$唵ljs忼ƍ崛ǦA羣捌偾粳Hu銐狣 + values: + - cjD + - key: p4ovi + operator: 厌`(茮ǰ厅ì瞐Za髭幟 + values: + - N9uzrid + matchLabels: + Aj: SkF5 + WSdwL: "70" + namespaceSelector: + matchExpressions: + - key: VnuF + operator: WXç缅紷&goc忷ĕ瀸 + values: + - o + - key: 6blyAM + operator: 菹ƚ摎枵NJ + - key: Pk8z6pc5 + operator: mǁŦ歃Ǽ + values: + - 1YIsb + - fOGtzStos4e + matchLabels: + cNN: k + tH7VC: "" + namespaces: + - hWILh + - "" + topologyKey: 6dn + weight: -670386716 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: ffMQ7m2 + operator: 鴮爫ƞP{j伮浸軠ɭ[PȖQɓ尼M + - key: RTdpF + operator: ; + - key: IHf + operator: "" + matchLabels: + EVhEM: ni9keKo + mismatchLabelKeys: + - 4MUn + namespaceSelector: + matchExpressions: + - key: EkFrl5BBSn8NItyWV + operator: ./c + values: + - "" + - XHbe + - bn0Ln0gKL + - key: Uah + operator: Ʈ6枪伛泿VMĪƍTƤæL櫾ț酞 + values: + - OUjy + - QBmPfr + - mA1eXp8C + matchLabels: + tJ: dZ6 + topologyKey: KpySEIcfuNz + - labelSelector: + matchExpressions: + - key: wA5FZmh + operator: ?V謳抑鼺挑ǥ冺刎 + values: + - 3LYczXN9xVC + - key: S1 + operator: 7nc埊獳ŌR椾&?sʙß(ú + values: + - Tz2Vt + - "Y" + - kpC + - key: Jw + operator: .|?ȏǣv{M沪/ + values: + - AGyJ + - c1CKs5 + - "" + matchLabels: + Rp: iHT + matchLabelKeys: + - o4R + - JIi9IrD + - 7pRw + mismatchLabelKeys: + - Nnk + - 951ew + - DP + namespaceSelector: + matchExpressions: + - key: 7BmzMWwSRU + operator: 儰秘# + values: + - "" + matchLabels: + G5mmHJKQ: H5MG + namespaces: + - ACoFip + topologyKey: HuYKSfDqKssl + topologyKey: e0F8oLDkCTd + type: WlI + weight: -2036050375 + priorityClassName: gSQWfwbf + progressDeadlineSeconds: 570610379 + readinessProbe: + exec: + command: + - jSxwiEDOrw + - 0Dcuuj + - H + failureThreshold: -473671565 + grpc: + port: 2072344414 + service: Tb + httpGet: + host: OSJEX + path: C + port: n136psopLQ + scheme: ɢ糺sªǟ驲gɶUʩč02跡Ť苚2 + initialDelaySeconds: -2130499066 + periodSeconds: -39801992 + successThreshold: -1693089511 + terminationGracePeriodSeconds: 289625866324453619 + timeoutSeconds: -1707372527 + restartPolicy: °č + revisionHistoryLimit: 1380150017 + schedulerName: O26H + securityContext: + fsGroup: 7015643872446876 + fsGroupChangePolicy: 烳=~沽侣X + runAsGroup: -3630702614293936724 + runAsNonRoot: true + runAsUser: 4388805261963142582 + supplementalGroups: + - -7755253763247302204 + - -3310400039802531810 + - 2051254341870837963 + sysctls: + - name: 7UwNr + value: tkn + - name: nGm + value: V + - name: KhS + value: jbpUUVGjT + strategy: + type: 7Mz64 + terminationGracePeriodSeconds: -1194184480 + tolerations: + - effect: 曶ámɶ役ōœE顾坳4Ńɟ蒷Ǚó + key: 3u + operator: 卭ƺ?o + tolerationSeconds: 701640152884990149 + value: N1ekj + - effect: '[ȝ伨]鸲Z;ʞ9阏' + key: 6jmY + operator: n骯Ǩ + tolerationSeconds: 6874204552685767957 + value: saUOHQxkY9 + topologySpreadConstraints: + - maxSkew: 1898212660 + topologyKey: Ovevl + whenUnsatisfiable: PFGhR + updateStrategy: + type: KdJp +fullnameOverride: NCw6T6UcQY +imagePullSecrets: +- name: u +- name: 13J +- name: q9t1lU0k +logging: + level: Tb +monitoring: + annotations: + eZHJsIIV4Rky: Pk + enabled: true + labels: + n5El: sDg0twGSFjIgP + namespaceSelector: + any: true + scrapeInterval: 239636h9m22.788738258s +nameOverride: 4iNcef5 +service: + annotations: + LG: ZJQw2J8u + g: 0z9gQt4Yj + name: KxK + ports: + - name: 61dR + port: 9129423 + - name: p0D + port: 1391241101 + - name: 0MZ6s8 + port: 708219631 +serviceAccount: + annotations: + "": s + 6aAoyzS: BVK + SV0dnqH: Rk + create: true + name: FKhGHe3aO +storage: + volume: + - name: kXFFnM +test: + create: false +tolerations: +- effect: 錨 + key: MlBJ + operator: 菛垜 + tolerationSeconds: 8052990160895509636 + value: DUs0Wq9 +- effect: 鸯¨ŭ.6罘逢YĊCK蕛ʭ姪 + key: Iz26 + operator: ',F鐖烁喷' + tolerationSeconds: -4458555514794455537 + value: 32m +-- case-041 -- +auth: + sasl: + enabled: true + mechanism: I9OZ + secretRef: 2h + userName: BxNfJ +commonLabels: + AwT: yIHdj1wxg + Lr: zYUtd + eP0gw: ZlmzgOXE +connectors: + additionalConfiguration: "9" + bootstrapServers: jts02PD + brokerTLS: + ca: + secretNameOverwrite: i + secretRef: zmW + cert: + secretNameOverwrite: TU4R4tW0Nd + secretRef: G485 + enabled: false + key: + secretNameOverwrite: hDX + secretRef: dQ5 + groupID: KfcZtgISe + producerBatchSize: 1953552561 + producerLingerMS: 540861319 + restPort: -1621274024 + schemaRegistryURL: Esqu + secretManager: + connectorsPrefix: FwZ + consolePrefix: "" + enabled: false + region: e + storage: + remote: + read: + config: true + offset: true + status: true + write: + config: false + offset: false + status: true + replicationFactor: + config: 1120929712 + offset: -1861439076 + status: -1718786575 + topic: + config: n4 + offset: V + status: fLR +container: + javaGCLogEnabled: cjZh + resources: + javaMaxHeapSize: "0" + limits: + cpu: "0" + memory: "0" + request: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: false +deployment: + budget: + maxUnavailable: 440511891 + create: true + extraEnv: + - name: WRSeLSQyxsq + value: 0xespo + valueFrom: + configMapKeyRef: + key: gsjkH + name: hjYCF8i3u + optional: false + fieldRef: + apiVersion: ilis2lH + fieldPath: slhYb + resourceFieldRef: + containerName: ufey2VJTCmS + divisor: "0" + resource: "" + secretKeyRef: + key: nR + name: GKz3 + optional: false + - name: ic + value: N8MdK + valueFrom: + configMapKeyRef: + key: 1QJrX + name: LxK + optional: false + fieldRef: + apiVersion: 0z + fieldPath: UgaSLG1n + resourceFieldRef: + containerName: i + divisor: "0" + resource: "4" + secretKeyRef: + key: "2" + name: ZCqRHp + optional: true + - name: 2TZr + value: P1UUXZH9 + valueFrom: + configMapKeyRef: + key: wgHcFon6xI + name: 6aZcc + optional: false + fieldRef: + apiVersion: dt8 + fieldPath: THGVGMQc + resourceFieldRef: + containerName: Ml + divisor: "0" + resource: tSc + secretKeyRef: + key: L2StNK + name: Qhiy + optional: false + extraEnvFrom: + - configMapRef: + name: "8" + optional: false + prefix: Z3pv + secretRef: + name: c + optional: false + - configMapRef: + name: O3v + optional: false + prefix: eXtX5G3zTnAr + secretRef: + name: FU1b + optional: true + - configMapRef: + name: cLEurajaTv1 + optional: false + prefix: YX + secretRef: + optional: false + livenessProbe: + exec: + command: + - 9lV + failureThreshold: 724202040 + grpc: + port: -1896907397 + service: 1WWZMqI + httpGet: + host: 44PUVI + path: b6Qps + port: 0Hvh0 + scheme: 陙+霒ȁ + initialDelaySeconds: 1171548340 + periodSeconds: 1136904972 + successThreshold: 1663228806 + terminationGracePeriodSeconds: 1596899246031282013 + timeoutSeconds: 1255816268 + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: poCuXUDdP + operator: 3m脄Lj伭ĸ_ȢV!fĩ聿粵昫Ȼ_Ȁ + values: + - bGZy + - key: mxZi7 + operator: 噴姷ʃƸUl>" 噸Lj#ǖHǑv + values: + - vBoyb + - 2VHyI + - key: T + operator: 汜!NJ + podAffinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: nLpF + operator: pʭ:DkƚȗP´紽= + weight: -2090871760 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + P: cLp + R11HacB3: 9RqZ + a58: An2 + matchLabelKeys: + - 0O + - gUHbxc0r + - oVpvDVeeBt + mismatchLabelKeys: + - Wv9b + - ZMrNSw + namespaceSelector: + matchExpressions: + - key: TxV + operator: 暌枀R櫇杭 + matchLabels: + "": 1zdSdekKNMM + Cvc9SWB: ayTsVhL + R3BCuM: D2nQvdp + namespaces: + - 86sX + - mS0MBJIxjuB + - uz + topologyKey: a3E + weight: 1708458023 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: QyM + operator: ñ謵g鄜Ǫ莀ś震帑X + values: + - HfAl + matchLabels: + P: TC3 + fThGsVJlo: "" + p6OA8NR: YqzS + mismatchLabelKeys: + - i8o + - SjkWvAG + namespaceSelector: + matchExpressions: + - key: LNn0eU + operator: ƻěµ揁ȟɤ桢Ɛ>绿M\»?Ʉ烐= + values: + - aNRS + - L1NpnUi92 + - key: A + operator: ȀE俫囇Ð鑒Ŕɕj揿J4 ƜƕȔ顠Z + - key: Lol + operator: 鋑祏¤m{\w'潐揥 + matchLabels: + "": eWRv + wRe: 9IuckN + topologyKey: 0D4 + weight: 2119475842 + - podAffinityTerm: + labelSelector: {} + namespaceSelector: + matchExpressions: + - key: AjGs + operator: (R瀳拊ǥit豁菻粸 + - key: b3nRH + operator: ćȹK圎盎I鼆呫痼 + values: + - Dom + - RQMg52 + - BcBODCwowaWn + matchLabels: + NMMTJCj: UsPDH + ip: baDNC39iM + rDr: p + namespaces: + - Byn5KSoK71 + - vF + topologyKey: Yw + weight: 1950258213 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: 3qpdG + operator: c4-ÖS杺束1d煵ȩ簂嶎倖骄Ɍ$#Z + values: + - "3" + - key: L + operator: 耦V@­繙ť烗荝Dž @顕>Ĺm葍(B + values: + - ADR + matchLabels: + Ks6: 4H + crEfPdZ: M5mH + wWc0: w + matchLabelKeys: + - y0gl0w + - nuOpg5 + - Ro1eMA + mismatchLabelKeys: + - ohqF + namespaceSelector: + matchExpressions: + - key: "" + operator: 乻ũ鳅ǸƹņƜ茀ǹm歸ǃǧ殯WqW + values: + - c6wHwn4V + - bnabZlF + matchLabels: + CNJ9it: Pdp + namespaces: + - 6P + topologyKey: mws + - labelSelector: + matchExpressions: + - key: FM + operator: '{欲齜L!ƅnji!T菞ɜc珡坹|' + values: + - 5hjp + - key: OXfaexE + operator: H桄鲩§ſ/cUKG廾cLǾ瘃崚 + values: + - X9rSbDb + - key: Po94eM + operator: ®餑鑱崾歀驽 + values: + - ZaHXvJdaV + - JUq1 + - eR6 + matchLabels: + 9AR: ImAe77 + mismatchLabelKeys: + - DB2GXoYzO + namespaceSelector: + matchExpressions: + - key: scq + operator: 樰mǼ + - key: XPlg + operator: 抷½鉞H膑愭 ē + values: + - Zcqeo + - "" + - RrYuQZzQ + - key: X8GK + operator: ǧŷ + values: + - Oo2Rf + matchLabels: + anEo53b: yblBZcNB + ymCkjK6fCfH: 5k5uIkVNy + namespaces: + - dThUvgS + - p2ts + - eS56TMUxGp + topologyKey: TEvh + topologyKey: cW + type: "" + weight: 1923787359 + priorityClassName: AO + progressDeadlineSeconds: 1079618075 + readinessProbe: + exec: + command: + - Rb + - RI + - "" + failureThreshold: -1131780392 + grpc: + port: -599447137 + service: cq7 + httpGet: + host: SsaWorg + path: UpplF + port: 516047544 + scheme: 牋Ƙ榊 + initialDelaySeconds: 1799248585 + periodSeconds: 373984687 + successThreshold: -1503317917 + terminationGracePeriodSeconds: -7669958782954712463 + timeoutSeconds: 266568456 + restartPolicy: Õ験蘺Sg怰S²蜵-Ǿ笭ī庩X圂蓦5< + revisionHistoryLimit: 485115195 + schedulerName: MF3RwzBCk + securityContext: + fsGroup: -3871220937207142458 + fsGroupChangePolicy: Y蹐\¢倅J趚i転 + runAsGroup: -8140185145867863431 + runAsNonRoot: true + runAsUser: 1443110212215096345 + supplementalGroups: + - 4202411183995629949 + - 9074875661218953213 + - 3682145535007526084 + sysctls: + - name: a9wm1 + value: V48LpVsGVpu + strategy: + type: z1MRV5BXaS20 + terminationGracePeriodSeconds: 1526850382 + tolerations: + - effect: k積Lj + key: YsgfsWrB + operator: Žʚ8鋤縅÷ʪ镲 + tolerationSeconds: 8712200771279582343 + value: 0BC0Sc1 + - effect: a + key: pWUIfI + operator: ā5NƑ鬜牣^,儕髬ǖ藍 ŠɯǦ + tolerationSeconds: 7946113276490164519 + value: lsKkYhoC + - effect: 燀芜/ƶ@犩ɫƭ紱刃飚dēW帠 + key: VQfdy + operator: 腼ʮǬĴǠɬ + tolerationSeconds: -8924157374760987206 + value: UlBiper + topologySpreadConstraints: + - maxSkew: -623096425 + topologyKey: fFI6B + whenUnsatisfiable: PdDm + updateStrategy: + type: Hm36839yLnm +fullnameOverride: AqjekuF +imagePullSecrets: +- name: JeYmHo +logging: + level: fhSGoGeOVO +monitoring: + annotations: + 7gh5s: YcQQPJlU + W2IS: vZNG + bcuaxtS8Sj: F8QJd4 + enabled: false + labels: + CHV: zTXw0 + f: xv + i7b: 5Icwid + namespaceSelector: + any: true + matchNames: + - yTNHdgcpfYS + - 7ezGBhn1FJ + scrapeInterval: 1305701h8m48.166311732s +nameOverride: Ur +service: + annotations: + Z2dqRWb: FmF + name: bjGFkzr + ports: + - name: PoEHOjF + port: -510390395 + - name: DH7c + port: 369451694 +serviceAccount: + annotations: + j5DbR: "" + create: false + name: 1LIGRd6z +storage: + volume: + - name: JoBYh + - name: 4s31 +test: + create: false +-- case-042 -- +auth: + sasl: + enabled: true + mechanism: N6 + secretRef: zV + userName: ksTD03R +commonLabels: + 0F3sU: SaJRcWm + GUF2flpqQUL: KKAcWWY5 + NIiGBL37: eCFaXQGs +connectors: + additionalConfiguration: VHWNn7cM + bootstrapServers: Cufj + brokerTLS: + ca: + secretNameOverwrite: 6CC2 + secretRef: ahw + cert: + secretNameOverwrite: pCPJclf + secretRef: XynCs + enabled: false + key: + secretNameOverwrite: c2jX1p + secretRef: 4JoKw + groupID: 3QzOolf5 + producerBatchSize: -227006427 + producerLingerMS: 282669617 + restPort: -1489153770 + schemaRegistryURL: 0NFMF6Sql + secretManager: + connectorsPrefix: XkmA + consolePrefix: uOHBYjCeV + enabled: true + region: HAnfg7IX + storage: + remote: + read: + config: false + offset: false + status: false + write: + config: true + offset: false + status: true + replicationFactor: + config: -948402977 + offset: -529217276 + status: -1552614518 + topic: + config: P + offset: It + status: wF +container: + javaGCLogEnabled: "" + resources: + javaMaxHeapSize: "0" + limits: + cpu: "0" + memory: "0" + request: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: false +deployment: + budget: + maxUnavailable: 1629881483 + create: false + extraEnv: + - name: Fif + value: 3tSkpD + valueFrom: + configMapKeyRef: + key: REro1Fq + name: L9wKUwjKABNYV + optional: false + fieldRef: + apiVersion: Jpb2 + fieldPath: 8UAa6RrFC + resourceFieldRef: + divisor: "0" + resource: 54CvEvHC + secretKeyRef: + key: F + name: cByAdOH + optional: false + extraEnvFrom: + - configMapRef: + name: YcRcIU + optional: false + prefix: kBHfd8qG + secretRef: + name: qYDGh8F + optional: true + - configMapRef: + name: RqArRvKcx + optional: false + prefix: Nk + secretRef: + name: o66DF3e + optional: false + - configMapRef: + name: FAcAyd6s + optional: true + prefix: 6MjNWd + secretRef: + name: 8B + optional: false + livenessProbe: + exec: + command: + - RyaDt95rbS + - xB48 + failureThreshold: 784891686 + grpc: + port: 390551496 + service: fVkZ + httpGet: + host: rIuzFin + path: NGsJoEcvH + port: BMI + scheme: '{銧澅ŗ妪ɑ鱄Xŋɘ@癳:­g' + initialDelaySeconds: -1933904380 + periodSeconds: 276259650 + successThreshold: 2046548753 + terminationGracePeriodSeconds: -6638478800684614739 + timeoutSeconds: 1573691516 + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: WdCi3K + operator: K愉獝8ʊ_-DŽ + values: + - z + - a8fo2i + - jFI + matchFields: + - key: A + operator: ǪŊe>?啚竈鹿蜩-¿ʒ + values: + - LO1mpxYfL + - key: Izo + operator: -Ù=粆貘ʼnɟph + values: + - HXsf + - i8G + - key: VTyRD + operator: ɸ + values: + - WPVh + - 0tmIEB4c + - matchFields: + - key: oohVNIkSc + operator: ǎ8鸗襋ãƋ[ + values: + - k5ac + - Rqt1Oi + - ccc + - key: Jb9lgJhH + operator: Vjʁy笊# + values: + - Kkpi + - jTlWbv5UPrD + - matchFields: + - key: Rg + operator: 洂{Ŋ秗AƵė蕸ʚʨT³遫< + values: + - zZDzBsm + podAffinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: 0PWrKZSAA8EIc + operator: Hʯ匎)1G蹩Ð趦Ȃ禽Ų{ǘÒƶżn\ + values: + - fXOr + - 7U1Ics + - "" + - key: STfde + operator: 銲 + values: + - 29Vn + - wNjqS + weight: 741986916 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + NhiZwhBuO: h5IvAFqx + matchLabelKeys: + - hSkqAMLm + - PQ3KCpn + mismatchLabelKeys: + - Vyc + - 57y + - LdH + namespaceSelector: + matchExpressions: + - key: I8 + operator: 猊ɑÒ昍ő游 + - key: LD0xPi + operator: 掯6Ȓ骁 + - key: sqVE6U + operator: ɧǓR麐H`&驯苨镪覕ɚWʁ繊5 + values: + - UC + - p + matchLabels: + 7XjD: kIxut + F2tD: m6 + Z: 9fj + namespaces: + - Epk + topologyKey: K2kmRJbaS + weight: -1127986578 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: HAxkB + operator: 'w ' + values: + - Rbl + matchLabels: + hlZgiLqv: "" + mbw: qzC2I + mismatchLabelKeys: + - h9W + namespaceSelector: + matchExpressions: + - key: RsAXrqlW7 + operator: f+医屨Ȫfƣʥõ巻隒ȱ繗镗}琸ƪ + values: + - xpQj + namespaces: + - Z + - fL86 + - yjWwvzz3HL + topologyKey: ReSGOlVKW + weight: 1976075077 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: PVC + operator: '}霬变滑铒;ȝPõ割ņɥ' + values: + - hH + - SyoM + - key: wEUm4 + operator: O>垽Xk*Ȟ + values: + - LP7TxsN + - yA0qMiZhntz + - key: z5ej + operator: 叶濯šŀ瞺Dj撂Ü$鬉 + values: + - "3" + - SayBRwXjLss + matchLabels: + kryupfr: "N" + mismatchLabelKeys: + - 7v58Aijbbzr + - 5Td + - "" + namespaceSelector: + matchExpressions: + - key: NPR + operator: ĆŽPǶǣǜ,t鍋特,簬 + values: + - Echt + - S2zBVD + matchLabels: + b5m: JCUgN4 + namespaces: + - 5tFo + - ROQBeEaCa + topologyKey: "" + - labelSelector: + matchExpressions: + - key: H0 + operator: GƇbǼuȌx舺®茳Ǣ憻°r鯗 + values: + - 2pWjFL + - Pd + - key: iF395JQy + operator: 翭薯³e觙窒_e{kĘ + values: + - ElB9TE + matchLabels: + arlQ1: 5Ji3V + cfD527SUZXN: B95nY + npPKK3n: jQ2Nk + matchLabelKeys: + - fZh6WLiv + mismatchLabelKeys: + - jmBW33O + - vczPF99 + namespaceSelector: + matchExpressions: + - key: "" + operator: $^.鼖顧誑>:×兾 + values: + - 33sh + - MkhT + - aceo88Nxvo + matchLabels: + IMizQHA: m + fbOw: Et79k + t: 4BlF + namespaces: + - "" + topologyKey: j + - labelSelector: + matchExpressions: + - key: DBm + operator: 6<Ɠƍ柵ƹK鷨Žů胞朱 + - key: EW + operator: Ȼȇ϶綎渗DzȜȕC庮辞ɔ + values: + - bkmB + - lH + matchLabels: + "8": vrm + F: 9LRR + G: Qknw + matchLabelKeys: + - XDBVVJD + mismatchLabelKeys: + - k1vdw + - JHcKRmh + - YBaCax + namespaceSelector: + matchExpressions: + - key: hRX + operator: ɡÐbïſ佖蘑播譽h3`Ƀ騅\尲- + values: + - 9xi4 + - QwOFfbmV + - key: bcA + operator: _%ó=©~ÈƦ>Ä礜 + values: + - typiPHsA2 + - tR52 + matchLabels: + "": Jtgef4L + topologyKey: sKnzsZj + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + Ng12: "0" + QyudSu: tsRA5y + VN9G: l + matchLabelKeys: + - K + mismatchLabelKeys: + - KRP2 + - eII2WRDSD + - irPHaS + namespaceSelector: + matchExpressions: + - key: TKoBwC + operator: ʧʋ騊鸦)ĮeUðVXI鍵Ǵ + values: + - mLxI0Wg + - Mzb0A1w + - tvF + matchLabels: + OkqFT: fweHH + Z9p: ubKfGhvxM + xNNR: ZJOxMl + topologyKey: uooEh1P + weight: 1385222265 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 02mz3TF + operator: Uë帴Ƙºb顛Î< + matchLabels: + 6GGA: pc6WNhW + nApBYzP: DYF4RQ + w: d + matchLabelKeys: + - pHV + - QHr + mismatchLabelKeys: + - vyygwe + - x + - yjf + namespaceSelector: + matchExpressions: + - key: CVbZ4UXGJU + operator: d虌|芈 + values: + - X + - CQOoQv4J + - baPs + - key: 9CRLLSg + operator: 灈选/塄Jª佨5漍Ĩ鑐+婨$斕«圪Ɯ + values: + - TOZk6JD + - key: R9NR + operator: ú-ZƗ餦ĵ跇:ō擱饍 + values: + - NCPg + matchLabels: + "": I3WuOi1b2 + oo: jY0oqR + namespaces: + - Tqrc6Ze2N + - cwqJG8fEZ + - Enix + topologyKey: G + weight: -1520224775 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: Ycp3KvRGz + operator: ɪ惐ʕ漲竹虣pȤ= + values: + - 2UO + - 6M + - HxThxOi2V + - key: o592O0 + operator: Į~Ȩɇ煢贯嗼 + values: + - DoHIEpQDxot + - CHQTeD + - key: 2u8kQT + operator: ʃ + matchLabels: + 1yzAgQmi: ksb6DdF + matchLabelKeys: + - cHo96 + - kuHW + namespaceSelector: + matchExpressions: + - key: u4 + operator: 懌V炠劭迈țġ + values: + - k9FIUOj + - J + - key: uwMyy2qYx6hy + operator: h/ÆƴɆ腿F聈 + values: + - uei + - key: sswBKfF4e + operator: 牍Ǖ啳ɸ碟l鞢=叠喜ī=Ų齣墛靰Ô + values: + - R9KxFV + - Voq6Z + namespaces: + - qywMPFgqR + topologyKey: 4bTD + weight: 607381810 + podAntiAffinity: + custom: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: SFS4n + operator: \喆Zơ穿蹇膣憮 + values: + - 7XfjCE9 + - key: 1qwRrI + operator: Ǹ8\棧係 + values: + - EftX4 + - key: GJO + operator: ɮ件ǚ謮Ǿ佄 + values: + - ZPiBXBh + matchLabelKeys: + - U + - NYI + mismatchLabelKeys: + - RPvU + - tsP + - UTI + namespaceSelector: + matchExpressions: + - key: ZAM + operator: 3¿ťM彅 + values: + - DMm3F4GI + matchLabels: + KS6no: xRO + Ljsiegm: JJhji + tpre: EKt + namespaces: + - KceYF6pL + - "" + - I3c9p9ndODqy5 + topologyKey: x + weight: -453783752 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: "" + operator: 柨2½vq舀髼齔Í蠔 + values: + - "" + - 89A2 + - vu + mismatchLabelKeys: + - uj + - 9DS4IruvqS + - 5hiI + namespaceSelector: + matchLabels: + a: 5oM + kfAKrh: i + o3XC: Lmn + namespaces: + - O + - wzhuV + topologyKey: bJsgWL + weight: 811646551 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: Ks + operator: 钷ǀʝ + - key: GA + operator: :ĕū温槑蹥Ʃ + values: + - x5h0N + - xs + matchLabels: + 2R: 0uO + 6lkH: 9mu + k4L4vQRyl: bER4lJ + matchLabelKeys: + - cPXNS + - U6 + mismatchLabelKeys: + - xUdn + - HmU + - tnS2Jk + namespaceSelector: + matchExpressions: + - key: HmYpl + operator: p恾TȽCú瀺i4LĎƀɎƉ7A{Ț + - key: CwHHd + operator: 讥磖厒槡c7\ɞ晧懊 + key: b + operator: ĸ傜郠Ĩ沲INJ5ȴW离Úǣ' + tolerationSeconds: -4016572537968724845 + value: wLj4YcHC7E + updateStrategy: + type: 6P2B5DOkpdaY +fullnameOverride: GhHS +imagePullSecrets: +- name: KKI2K +- name: t5qixoHm +logging: + level: MkT53E +monitoring: + annotations: + kSsMHYkP: hdg + enabled: false + labels: + "": rbJDO + 3qrEiU: On6nePI + c: aQavQj9 + namespaceSelector: + matchNames: + - Pp + scrapeInterval: -1405670h6m56.58808485s +nameOverride: s9WyH2Y +service: + annotations: + fzz: CLoaDJm9w + rryVp: TZ + name: 8Tb8k + ports: + - name: GYfGwLr + port: -1114107001 +serviceAccount: + create: true + name: w +storage: + volume: + - name: aWdnfP53 + - name: 88Qdn0Y +test: + create: true +tolerations: +- effect: y寫ÃY=ÿ勓霌猆7訚篹 + operator: 秹yƂj + tolerationSeconds: -808124645233925629 + value: MEkdJx +- effect: 阔ɛHĠP灃oN伎Dz遽ų + key: KSBOWC + tolerationSeconds: -2431873710746455413 + value: A1eQM +-- case-043 -- +auth: + sasl: + enabled: false + mechanism: gsR + secretRef: PIWVDNSJ5h2 + userName: Nb +commonLabels: + Mv: hvvf9ur + aWpK: fy05 + xYCcuP: zC +connectors: + additionalConfiguration: d9YXDim9 + bootstrapServers: r + brokerTLS: + ca: + secretNameOverwrite: 3ULc + secretRef: db + cert: + secretNameOverwrite: xB + secretRef: u + enabled: true + key: + secretNameOverwrite: Lof + secretRef: Nm + groupID: tAHp058 + producerBatchSize: 326061542 + producerLingerMS: -812360105 + restPort: 2118887935 + schemaRegistryURL: QoRmKviP + secretManager: + connectorsPrefix: CrfpXnLE + consolePrefix: O5i8fAPb + enabled: true + region: HMVvAZ + storage: + remote: + read: + config: true + offset: true + status: true + write: + config: false + offset: true + status: true + replicationFactor: + config: 814601878 + offset: -486723389 + status: -28524957 + topic: + config: 5fJu + offset: TD4L69vOIK + status: O4GNLUy0b +container: + javaGCLogEnabled: JgX + resources: + javaMaxHeapSize: "0" + limits: + cpu: "0" + memory: "0" + request: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: true +deployment: + budget: + maxUnavailable: 275053237 + create: false + extraEnv: + - name: Kf3T + value: A + valueFrom: + configMapKeyRef: + key: y58L3y2j + name: 935KHbGnvvRU + optional: false + fieldRef: + apiVersion: d3KFOU + fieldPath: 7L6 + resourceFieldRef: + containerName: t2Zr + divisor: "0" + resource: 6Vma1 + secretKeyRef: + key: "4" + name: wRw9G65Ia + optional: false + - name: x5pHL7nk + value: BqVjA6 + valueFrom: + configMapKeyRef: + key: Qz + name: Tv5Yk + optional: false + fieldRef: + apiVersion: Cwp2TnKc + fieldPath: phqwy + resourceFieldRef: + containerName: IRPmIS + divisor: "0" + resource: T2b4IkoE + secretKeyRef: + key: 49QU9 + name: VJexY9PvmE + optional: true + extraEnvFrom: + - configMapRef: + optional: false + prefix: ZX0G + secretRef: + name: 7d8 + optional: true + livenessProbe: + exec: + command: + - JTuvS30g + failureThreshold: -1640702378 + grpc: + port: 967836932 + service: DHJo2M + httpGet: + host: tSNAs + path: oumIal + port: 1497455731 + scheme: 敜毑穏羋4Ć徸塍灶广 + initialDelaySeconds: 580277422 + periodSeconds: 1352858518 + successThreshold: -288162847 + terminationGracePeriodSeconds: -3550736034833886440 + timeoutSeconds: 1134857368 + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: 9l + operator: /脀夻粀ǁT繐窲ɋ譎Yʫ蓶¶ɐ­ + values: + - ilYoM + - KRlxfBr + - pkOnwv + - key: JPeTO00 + operator: EƱ遂øɗHi檁襡Ǥ姾踖VyǤǃ錂枴 + values: + - EKHBGGOr + - key: 97Edg + operator: Ȫ + values: + - S1s7J7oI + - Vxj7AJSI + matchFields: + - key: DDK41B9 + operator: 崦 + values: + - YI1ISW + weight: 684587648 + - preference: + matchExpressions: + - key: DJA7gLPH + operator: Əuya¬Dz鸓-毗 + values: + - Q61pLQH + matchFields: + - key: sjT + operator: 璠ɩ髓ƺ + values: + - Y7p + - S09Ii5EB + - "" + - key: b + operator: '*ŃƤÒ軿觳DŽż蠪' + weight: 346231665 + - preference: + matchExpressions: + - key: Nr3PF + operator: 劶ǽ + values: + - 5cD + - 3nxp5qH + matchFields: + - key: xEJEaTIM0JIYQ + operator: '@熹`)k殣 ' + values: + - K + weight: 1016822803 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: "" + operator: ɐ裔x艥滦Hł¯軋Ǚǰ!荦Ŭƫ踼)肩朦 + values: + - VTc + - key: nuazd + operator: 檋魋ç厸m/ʜ + values: + - FgRAHGQAPP + - key: Qmku + operator: 遢ǪůLJ鷳莵瞸永荅Rɤ悌 + - matchExpressions: + - key: EkoeuAS9eFK + operator: "" + values: + - SZW + - 5G5EtcG + - key: lIcNlSIO6YTW + operator: B駽qçǐ鵊`w鏬鐜^釵c#î嚩Èa + - key: 9I0A + operator: 'h駨瞾蠪檾ʌ2Ǔ細Ɲe ' + values: + - 2zd + - GigtgQi + matchFields: + - key: QpMXTyA + operator: 昐 + - matchExpressions: + - key: tb84 + operator: :ëKȂ鐛顟÷!) + values: + - Fv + - AGwpAxy2 + - key: 2JS2BTg + operator: ɝư_ļX溢嵦ʞɥȢ橲ƅ(ç3Ȟƭ徔 + - key: 2dM + operator: 儗羇d肜ɢ鲵ɑ\毊ɤ嫱邁珧Ș + values: + - hcjpSwjiNZb2he + - i7r + matchFields: + - key: Z4 + operator: 2'§ + values: + - pipyk5ygBGjgjjb + nodeSelector: + 1ckyXyf: Cif + podAffinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: 72I + operator: .O厪> + values: + - qy + - key: qDkN + operator: 腽R雀Ȓ镚ȋŦ彼仵ƨ碦Q挪iń兟Ƨɷ + values: + - IFT + - FB + - ZV + - key: Hik4 + operator: 烳=氂ť珈臼帑淬nwȻHÖ鮑7 + values: + - 5qz + weight: -1431971269 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: Q + operator: ɦĐƠì>Z2Ɂ-撅 + values: + - Hggu8 + - wfTW27ko + - gdO + - key: PgRx5hRr + operator: "" + matchFields: + - key: 91PYj0Wim + operator: p紃x岜|鄊ǖ眜殼"Ü洹過eY尺 + - matchExpressions: + - key: jvmYjph + operator: ǘH)2ǧŀɸU# + values: + - HkV7 + - o + - key: kbIqE7D + operator: '"Eât`ʃ進癹''0皭Ģ鶰' + - key: CXgvWZ0 + operator: Ċ舞°u箸g ƀ姲Ƹ= + values: + - 4e1oZk + - 0N3m9UO + - r2Nc2 + matchFields: + - key: kUSBT + operator: Ȧ弒祩冕毾聒Ăwv譧势H + values: + - Mtfk + - ThywTd + - pTxY9Z + - key: ty + operator: .ɐN鎁ɜ=ɯ憎2Y!}% + values: + - a4o + - O20 + - gfU + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: gTv61 + operator: '[徵<»ȕDZŖȿ钶蘐潿ɠ菙鈣ƦO' + matchLabels: + GNi1: XTv3 + agO1: rNYRcx + matchLabelKeys: + - q + - "" + - 4u + mismatchLabelKeys: + - E28Dz + namespaceSelector: + matchExpressions: + - key: 0j + operator: 凵TU啜Ŋ螢馹ʍſ + values: + - rRA51 + - igqVL3dl + - cMQsgEymY + - key: 2gObxnA9 + operator: .埑9±Ľ + values: + - 7xXJ3 + - b5YaQ6 + - WISJEcAF + - key: bwy + operator: ȼ殦ʬR颥Ǭʌa鴸&ąFjɚ` + values: + - w6clsK + - bjYH + matchLabels: + TY0: bhwBS + u9trttO: lGYO8h + namespaces: + - qn + - BYd2 + - kmeXHHG + topologyKey: 1Ft72IT + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: Yi + operator: '"' + values: + - k3wctb + matchLabels: + IUEo7: Wvj4K + VZH: s1lVwq7 + matchLabelKeys: + - pVo0yd + - tH2 + namespaceSelector: + matchLabels: + TW0C: fKUjlPkN5 + cpGUpaXo: xC3 + giVV: oOcx4 + namespaces: + - kaYiZrU + - Mx5F + - ty + topologyKey: 7cL + weight: -796426395 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: 4IQ + operator: ~炷ŀ邛嵪ó5F墪ȍ驇揷A§ƚf{>ȹ + values: + - "" + - GpsIXxXhAo9 + - qs + - key: La + operator: n;憂莰 囒GȋhȆ熨e鑜Jƫ + - key: 8BkIi + operator: '}ȴ藆¨ʄk鵢ʡm' + values: + - U + - FDzLXdzU + mismatchLabelKeys: + - A2CjGC8H + - c + - IYWbM + namespaceSelector: + matchLabels: + LnrpS9obyu: 1n + wKRnL: "" + topologyKey: njqm3p7G + - labelSelector: + matchExpressions: + - key: CG + operator: §顲º + values: + - "" + - 41vsmSfIvpw + - yyVdBOWqYG3JK + - key: imA + operator: µ欤!k;壁ƶ + values: + - D2tGL + - "N" + - IzBvfEz + matchLabels: + L1: Y5MT6 + mismatchLabelKeys: + - gP42KfEC + - ON2I7o + - hYr40 + namespaceSelector: {} + namespaces: + - "6" + - uO2 + - yLgyfiR + topologyKey: zjRcu + - labelSelector: + matchExpressions: + - key: luBI + operator: ʃ>ȲºPũɹ霄F6ʣ­鴙 + values: + - cBmF8 + matchLabels: + 0vH: 9N + 2lClMO: iDGDJsP + Rbm: SV4R0ij0kv + matchLabelKeys: + - tbbRcpcmE + namespaceSelector: + matchExpressions: + - key: elN6 + operator: MȧJǐt + values: + - cfxfv + - W + - "" + matchLabels: + CZ7: KJ1 + hh6xT9iBgnx: 680J7Ww3 + topologyKey: I + podAntiAffinity: + custom: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: "8" + operator: "" + values: + - KM + - lAT + - NN6ch + - key: an9V9F7e + operator: 蒖瞗ƕ3É伿)ƒ売c+HɑHŀ礽{¿K + - key: SbRvHE + operator: ~ú+銃刅ȱ + values: + - S6tzqFt + - zKss3W + - R3XXZp + matchLabelKeys: + - N5 + mismatchLabelKeys: + - Rt8aa + - "" + - NWv + namespaceSelector: + matchLabels: + EX: HZGSzbFGX + QYppQ: jVvw0V + topologyKey: g7HL + topologyKey: FhZosc + type: smnyiuV + weight: -589206663 + priorityClassName: xuvUg + progressDeadlineSeconds: 625787929 + readinessProbe: + exec: + command: + - D6pWcMRx + - f + - WJoWsx + failureThreshold: -1732496585 + grpc: + port: 2008777 + service: EH9aue + httpGet: + host: 27wRHd + path: z5 + port: gBHMh6 + scheme: ŇZ罡î孷Ď凯IJ穮臈g嚄=榓ʄ + initialDelaySeconds: 41316909 + periodSeconds: -1536340211 + successThreshold: -872033350 + terminationGracePeriodSeconds: 755864549545305461 + timeoutSeconds: 641817532 + restartPolicy: 莺N + revisionHistoryLimit: -1523772697 + schedulerName: pAjniqNhZyOs + securityContext: + fsGroup: 4315889566768146013 + fsGroupChangePolicy: 4ŋu攠Įȯʟ%闓諗ɸDž= + runAsGroup: -2570730350940379829 + runAsNonRoot: false + runAsUser: 8876786175168037156 + supplementalGroups: + - 8106893607739023128 + - -3191337886248958794 + - -9161390975044730852 + strategy: + type: t19cLk + terminationGracePeriodSeconds: 955744914 + tolerations: + - effect: 洪 + key: RsZkLxkjJ + operator: N鱕 + tolerationSeconds: -7968213159538961006 + value: x + - effect: 送孺糯{\ȸ!¦d + key: XS + operator: Łʼn抂ôƨQ敊ȈǤ|f揻渪ʫô!iȔ + tolerationSeconds: -6845197254618999245 + value: Lw1e + topologySpreadConstraints: + - maxSkew: -1978515794 + topologyKey: g + whenUnsatisfiable: iC + - maxSkew: -755886947 + topologyKey: AMp0C4H + whenUnsatisfiable: NNjCNE + updateStrategy: + type: jtzm3 +fullnameOverride: DPRe +imagePullSecrets: +- name: iNrm +- name: tXVc4 +- name: 2FI6svfYzUT +logging: + level: xYn +monitoring: + annotations: + k8EzKZ: oXYkaOnH + enabled: true + labels: + 07sPUbsx7a: "4" + namespaceSelector: + any: true + scrapeInterval: -1922855h59m11.982156464s +nameOverride: WdYlcGB +service: + annotations: + 25swrT: LyMk + AgV: 2ZT + LR7E9YY7J: rc + name: L + ports: + - name: "0" + port: 1958832246 +serviceAccount: + annotations: + tUrOJRs: sa + u5pe: o5HFd6E + create: false + name: 2QWHyV8 +storage: + volume: + - name: 6mgHY + - name: aPVxgB + - name: ml + volumeMounts: + - mountPath: YuAZg + mountPropagation: Ŭ鷾/1p[睘6nƴ攝ŝ'Xǯ鍻市 + name: uA5mP95UbWz2DU + readOnly: true + subPath: Rd + subPathExpr: HjiP + - mountPath: I8PeS4vph6 + mountPropagation: ȁ8ǁ + name: "" + subPath: KXRi25s3l + subPathExpr: J2VIP0O + - mountPath: kMp9FbjBpDZFC + mountPropagation: Ƿ + name: h + subPath: D0waN + subPathExpr: uBJAJhe1iu +test: + create: false +tolerations: +- effect: Ȳɯ廝T憎Ľ摛lN&ƫ'ɸwc¢Vh + key: IDKt + operator: 趉 + tolerationSeconds: -769067857200268382 + value: gRii1 +-- case-044 -- +auth: + sasl: + enabled: false + mechanism: LO + secretRef: mhOAME + userName: "n" +connectors: + additionalConfiguration: xypAC + bootstrapServers: AJo + brokerTLS: + ca: + secretNameOverwrite: LZ8 + secretRef: Qd + cert: + secretNameOverwrite: "N" + secretRef: 4Hwd2 + enabled: true + key: + secretNameOverwrite: NGmzeL6Y + secretRef: ak + groupID: S7uyvF + producerBatchSize: 577860685 + producerLingerMS: -1432617314 + restPort: 871084350 + schemaRegistryURL: BMfK + secretManager: + connectorsPrefix: MIv88J + consolePrefix: 5dJ + enabled: true + region: ToqBft85 + storage: + remote: + read: + config: true + offset: true + status: true + write: + config: true + offset: false + status: false + replicationFactor: + config: 1110431616 + offset: -1272331222 + status: 342664574 + topic: + config: MSUfKAm + offset: 1EER + status: d6yOc +container: + javaGCLogEnabled: "2" + resources: + javaMaxHeapSize: "0" + limits: + cpu: "0" + memory: "0" + request: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: true +deployment: + annotations: + e1: EPUL4 + budget: + maxUnavailable: -853711840 + create: true + extraEnv: + - name: Hn + value: RLmuTFKt + valueFrom: + configMapKeyRef: + key: u8iVw + name: l8S7wk + optional: true + fieldRef: + apiVersion: 5q4Wkck9Yhn + fieldPath: e56i1D + resourceFieldRef: + containerName: MP6 + divisor: "0" + resource: W + secretKeyRef: + key: Sow4h93xH + name: tK6mZbO + optional: true + extraEnvFrom: + - configMapRef: + name: 6a + optional: true + prefix: wqO + secretRef: + name: eZxNk + optional: false + livenessProbe: + exec: + command: + - 6AVfWWiU + - gjBVfhPqm87 + failureThreshold: -179099947 + grpc: + port: 2055240519 + service: 85th + httpGet: + host: aY98zm4 + path: qhNVygpz + port: D5cj4qxJ + scheme: 训珙仾ɠ/a]"蒟ɩ蓫nµ@- + initialDelaySeconds: -741511239 + periodSeconds: -301254020 + successThreshold: -1795354231 + terminationGracePeriodSeconds: -1555270337534101901 + timeoutSeconds: 17970381 + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: ggOgs + operator: ʆ=Ǭ + values: + - 6xOHO + weight: 1438312308 + - preference: + matchExpressions: + - key: sVT + operator: Nj溚K$P" + - key: 3i + operator: 状w¿鄏荤džöǹĄ + values: + - hl9dZyPnxN + - C87 + - key: Pt + operator: ʬƴXw/8綷 + values: + - S9I6Qrsfz + matchFields: + - key: Gvnxn3 + operator: â氠喬 + values: + - d + weight: -886172272 + - preference: + matchExpressions: + - key: oy973i + operator: 圅¢璸'ɆʥʚvǴMĴ + values: + - OBP + - "1" + - YNoey99 + - key: Zy0iQotc + operator: +g + values: + - FO1apzD9 + - epCNQ66B + matchFields: + - key: 8nakITBFg + operator: '|ȍ' + values: + - 9z + - RX + - key: "" + operator: Mȃ"ô薱黭夃< + values: + - "" + - C + - YE3 + - key: iZFE5e + operator: nǮ + values: + - LHp7ijJ + weight: 567068826 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: we + operator: ɜP苞崉汊S + values: + - 1zCAp + - DVu + - key: piI + operator: Ǔɽ觩-鸭諣0ʙɮ鈿莳CyJ2 + values: + - 8oy + - HijL4M2 + - key: Xjq + operator: d遢豾9藌NJəBǔ,ɿǸ5Ƶº'芎婑( + values: + - kGBJo + - MpcP0e2Tga + matchFields: + - key: JhC5vQ1U8 + operator: "" + values: + - t + nodeSelector: + m8ypcZn: yD + podAffinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: QqHIF + operator: SČA窚R顒e涜efʩCá盻ɭ峄觘1 + - key: lOM35 + operator: Ljw盫励饇脧 + matchFields: + - key: Xvd + operator: 俍郖=璻Ęb錽Ȫ碄尫ɋ硣!)桂寥 + values: + - qt + - y3U08eS + weight: 2109206004 + - preference: + matchExpressions: + - key: S + operator: ɃƗA尯DɮǪȽʎƥ銐Ǧ + values: + - "46" + - p0eIl + matchFields: + - key: Ih + operator: "" + values: + - tf3 + - yiPSH6Zx + - C + - key: uZ70o + operator: "" + values: + - 4UJb + - oH8P43gtksh + weight: -709859925 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: QTE13xnu + operator: ŝ + values: + - VHR0qG + - MOvO + - tb1sLuv + matchFields: + - key: g + operator: Yʝz_GBDŽ糎腄Z:*秡*kƗ + values: + - tLOJ + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: pwXEKFjBU + operator: "" + - key: feqEDUfP + operator: 慐;姁ƣ憙c蚖J + values: + - TJyZpGt + matchLabels: + B1R: sAy6clnGGjf + mismatchLabelKeys: + - G56 + - 3U + namespaceSelector: + matchExpressions: + - key: Irk + operator: 朩š­ȅ擋fħʎ;脕擿 + values: + - fR + - HI6qMSx + - kKz + namespaces: + - 2Gjzz + - p1ZzhD4REnP + topologyKey: 6Qb + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: yCd1 + operator: "" + values: + - w + - RGxbGQ + - F01lOE + - key: gFNsh + operator: ɢ渖ŕň詌& + values: + - Qf2 + - U9ebth375LF + - key: Eym8DG + operator: 軩榺骧F鑣槙ƹ=懸 + values: + - "" + matchLabelKeys: + - e + - I + - a1moWz + mismatchLabelKeys: + - GB + namespaceSelector: + matchExpressions: + - key: br8ud4ME + operator: _粡垵Ȁu|Ňɾǡ + values: + - IRAa3b + - mJaeH + matchLabels: + QzUL: lBDdFKkr + YCq8PhpxP: pFQirOBS + topologyKey: 9fEh + weight: -1030104992 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: HGoREM + operator: /咹ȱ駧裀 + values: + - afgtBu + - 62p2cohE + - LcvApZ + matchLabelKeys: + - Q + mismatchLabelKeys: + - a6cO + namespaceSelector: + matchExpressions: + - key: n6x6j + operator: ô萿Ɍ昙ʉĄ髪ƭ囯ğĠʏxC萓ɝzjZ + values: + - pFL5xvt + - key: s + operator: Ö祻Ř + values: + - bTZ7C33 + - 7rM4m + matchLabels: + DgZsb: m6XWnS + namespaces: + - yJgfZk + - Yf7For + - XF2ycSW + topologyKey: "4" + weight: -2000314685 + - podAffinityTerm: + labelSelector: {} + mismatchLabelKeys: + - pfRhN + - dtRA + - iTYieI78 + namespaceSelector: + matchLabels: + IF7T: rAjc + mCuB: rL0bjM3 + namespaces: + - b + topologyKey: qb + weight: 507067570 + podAntiAffinity: + custom: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: "1" + operator: rʒ±&Bc'慈棊r9ş噱ȅ + values: + - hTfTJGI + - hCkH6FF2Si + - AZSo18hB + - key: Z6aBXlU + operator: P-ŋLǃGȐ + values: + - UnrL + - 8SKSgIl + - XyUUHq + - key: mX + operator: ȂcǍ*饻蜵yȔ7 + values: + - wZkqm + - 6fK + - bLHwoiWtxS + matchLabels: + wqj3bNcE3: 7PXUv + mismatchLabelKeys: + - 95VHWEv + - oc + - XvcBqP + namespaceSelector: + matchExpressions: + - key: T2L + operator: 悪ȵǠȸR&>S%%­ + values: + - T51z8Xf + namespaces: + - 2akt + - 97MqCK + topologyKey: q + weight: 1571306470 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: AdbAjo + operator: ɠ¡苋H籲Ž蛏LjKHw銮梀 + values: + - UFW + - RzRYQce8u + - iL + matchLabels: + JiS2: 1H8Jf + namespaceSelector: {} + namespaces: + - C8 + - ghqER + topologyKey: utHH + weight: -696696597 + - podAffinityTerm: + labelSelector: + matchLabels: + "": Bbi + eYzf2x: "2" + matchLabelKeys: + - dCIk + - 3Vwvq + - vJu + mismatchLabelKeys: + - a7 + namespaceSelector: + matchExpressions: + - key: drG3i8uijLu + operator: +ȟk崓ȆGƥ + values: + - flTafhZKt + namespaces: + - KXcRu9Rvr + - bf0AY + topologyKey: 6Hp + weight: -1330375242 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: rlde + operator: ŗ嚩魟ʂ洁ʌº騛匱ũ閳Ŵ蕄禱0銜_犢 + values: + - 6J + - key: bI + operator: 哱{謶HKƜ滞彟 錃 + values: + - 2XcglJ8jt + - h6dh + matchLabels: + "": DJ + QbwFkC: rtU + matchLabelKeys: + - Ywe5PNR6 + mismatchLabelKeys: + - oyq + - j + namespaceSelector: + matchExpressions: + - key: AM9Vlx + operator: ɚ瀣 + values: + - YDBHwbSJx11 + matchLabels: + J: aFw + oqgO2J: EQq9cWAp + namespaces: + - fmF1dGO9 + - f2pZ93 + - IUUP + topologyKey: "" + topologyKey: YFCQ + type: Tuxria5udfO0g6l + weight: -612629711 + priorityClassName: u + progressDeadlineSeconds: -1210754760 + readinessProbe: + exec: {} + failureThreshold: 1162556666 + grpc: + port: 1033949401 + service: 0xDhM + httpGet: + host: FFe6 + path: jXYC + port: -1764755290 + scheme: 姕鯼ñ赇邬N[ƥ + initialDelaySeconds: -1796420049 + periodSeconds: 940741811 + successThreshold: 1628971624 + terminationGracePeriodSeconds: 906647697820167459 + timeoutSeconds: -1878581735 + restartPolicy: OL恟´跒ɴ珛姌Ŋ + revisionHistoryLimit: 400792738 + schedulerName: FfnrLnAtn3 + securityContext: + fsGroup: 5186362895627063604 + fsGroupChangePolicy: E甗dbƾ潸 + runAsGroup: 4738220116750422009 + runAsNonRoot: true + runAsUser: 4123601200118601914 + supplementalGroups: + - 5067618254965113558 + - 2922991898118782560 + sysctls: + - name: 1idwf + value: RtGFIRLv + - name: toxsb + value: "" + - name: bC + value: IcMTnt + strategy: + type: AQc + terminationGracePeriodSeconds: 1834992377 + tolerations: + - effect: r"ǘ + key: 7FvMPWDDP + operator: 杍Ɍ + tolerationSeconds: -4685795240412632399 + value: G9czii + topologySpreadConstraints: + - maxSkew: -1990808403 + topologyKey: y1s + whenUnsatisfiable: bxCWoMA + updateStrategy: + type: S6j +fullnameOverride: ZNfeDYT +imagePullSecrets: +- name: HaLjyQ02L +- name: yjimP +- name: 5KCFV6 +logging: + level: p +monitoring: + annotations: + SF8: t7jzDFP + enabled: true + labels: + "3": P + GGM8HrAa: AroHM7WrsoM + namespaceSelector: {} + scrapeInterval: -947976h35m5.865272977s +nameOverride: R64C +service: + annotations: + t7u5eHUdpR: nq6injR + name: L + ports: + - name: 2Pm + port: -597719959 + - name: z + port: -1354836854 +serviceAccount: + create: true + name: c +storage: + volume: + - name: RXJ + - name: JJ +test: + create: false +tolerations: +- effect: /褫ţ\軳銑Ü雷倮Ų婏$ŮƩĚ + key: 5HSJSb6w + operator: 煬3獽渷VUȁM喎_鎼崞PA1廫Á + tolerationSeconds: 5989052173653210891 + value: 02lqbv +- effect: 笶雟襠¼Ⱥc芽"鵙ȓ矎Ş赈Ɓzŭ帆弯 + key: q + tolerationSeconds: -3826318230045492347 + value: 9hOSh +- effect: ă庡泣dƤÇ漰-Čɺ阂垑 + key: Uj + operator: 蓐}à]@ƚʀ0#Ĵ.Ɓ> + tolerationSeconds: -603362735954808522 + value: ONkOq +-- case-045 -- +auth: + sasl: + enabled: true + mechanism: xG0RkV + secretRef: BIwqKvbDzty + userName: QhJxq +commonLabels: + MbBpaa: UzKZX + h52qwPFCCL1xE: q +connectors: + additionalConfiguration: zhdlWU + bootstrapServers: r1Qjuz + brokerTLS: + ca: + secretNameOverwrite: vu5uhRVRV + secretRef: sv4 + cert: + secretNameOverwrite: c + secretRef: NXfOTPmR0 + enabled: false + key: + secretNameOverwrite: xHLx8Dd + secretRef: j674MI8jFC + groupID: "1" + producerBatchSize: -816839187 + producerLingerMS: -182038831 + restPort: 1110004877 + schemaRegistryURL: lpElMB + secretManager: + connectorsPrefix: sN + consolePrefix: a0o9mHxTvK + enabled: true + region: zhGJZW + storage: + remote: + read: + config: true + offset: false + status: true + write: + config: true + offset: false + status: false + replicationFactor: + config: 1812077740 + offset: 1243553126 + status: -829555769 + topic: + config: jwiijthRuB + offset: C53fN + status: JY +container: + javaGCLogEnabled: E + resources: + javaMaxHeapSize: "0" + limits: + cpu: "0" + memory: "0" + request: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: true +deployment: + annotations: + 51a3: g2ULKf + 91y: DbHu4ZZ + E42Z4BCZaV: rYnLAo4y + budget: + maxUnavailable: -1040325689 + create: false + extraEnv: + - name: UPHAx9 + value: QbO4m + valueFrom: + configMapKeyRef: + key: 5Z + name: fIO1tsT4L + optional: true + fieldRef: + apiVersion: k6XVQx1bizA + fieldPath: aDTDwvyQ2EkZlp + resourceFieldRef: + containerName: gARZ4U + divisor: "0" + resource: LnJW0S3driTR + secretKeyRef: + key: t4ZmT + name: fOXC9P + optional: true + extraEnvFrom: + - configMapRef: + name: aNWPY + optional: true + prefix: MuH8ACn + secretRef: + name: JkiHQd + optional: true + - configMapRef: + name: s + optional: true + prefix: v + secretRef: + name: jWW04 + optional: true + livenessProbe: + exec: + command: + - "" + - "" + failureThreshold: -1532177375 + grpc: + port: 130895075 + service: DEDl0lcO + httpGet: + host: men + path: VPV + port: VOrs + scheme: 7id{=崂妐"蘆償ʙ^v疷k` + initialDelaySeconds: -1596982922 + periodSeconds: 56768361 + successThreshold: 592299817 + terminationGracePeriodSeconds: -3570152852783991929 + timeoutSeconds: 841818051 + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: HT + operator: 笔ư -汯糵O, + values: + - W + - wa4yZu8SI + - key: bGRL28 + operator: "" + - matchExpressions: + - key: aczzo + operator: 瞦Ɖ¸ + values: + - NSkH0Tn + - key: BcZ + operator: ȗʪb蒘Ơ + values: + - YPr6 + - irqBr + - c5yp13P + - key: mJl + operator: 穚Z踿> + matchFields: + - key: p2Za + operator: "" + values: + - 2qA + - hUhp4Y + - key: sP5fxY + operator: đʜi芻u(喏eƠ=扑腧ń虮损磎 + values: + - O4 + - key: Ic4jA + operator: '"Ě钄蝼Ş' + values: + - Z + - matchExpressions: + - key: AnlK + operator: 顷媵z貢嵟v埾Ɗzv学ʑ別¼ɷ齕穁漕 + values: + - f + - ggWBzmm + - MhgW + - key: cC + operator: "" + values: + - "y" + - tPa8q + - ZQfr6 + - key: YsiT0s + operator: æ脣ǻ熛&PK$Ė.£'sVq + values: + - 86vjg + - WJVZECB + - Ois6M + matchFields: + - key: 0cMl8NXDE + operator: 8¡尗;鍼WN睧>MȼÙ斴}Xx + values: + - LjHKAAyI + - MBJl + - "" + - key: DLPymz + operator: 僔ʯ煎Q礔 + values: + - k + - dpS5fQi8cuuj + matchLabels: + O71m8d1PjMco: z + RnzP: moJ2 + b8S6njSwAa: u3InH7A + namespaces: + - 5Uf0lBWUp + topologyKey: eVQ4ec + topologyKey: tm + type: "" + weight: -887302512 + priorityClassName: O1Kw + progressDeadlineSeconds: 346316441 + readinessProbe: + exec: + command: + - C1rtCjV + - xVJ + failureThreshold: 264449477 + grpc: + port: -691797345 + service: lcF + httpGet: + host: u + path: O7iQge0AMQ + port: j3 + scheme: 猡9ȹǵ + initialDelaySeconds: -1669763451 + periodSeconds: 977763135 + successThreshold: 1558580703 + terminationGracePeriodSeconds: -6309681110777439769 + timeoutSeconds: -1984487220 + restartPolicy: 鏄纽潘翙i宫ǃŬZI摌嚶S媏§Ŵ + revisionHistoryLimit: -1788607261 + schedulerName: F8EoeT + securityContext: + fsGroup: 6765195282399752912 + fsGroupChangePolicy: ɹ緟/xZ}纨SŖ奝杆ü詁Sij徖 + runAsGroup: -5644369168799206336 + runAsNonRoot: true + runAsUser: 7294021627851308883 + supplementalGroups: + - 8068234294449949843 + sysctls: + - name: mf + value: r9jQF6Qmf + - name: lTWR1RE8VW + value: qgy + strategy: + type: rtCVvHc + terminationGracePeriodSeconds: -1972969881 + topologySpreadConstraints: + - maxSkew: -532646137 + topologyKey: jF + whenUnsatisfiable: MyH6gO2 + - maxSkew: -1392634033 + topologyKey: tu7J2 + whenUnsatisfiable: QyTBF + updateStrategy: + type: A5hk +fullnameOverride: uLr8eH +imagePullSecrets: +- name: 4E +- name: 4lLe +- name: OsAOb +logging: + level: kR +monitoring: + annotations: + ADPu3ozSd: q + IirIQ: nU4N + z1: CMu8InAI + enabled: true + namespaceSelector: + any: true + matchNames: + - UCZpu + scrapeInterval: -2400738h41m36.27693474s +nameOverride: 8UJFy +service: + annotations: + H8XRE: XmuXsN + name: 58KMN + ports: + - name: 7oEiI3 + port: -1730203461 + - name: pxPCPLymcj + port: 1857328046 +serviceAccount: + create: true + name: Vk +storage: + volume: + - name: wYHcQRdOs + - name: "" + - name: ttvGMzWGLl + volumeMounts: + - mountPath: dIJTWQIJ + mountPropagation: 摢闟2喟搩 + name: uTG + readOnly: true + subPath: L + subPathExpr: tp +test: + create: true +tolerations: +- effect: 齼/r3ȕ顉ÏveŌ脜ȹ鋕忼癲h%Ə嚼 + key: 5ik + operator: Ȳ穖ș汥ë¦ʋ/ + tolerationSeconds: -588635388335609407 + value: Nf +- effect: ɠ+ů.ʓr敡¾蔠Õ9琕Ș0ŀũ + key: Rx + operator: v氒>妉Ȇ鼏,ə$Ȑƈ + tolerationSeconds: -4656106895121584518 + value: dYSELiW +-- case-046 -- +auth: + sasl: + enabled: true + mechanism: Q1Z + secretRef: thcka + userName: fnI +connectors: + additionalConfiguration: m2GNF8s7jf + bootstrapServers: D + brokerTLS: + ca: + secretNameOverwrite: SYFFF + secretRef: cz + cert: + secretNameOverwrite: 3XIvjsWLN6 + secretRef: 6sd3d + enabled: true + key: + secretNameOverwrite: T + secretRef: 9JF + groupID: elUuL + producerBatchSize: -1573191506 + producerLingerMS: -770515576 + restPort: -1606573822 + schemaRegistryURL: 7RGVLKX7Aw + secretManager: + connectorsPrefix: gZ + consolePrefix: JVMm3xRzC6L + enabled: true + region: w3xB + storage: + remote: + read: + config: false + offset: true + status: false + write: + config: true + offset: false + status: true + replicationFactor: + config: -258960528 + offset: -2024950872 + status: 861394883 + topic: + config: atuSRuNrckHcf + offset: 1RcFXt + status: 8LlPa +container: + javaGCLogEnabled: lI + resources: + javaMaxHeapSize: "0" + limits: + cpu: "0" + memory: "0" + request: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: false +deployment: + budget: + maxUnavailable: -149051994 + create: false + extraEnv: + - name: WU + value: peR0Ss + valueFrom: + configMapKeyRef: + key: xoj + name: LFu + optional: true + fieldRef: + apiVersion: fu + fieldPath: "" + resourceFieldRef: + containerName: a1O7Y + divisor: "0" + resource: "0" + secretKeyRef: + key: 93J1 + name: 9nuLdu6 + optional: false + - name: Mvin4FAU5 + value: 9a + valueFrom: + configMapKeyRef: + key: LweOD + name: fvKkyzS + optional: true + fieldRef: + apiVersion: epGY + fieldPath: q + resourceFieldRef: + containerName: 6c7Gx + divisor: "0" + resource: Owy + secretKeyRef: + key: E0Zk + name: KZlUt + optional: true + extraEnvFrom: + - configMapRef: + name: mLUxg + optional: true + prefix: g97qu + secretRef: + name: 4QxnP + optional: false + - configMapRef: + name: b0w + optional: true + prefix: J + secretRef: + name: sI801BdyQH + optional: false + - configMapRef: + name: NprLkY + optional: false + prefix: jezpH6a5kO + secretRef: + name: R7Ho + optional: false + livenessProbe: + exec: {} + failureThreshold: 105969409 + grpc: + port: -654227233 + service: BVatgTUI + httpGet: + host: SvQfS9AXrg + path: LfSm + port: -937311468 + scheme: Ųd;踇嗞ȅ¼3纊襶贼Ɔ郼ý渶ƁüȮ + initialDelaySeconds: -638210685 + periodSeconds: 825763830 + successThreshold: 285294064 + terminationGracePeriodSeconds: -6200311383477120435 + timeoutSeconds: 1016755696 + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchFields: + - key: "" + operator: Ƚ|]缴ŋĄƽQ晫喹蘉 + values: + - 1LZaJjl + weight: 2108667665 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: Nv1N + operator: D朵ƁRč + values: + - vmxJB + matchFields: + - key: VQWv + operator: 臋NʤŇ矤ɘęłê'ß²ÝIȸe + values: + - VRLGHJ + - b9wx + - OWO + - key: kwjnJ + operator: '`>ʮ:' + - key: I1 + operator: ß躺^î歾 + - matchExpressions: + - key: 3sC + operator: ɥ飽璫誾 + values: + - "" + - FTiwF + - TZcoXdUX + - key: nXHo + operator: Dĕ风哢 ȫ晎灬c^P堓r]Ñh> + values: + - DJA5PjIE + - key: B6a + operator: ÿF[ gǝ竈霙46蹤ȩt鐱防粽磱ɞ + matchFields: + - key: B0 + operator: 6撙早ƽ"籩O+ÿ±9V瀨谐 + - key: "1" + operator: ĊÔʗ掏芊p裏k癭.ɹ擶bɡ凥 + values: + - yD9RzH1 + - nfvbXbaS + - key: rp4R + operator: c弙ú + values: + - T30OE17 + - cNJe1Vb0y + - matchFields: + - key: 0bnhPvmYY + operator: ā + values: + - ogK1 + - "" + - aC8YOr + - key: ya + operator: 洯 + values: + - o + - NJh + - Dfx9Y + - key: UjdX + operator: mă漚洰綗eɞ噢A:dɱ + values: + - OGzFB1je + - 9v + - eA + nodeSelector: + VX: MKV5ljOmB + qPiO: "" + podAffinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: F + operator: 鰩礄ʗOtĎFdƣÍƅf濆炝史飘 + - key: "" + operator: R8話Ů¾ɻʝÞɻ0Ǝ蕗 + values: + - HA0N0 + - key: o + operator: Ƞʁ蝟峵陭ń搏莨嶐 + matchFields: + - key: 2DQC + operator: ǥ + values: + - oncBIr + - gG + - leEScS + - key: tueth + operator: Aɰ邸ƑeŰ + weight: -2084006794 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: B5t9 + operator: jWuŅ.鵀ĕd眶mw\塠kȒ觤Ȗɯ著 + values: + - YX + matchLabelKeys: + - As + namespaceSelector: + matchLabels: + 9YGQMUgrqH: 5rQRCucN + N2djrnHv: Kt4eVwh + kUhn3: 0hb + namespaces: + - ipRMD8PjRE + - TyGdLq51qHtCTp + topologyKey: Qb + weight: 1218556128 + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: {} + matchLabelKeys: + - UEXU0jm + - 3DvGK + - q7ZgoFKzY + mismatchLabelKeys: + - 8rS + - Zhmgc + namespaceSelector: + matchExpressions: + - key: Ahp7S + operator: 垄^ȕɝi + matchLabels: + j: Z + zn: 5N1spN + namespaces: + - 5U55 + topologyKey: El4O + weight: -1441269991 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: JeAkeb + operator: 齁.瀵倖Q{鑵À{ôk凔wȅ穝蠴礰 + values: + - NLDkgX + matchLabels: + Nb6NP: U + matchLabelKeys: + - 0xUxIZ5yra + mismatchLabelKeys: + - PO + - 0lMaP + - wjTYW4v + namespaceSelector: + matchLabels: + dfk: 2CoJF65 + l: EO55 + rSCM: 7ax + namespaces: + - LA8zh + topologyKey: ME + weight: -1429618030 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: fSvZx + operator: 簬¥彖馜@鰭ʛSŘʪw罗羐 + values: + - WBKgoDO + - IHFoQPa6I + - 7EBoFbh7 + matchLabels: + bDJ: uVvI + mismatchLabelKeys: + - v4GMLNjOI + namespaceSelector: + matchLabels: + pIeQi8D: hs4uHTom + namespaces: + - ik + - Lt + topologyKey: QP + - labelSelector: + matchExpressions: + - key: 5s2dAmoyzPuH + operator: 鼣WŲ痹 + values: + - SjWekZOshkn + - K8vFvMOrtwkd + - vYvUI0 + matchLabels: + fr69Sg2H: VRYdncoQ + mismatchLabelKeys: + - S + - "6" + namespaceSelector: {} + namespaces: + - LUd218j + - w9 + - VqcJK3hxUk1 + topologyKey: ajmyRnnxd2R + podAntiAffinity: + custom: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: "2" + operator: 詗邼}遱方ƶVIǖ*$ȗ}弇 + - key: g + operator: ƐÑS吁ɹĹ{濍 + values: + - UrWNgdSYW + - SYsweJvP1r + matchLabels: + TzMQ8: F4coq + b3vIQZ: sUq + xcd5: MP6g + matchLabelKeys: + - t + - uMrJ + - F9jZ + namespaceSelector: + matchExpressions: + - key: b + operator: ǻǴ溤Ɂ璝4ƥ砬Ä.汃ÌQc% + namespaces: + - "6" + - Qipxt + topologyKey: WtKz + weight: -1783246152 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: sCMVaOSO + operator: Ǽ歏Ģ`蓱g:ļ熹笡珁Ú0嘳*ʖ鱣 + values: + - kCylM + - "" + - Kpn13h4g + - key: GchDvxjZ + operator: ¿狘 + matchLabels: + BaG8QJGx: "" + dW2Wn: kBm + kulZty4hr: zdkw + matchLabelKeys: + - 29OT95 + - qW7mvgum + mismatchLabelKeys: + - "" + - keMPa + namespaceSelector: + matchExpressions: + - key: 8wu + operator: 嫧諟Ô·$rœc啢栭 + - key: "8" + operator: M2瓥3鮺Ś;絔@f%奱ʚ坔澡7ƅ戻 + values: + - 6QGU + - GL + - key: qtzYmH3 + operator: 验ǔƃ岶綇ŦE鶁蜊芨 + values: + - TSIjp + - ojx57bK + matchLabels: + 7sUo: "" + DHkjnVf: DNPHWQ + n0Rp: 4dK + namespaces: + - eD2 + topologyKey: iW + weight: -1851545717 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: jd1N + operator: "" + values: + - 8QC + - vPFgOl + - F3qBo + - key: VS7EG1R + operator: ~衙ƛ媧 + values: + - Nx87ge + matchLabels: + tWq1XyYw: KerD + mismatchLabelKeys: + - WEbxlcBJK + - "" + - cFI + namespaceSelector: {} + topologyKey: i0Hj + - labelSelector: + matchExpressions: + - key: SZpuMyf + operator: 妮ě + values: + - x + matchLabels: + 0zhQ2: 4K9P + c: Job + lSKbx3: jzjsb + mismatchLabelKeys: + - g8jh + - 9Qbf7h8 + - PbmM + namespaceSelector: + matchExpressions: + - key: dSc1 + operator: ùǡ幘Ŋ墮臕聍sǵ=Ltɝ蘧d愗E掦 + values: + - 77h6NZ + matchLabels: + "4": cBXu0N + ed: Jd2ob9IYLON + mwzs: JYg + topologyKey: 5um1 + topologyKey: MApo + type: G3a + weight: -522398208 + priorityClassName: 8Ypa1TecZ + progressDeadlineSeconds: -197240712 + readinessProbe: + exec: + command: + - VeG + - ZpYkBZjWQp + failureThreshold: -946013108 + grpc: + port: 1733046252 + service: TE9gSM + httpGet: + host: r5F + path: cEjpG + port: UQUR + scheme: ĺFŪč<,龆ɶƹDƿ孄 + initialDelaySeconds: -1609629919 + periodSeconds: -158429668 + successThreshold: 414657348 + terminationGracePeriodSeconds: 2365381410449413752 + timeoutSeconds: 677541953 + restartPolicy: X\B4錻}ȅ浸(I惽襪葷^Ĥ%ȶ^揬 + revisionHistoryLimit: -640963372 + schedulerName: tcrF + securityContext: + fsGroup: 1542597599134889862 + fsGroupChangePolicy: d坹ɷŰ翖Ȯ笺創y8礗岉 + runAsGroup: 4178156742717272546 + runAsNonRoot: false + runAsUser: -2177916685244537831 + supplementalGroups: + - -5773129745234681762 + - 7956710079209489615 + - 8047946510130583628 + sysctls: + - name: q8BvtyH + value: 32PC + strategy: + type: Ht + terminationGracePeriodSeconds: 2099000264 + tolerations: + - effect: '{梪篤龄Ȃ溺ʓ蚙Hw塨朣手ʛMČ' + key: Q1aKV + operator: '@' + tolerationSeconds: -4086789290485374625 + value: jamSz + - effect: '3ǂ鈫嶈ȯď¥芠ĸÇȻĉ閜PɓFpē ' + key: HmRvIg + operator: '#NO%#:Wù嶴:äʚí}' + tolerationSeconds: 3271010049130049050 + value: vFFxX + topologySpreadConstraints: + - maxSkew: -1728964191 + topologyKey: uwdTzniKw + whenUnsatisfiable: V5KLT + - maxSkew: -1160977379 + topologyKey: Ey5 + whenUnsatisfiable: jJ0E + - maxSkew: -594009032 + topologyKey: Ia5x1fvG2 + whenUnsatisfiable: g47TB + updateStrategy: + type: Zn9 +fullnameOverride: tYC5CG +imagePullSecrets: +- name: KzX +- name: NR1aEs4c2 +logging: + level: TI1KLHr8o +monitoring: + annotations: + "N": "" + b: p + enabled: true + labels: + O: CY3sdu + UddrJ: zlyJcM + klftu: OSDi + namespaceSelector: {} + scrapeInterval: 2140586h7m44.853020521s +nameOverride: fa1XvkvO +service: + annotations: + H: "0" + name: UrU9Bs +serviceAccount: + create: true + name: cl +storage: + volume: + - name: b7Yo6m + - name: cHS + volumeMounts: + - mountPath: 18po2m + mountPropagation: Ś宵 + name: aWWUxCrc6 + readOnly: true + subPath: 84zs + subPathExpr: fXC +test: + create: true +tolerations: +- key: mQ0 + operator: :罀倸三Ș儁岥őď;ȃ仂ȏwɂ定t + tolerationSeconds: -3767873578200433942 + value: OgC1 +- effect: \Į镌M9ʤ馑NdĹ孳ũ¨ + key: gpqxy + operator: ǻƸ瀥 + tolerationSeconds: -5203216359238986826 + value: TyP9PwIp +-- case-047 -- +auth: + sasl: + enabled: true + mechanism: EL + secretRef: 8qA + userName: "" +commonLabels: + YQJWn90y: CaduGS6 + ytV2tl: icxW +connectors: + additionalConfiguration: s + bootstrapServers: "" + brokerTLS: + ca: + secretNameOverwrite: REGD0a + secretRef: ZFEDD + cert: + secretNameOverwrite: aG9QIiXqg + secretRef: zrc5V + enabled: true + key: + secretNameOverwrite: D + secretRef: dtIKjx4fd0k + groupID: "" + producerBatchSize: 221474765 + producerLingerMS: -999496889 + restPort: 660248664 + schemaRegistryURL: W9TUtY + secretManager: + connectorsPrefix: "0" + consolePrefix: VMaz + enabled: false + region: T9 + storage: + remote: + read: + config: true + offset: false + status: true + write: + config: false + offset: false + status: true + replicationFactor: + config: 181733785 + offset: -551216099 + status: 894783312 + topic: + config: zpj + offset: s0 + status: e3Caq +container: + javaGCLogEnabled: zIkzV8Ox + resources: + javaMaxHeapSize: "0" + limits: + cpu: "0" + memory: "0" + request: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: true +deployment: + annotations: + 1taGex8O: RBXE4 + A: uiKIoNCT + NtMz: b7Zk1GQ7 + budget: + maxUnavailable: -1503513883 + create: true + extraEnvFrom: + - configMapRef: + name: dx + optional: true + prefix: OgoO8WCa + secretRef: + optional: true + - configMapRef: + name: Kk + optional: false + prefix: 6Rdx + secretRef: + name: nM5Hn4S + optional: false + - configMapRef: + name: nQ + optional: true + prefix: z70 + secretRef: + name: C + optional: true + livenessProbe: + exec: {} + failureThreshold: -2044419963 + grpc: + port: 1294112857 + service: T3du6tMf + httpGet: + host: y3 + path: GnHrZ + port: glSjqG9 + scheme: 0軫頟似. + initialDelaySeconds: 888211900 + periodSeconds: -42722218 + successThreshold: 337318108 + terminationGracePeriodSeconds: -1562611613414558057 + timeoutSeconds: 1870975781 + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: ajGWX3E + operator: Ǫ囍 + values: + - HbIL2OUP + - q + matchFields: + - key: 453h + operator: DZƮìX莁Ǜ詍^屶K}豫ţoJ櫉 + values: + - h + - a4s + - key: Y1AE + operator: 4噸đƪǶS绲aģ序e$襫枠ÿ攒 + values: + - uVsu + weight: -280128439 + - preference: {} + weight: 46457932 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + nodeSelector: + SFPTn: eN2 + podAffinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: L7t6 + operator: ʆa[穳w迂v + - key: "" + operator: 频弰t剼< + - key: T7uv4GBBUzUbG6 + operator: S鯉¸ń + weight: -1468638122 + - preference: + matchExpressions: + - key: h5w7 + operator: 癸āÞ + matchFields: + - key: uv + operator: º癲癇ɇ許ɠ/ȗ捪Ƭ#ʘ堅Ŧ + values: + - Cw0B + - BqrHb6 + weight: 907696087 + - preference: + matchExpressions: + - key: hojak + operator: 1坥矸挍嘧^ʗȆ箂ƅɯƴpȵ + weight: 1364801782 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: pd8S + operator: uɝ?ɻZYƎ1Ǯʦ郬Dz + - key: DUO7i + operator: 谦`í + values: + - 6FwSwcs + - GN + matchLabels: + n6f8z: zXtgC + matchLabelKeys: + - Fnubc + - LA8QDbda + mismatchLabelKeys: + - qVxsEJ + - qE1yBoG + namespaceSelector: + matchExpressions: + - key: MrEWOI + operator: lZ7¹ɣkņl + values: + - U1nS9j70 + - yszBN8o + - neNbj2gZ + matchLabels: + 0hps: O + UgKJX: y1 + topologyKey: PMw0c + weight: -952955605 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: b5kCbI0z + operator: "" + values: + - tXLI + - key: KnIWiUw + operator: ǂ + values: + - kQ1Z + - 0QODSv + - MQSRMGsLu9 + matchLabelKeys: + - PA + - iYvDj + mismatchLabelKeys: + - o + - FrWVnE2CYwqd + - rT1 + namespaceSelector: {} + namespaces: + - rQgxNt + - pvhrsnC + topologyKey: GEeifY + weight: 1975729679 + - podAffinityTerm: + labelSelector: + matchLabels: + EVfT8M0: o + PxD: 79PJExTR + yA: TZecIw + matchLabelKeys: + - hdY1YQQRr + mismatchLabelKeys: + - cCPWUZy + namespaceSelector: + matchExpressions: + - key: "" + operator: 嬡媏9o茺SȥƗɯkQ蘓#邯ɑ叧ɵǁ + values: + - ou2ng + - AZY8 + - d6bB + - key: pgpk + operator: n:`ʂ + matchLabels: + ojwxs: 6GFt + namespaces: + - 88ER7b + - T + - SZ3 + topologyKey: MjN + weight: 540230312 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: Op + operator: Ň訹ʮXaG9酣敺ʞƪDŽ訯ɤ + - key: MHiaw0pSV + operator: ƋL(>Np賖ʙ + values: + - fj4sKVJws + - 4Iv + - key: O7pKHAO3pzP + operator: '%' + matchLabelKeys: + - eh93u + - gRYCx + mismatchLabelKeys: + - yy683S + namespaceSelector: + matchExpressions: + - key: 9h + operator: ıȖ飊蹯ƹ箰 + values: + - KNEG + - XdPWA + - mMvRH + - key: KTtr + operator: 觯hɪ + values: + - BcMH9NnOk + - h8ObHDc9P + matchLabels: + hT4lkum: En + sU73ic: NcW + namespaces: + - 4uQ4TMGRLt + topologyKey: 8vXEv + - labelSelector: + matchExpressions: + - key: "Y" + operator: ȅ鍼鿿$FƆnjǭ)ÿ + values: + - V2V + - key: Iz + operator: '>鱼狷趟`jCɨ*儚zkǀ柍ōÌ崉!ʥ' + matchLabels: + IM1GdEa: K3Ew + dCIEnPl73: bavvaL9ErI + s1b: ThqLOi4 + namespaceSelector: + matchExpressions: + - key: 8EKqCm + operator: ǝdz÷Ťʦ^創炲穡箃ťQ + values: + - ML + matchLabels: + PnWmWZ: odki1Yo + namespaces: + - k5I + - ncPcE + topologyKey: w4kt + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: Yj3M8wFy + operator: $<ȉ<ý暍Ě鰎3^ + values: + - eUG + - "y" + - x7 + - key: w9T3ut1T + operator: 販鳓ŕ莴傢Á礗Įǔ騦, + values: + - p6PWo + - 9j + - D5RQxUdU7 + - key: nCy5c + operator: ^-Yǫ4伴陜nk鋻歱峓sɡɂ + values: + - gB68BjwnCV + - L + - qBx3B + matchLabels: + vPL: i8KO + matchLabelKeys: + - wMm + - usVVmD + mismatchLabelKeys: + - u3k5X + - VUT71fj + namespaceSelector: + matchExpressions: + - key: V0iWHNZi + operator: "" + values: + - nUqA + - OZu9Dz + - key: x + operator: 屩lʞ敹 + matchLabels: + Rd: P8QK1 + cgd: YlfL4 + topologyKey: TBXmu4 + weight: 710078611 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: ymyCCU + operator: Q葿暩葆ɿÇ\ė3ʔ + values: + - SLrkpqf + matchLabels: + A5Y7aa: 2hDLZ + klIJgF: LOi6 + lO4xDpk6kTs: nSmQZErq + matchLabelKeys: + - ulCY + - V + - GZw7g + mismatchLabelKeys: + - zAmZ + - ko + namespaceSelector: {} + topologyKey: "" + - labelSelector: + matchExpressions: + - key: Z5F + operator: +寺厸|珑/ĸ) + values: + - LpjJqgfBG5F + - 2Cb3Y3c + - t2UCr + matchLabels: + 6FO: "" + mismatchLabelKeys: + - TQA1xK + - t8pbUmQd + - 8wO778bgDXR + namespaceSelector: + matchExpressions: + - key: oVEoNom + operator: ʊ椴審(@Ă.綂Ȱʔ3ǯʅ + - key: K7 + operator: 暎棽阽ɥ + - key: HWJwxOp + operator: 髋}Ƿɐ耷ì鄶#ǟu|Ť貘+6莠墙荜$ÿē裬葤 + - key: 4qGD7ZW + operator: y餟ƵÁɑǡ + values: + - I + - 8ihw + - "0" + matchLabels: + "": W7oExjz5 + Gc6: we5g + kwnNTF6H: AavRqArX + mismatchLabelKeys: + - bOwb + - bK + - ghihlm2Lhp + namespaceSelector: + matchExpressions: + - key: 6BDJ + operator: "" + - key: U9EAdB + operator: 鶜}C-[j丱螜Ȳ旕dƽɿ鞨ĠK+飵 + topologyKey: 6eQggF + podAntiAffinity: + custom: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + 7i: TbE + JXB5: J2fg + lLpX: 9AiEG4e + matchLabelKeys: + - Behe + - 1dGT2Z + - mZgjixI + mismatchLabelKeys: + - jIIXs + - Zl8X + namespaceSelector: + matchExpressions: + - key: Vlif1O + operator: ħ洱3;膲a + values: + - QalaoxQ06 + - 2lsIfdVFk + - WTKxi + - key: 6I + operator: RǨz + values: + - 7dOQ + - 9F00G + topologyKey: v0BKMpg + - labelSelector: + matchExpressions: + - key: Cxkv + operator: ɱƔ(I + values: + - JsYrlrlk + - "3" + - xCrG + - key: 0w + operator: xw + values: + - neE3 + - key: wdni + operator: )攁捙笶陯 + values: + - BTSUHf + - LRA + matchLabelKeys: + - 2Wmpf0XJ + namespaceSelector: + matchExpressions: + - key: cyu + operator: 潦c%f)v + values: + - ZmNo9Hc + - 4ec + - 8ptw + namespaces: + - M5GjE + - "" + topologyKey: V + topologyKey: "2" + type: JFBH9 + weight: 1888684498 + priorityClassName: Wg8Wu + progressDeadlineSeconds: -1524384619 + readinessProbe: + exec: + command: + - ogUapD + - JNor0OH + failureThreshold: -2099739674 + grpc: + port: 2056719693 + service: Nk8deyFml + httpGet: + host: qS + path: S6Cj2 + port: EeKCZ + scheme: ʅ鹒p + initialDelaySeconds: -359104350 + periodSeconds: 1897832932 + successThreshold: -962367820 + terminationGracePeriodSeconds: -5091110669039213167 + timeoutSeconds: -677019415 + restartPolicy: 爃ɥ90İĔ + revisionHistoryLimit: 1994939456 + schedulerName: i57b + securityContext: + fsGroup: 1520694499640274668 + fsGroupChangePolicy: 嫽Ǭ + runAsGroup: 3728458047896784619 + runAsNonRoot: false + runAsUser: -8957070032009944858 + sysctls: + - name: NBH + value: bXsgSc + - name: WTZnja + value: p4Du + strategy: + type: RDNEX8T + terminationGracePeriodSeconds: 1122010486 + topologySpreadConstraints: + - maxSkew: 2113683386 + topologyKey: H1AWsSn + whenUnsatisfiable: VEpgY + updateStrategy: + type: 6b7BSE +fullnameOverride: Bl0rL2 +imagePullSecrets: +- name: LGwi +logging: + level: b +monitoring: + annotations: + "": O + AFH4V: ga95qmjNhc + enabled: true + labels: + 9HWO7MGwhk: vGHnz6 + NNg3k: hbR + RXL: VxSIXgS + namespaceSelector: + any: true + matchNames: + - WZxK8iNK2gdU + scrapeInterval: -1823238h3m59.524888469s +nameOverride: wN +service: + annotations: + "": pZ + name: xW + ports: + - name: V + port: -1924603054 +serviceAccount: + annotations: + "": mNGwfCN + create: true + name: 3m +storage: + volume: + - name: Cm + - name: eHp5 + - name: r1T + volumeMounts: + - mountPath: 5aM + mountPropagation: Ěɲ'再ʖ|皑F9ĺOĆ|Oô + name: 2HGf2z + subPath: vuF7gt + subPathExpr: y6zTs2 + - mountPath: QU6 + mountPropagation: QǢx槱Sɼ湙Ȥ恑ñ鹒 + name: PbVBK + subPath: foAWHAo + subPathExpr: I8f + - mountPath: "" + mountPropagation: ƇNʆ¹¯檷AvdŜ踆ÿDȂ + name: cA + readOnly: true + subPath: y6Kasn + subPathExpr: DIUY0V +test: + create: true +tolerations: +- effect: 涏Ř + key: i6DqmjDv2K + operator: 钨{Õ\ʭQIɘʯIŸ + tolerationSeconds: -8713064626657727741 + value: fLHW9 +-- case-048 -- +auth: + sasl: + enabled: false + mechanism: Xr + secretRef: i5 + userName: aXR +commonLabels: + x3: e1lz +connectors: + additionalConfiguration: stdaxfP + bootstrapServers: fOZsu37vN + brokerTLS: + ca: + secretNameOverwrite: hln + secretRef: k5U1 + cert: + secretNameOverwrite: s47Hy + secretRef: ljqjD + enabled: true + key: + secretNameOverwrite: Wxw + secretRef: icjt + groupID: piupb6 + producerBatchSize: -1479166006 + producerLingerMS: -1816218257 + restPort: -2097692565 + schemaRegistryURL: xg4Cxakw + secretManager: + connectorsPrefix: KeHoy + consolePrefix: 1HcDE + enabled: false + region: snd + storage: + remote: + read: + config: false + offset: false + status: false + write: + config: true + offset: false + status: false + replicationFactor: + config: -103098671 + offset: 864522858 + status: -1797067435 + topic: + config: FBdy5 + offset: ytzBE0 + status: FHVut +container: + javaGCLogEnabled: Fu + resources: + javaMaxHeapSize: "0" + limits: + cpu: "0" + memory: "0" + request: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: true +deployment: + budget: + maxUnavailable: 896500401 + create: true + extraEnvFrom: + - configMapRef: + name: w9vIEs + optional: true + prefix: oFWtF + secretRef: + name: Z1 + optional: true + - configMapRef: + name: 9wMxsz + optional: false + secretRef: + name: zLL2kR + optional: false + livenessProbe: + exec: {} + failureThreshold: 1532121771 + grpc: + port: 908100480 + service: P2AKgA6 + httpGet: + host: G1t + path: dTC5Sa + port: "" + scheme: 鷫w八ǤɩT÷3蔉ǰ*贝弔琎Î + initialDelaySeconds: -893256878 + periodSeconds: -674475842 + successThreshold: -1740698110 + terminationGracePeriodSeconds: 1865038295935824451 + timeoutSeconds: 326371790 + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: b + operator: 鷘泝, + values: + - 0N3rqLJ + - "4" + - 1L + matchFields: + - key: gnmK + operator: '@D煡摡o昪ɼ柤斕ɲı58,tț>' + values: + - i1 + - 5PqjZCTW + weight: -1104761106 + - preference: + matchExpressions: + - key: dT + operator: 犘ijň鉻ĴɳǁȨD + values: + - XdGct + - key: 2BYB + operator: '}閂譗輸礯Ʊx' + values: + - MU2j1Vu + - "17" + - key: ypgFjkuHHfzj + operator: '`4ʫfƗ8鲙華ė' + values: + - "y" + - LHvKvSZf2 + matchFields: + - key: GImX3 + operator: "" + values: + - xQPC + - R4R + - 3Y0mxG + weight: -521155604 + - preference: + matchExpressions: + - key: ft5L + operator: ȗ垁屹3瞬铵烱#祟渥 + matchFields: + - key: Fx + operator: ǷɂZ + values: + - WT + weight: 677594922 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: AwTQm2 + operator: 展ɏǀ襋k(ȴSǮ讶ʁ + values: + - 8i1 + - key: gQ1DB + operator: 汴F见Doĵw?Pc|昋階ʇ亸d灀麕ʞ + values: + - uqEzQKDpVw + - Q2 + - icCcpbp8 + - key: d9Z + operator: Ǽ船薲ɲĊbJĘƑƮOȄ鄹 + values: + - flK9jMt + - jt4 + - TSJ + - matchExpressions: + - key: Cf40pEWF + operator: ŌZ雯瘍 + values: + - "0" + - cSCIGvcwc + - Izvo0 + - key: mB4jp + operator: Í淙篝Hƨ_u误Ý + values: + - OTJJx + - KgWLC + - key: TxkO + operator: ȠȰsa'ʫƲ鑠 + values: + - 3gqlT + matchFields: + - key: l + operator: é糁v抯 + - key: QZFxqZ + operator: / + values: + - q0DJ + - M0 + - 6XMtos + - {} + nodeSelector: + DdMU: TvKI + cxzoe: "41" + i6KwA0A6qU1g: E6j + podAffinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 27Ay + operator: 効P禶Ƃ淑×_髉沎1g雺+ + values: + - rgEa + - d + - HhpA + - key: 1dPtPjTbh + operator: Ƿă麺 + values: + - b + matchLabelKeys: + - iEi952afuE + mismatchLabelKeys: + - O2Hto + namespaceSelector: + matchExpressions: + - key: kum0cz + operator: ɚ釣腅庆@\Ɂ檄6!G闎)īæʀŇ]璯 + values: + - "" + - 9FZmV7q + - vPK3 + - key: "" + operator: 堁əC峎&ŕDʣM'雐Ɉŗx + - key: G + operator: 'QjŌ:' + matchLabels: + BFPI4M: uzYC + MJLqR: z + namespaces: + - UX3IA3h5 + - 3Bds + - AKT9H + topologyKey: b3TODHaa + weight: -1228882596 + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: mc + operator: -V:7pƧʖò跪x©砚砰`ƨ茩钪Z敓 + values: + - wSITrxHTS9HZC3 + - CuIo6L6CDmUgu + - key: "" + operator: 媉跈铄堕Ŀ/{jň + values: + - jF3HYWqWEr7TR + matchLabels: + 4F5Kv: G00k + ctjZYe4x1uNh: gtkkPK + nTjG: pwyKCyJEv + matchLabelKeys: + - "" + - "4" + - "N" + namespaceSelector: + matchExpressions: + - key: LUJp + operator: Ū咄unjʢPXǘ憱朤Ű尙űb[灘勈Yȱ + values: + - 5Z3rbs2EdAE + - ZuP + - key: yiWkttM + operator: '`樞髨đķ姞XƃHɏ材ȝ:yĎ窘' + values: + - F + - Twn69 + - ji + - key: 4hLx + operator: bȷ + values: + - Ki + - kjWG9 + - c847VrQVN + matchLabels: + GhZu: 9T1Ai5 + namespaces: + - trsp + - eYMhJsX + topologyKey: d7QkCGS + weight: 579883095 + - podAffinityTerm: + labelSelector: + matchLabels: + "": BkvZx + 5Cl51conQ: "" + JIK0XU5wF: QpRIa + matchLabelKeys: + - rB + mismatchLabelKeys: + - 8FzxAzJeIit + - ZOQj0d + namespaceSelector: + matchLabels: + nP2HZf2eH: aUzmR3uuKY + namespaces: + - mF3O + topologyKey: QCmkc + weight: -1703667772 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: krwcqI + operator: '#:' + values: + - ibt + - t + - i9469 + matchLabels: + HT64Ybn3: KGLr3jpQ + LpfpVnOJf: 0rLjo + erYb3: 9lRqTXj4m + matchLabelKeys: + - 9p4 + mismatchLabelKeys: + - hzEmU + namespaceSelector: + matchExpressions: + - key: VL0 + operator: JX0ɅE拮Lsʚ茲]ʢ + values: + - Uymjw + - YCn + - ethVoHhJL + matchLabels: + "": t + topologyKey: ZFbEWa + podAntiAffinity: + custom: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + FkdFP8S: l47McZdSiw + matchLabelKeys: + - LVSg8I + - ZIbzqVPIrjF + - YWwSaAw87 + namespaceSelector: + matchExpressions: + - key: tlsDj + operator: 6Ȇ`3Ze伢qDȖ槑ȟł + - key: p + operator: 鈃'豕VĐ斆ȱ!ȃ?wqɇƬ + values: + - F + - key: RfCxe + operator: 轫Ê98叀疓}漢[D偆幕繋<Ò=峕ɀ + values: + - HDyJ9 + - 03Uzj4m + namespaces: + - Y6Ay + - 5rDS + topologyKey: sU + weight: -1397412749 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: qQcAm + operator: ç脣Èðɇ鄅ɯrʐǷœo4刋冉菣ʠ鰼 + values: + - LdQOKui + - key: oSZdMcc + operator: "0" + values: + - TX + - UZ5iQ + - JBYSo2 + matchLabels: + WArJvOMSNO: rgBzJ + iaBvi1H: B8up7I + x: i4F + matchLabelKeys: + - k7ML + - VR + - qtQ0dTf + mismatchLabelKeys: + - s7 + namespaceSelector: + matchExpressions: + - key: c7 + operator: ʋ\ɸ|ǖ炡utɜŦ"Kxh + - key: cpqDs + operator: ɽ鈶Ʈ¡ƽǨļɤ儧Ÿn}Ǝʞƛ史 + values: + - rCrj5wg + - SXZzoY + - key: ZNVtqG + operator: Ơ瑊ȼ+櫓'ɻýʯX´cƈkĺk6 + values: + - Gsw + namespaces: + - quffgHoEKxxO + topologyKey: iHNr + weight: -284270585 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 4C + operator: 7zF脥Q:2僝jǑ + values: + - Uk + - key: 721gY + operator: C悺鹼岶狫ń±敛P煺\nŨ泞ǵ,ȣC菹 + values: + - r1k + - "1" + matchLabelKeys: + - g + - vDoU0BjC + mismatchLabelKeys: + - IrO + namespaceSelector: + matchLabels: + ONSj: 3Xh3NX + ONgggfk8t: DQxXyxu + wba4o3ae: Nl85N5 + topologyKey: mjD + weight: 960522068 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: 1su + operator: Ƕ + values: + - jxhj8g4 + matchLabels: + KTyQMh: sByLd + mismatchLabelKeys: + - "" + - 4jOv0EhQW + namespaceSelector: + matchExpressions: + - key: Wm + operator: BC螝Ħ耡±湡/宥趋ɑ瘖乶:汁彌 + values: + - n56fpGxrnr + - m + - 24OqIm + - key: wfDuGoF + operator: 瑺冐¥凖摶蝾b蚽嵷銱 + values: + - ooNGd + - 6G0GF + namespaces: + - ElrXceeDN + - EAtS23 + topologyKey: NLu0gTOn8p + - labelSelector: + matchExpressions: + - key: Eq8n + operator: "" + values: + - ZdBbrGxG + - ozepn + - p + matchLabels: + a: 5Nrk3 + matchLabelKeys: + - Z + - "4" + - 4W + mismatchLabelKeys: + - hBR76gl + - ZI8T + namespaceSelector: + matchExpressions: + - key: YfWOe + operator: "" + - key: F + operator: ;起ǣlʄ川Ɖýß歙懥瘵 + matchLabels: + kbHRw: "n" + topologyKey: Qk8l + topologyKey: rXnckz + type: d04GWjGpDQOK4K + weight: 2110708875 + priorityClassName: IKSxf + progressDeadlineSeconds: -1933689162 + readinessProbe: + exec: + command: + - 0XHj27GU + failureThreshold: -2100702858 + grpc: + port: -426293371 + service: JTK0kP + httpGet: + host: QPoQbZ9 + path: PxIHuC3 + port: dY + scheme: ʏÞ荻a鎘ʇ塜H唽×ʃ刉 + initialDelaySeconds: 1930411693 + periodSeconds: 1985310483 + successThreshold: 769125679 + terminationGracePeriodSeconds: -4123472799765155241 + timeoutSeconds: -1364329005 + restartPolicy: À潌貛ă貈懍Eŵɀȩ + revisionHistoryLimit: -1768466640 + schedulerName: RMki + securityContext: + fsGroup: -3162007349665636938 + fsGroupChangePolicy: F@AǶvĭȟū琐噌黣坩Ǚɮŀ + runAsGroup: 164107928150233301 + runAsNonRoot: false + runAsUser: -6374867922909642928 + strategy: + type: OMXfGqbFsWh + terminationGracePeriodSeconds: 1025063088 + tolerations: + - effect: ƸL諟Hv餣A嶌ɣYƵ轝脡sT酉 + key: rvPW78A + tolerationSeconds: 2277475321707653696 + value: zmQU7sY + - effect: 瘅1Ʉ夆 + key: 0p + operator: 冂÷s廥肚Zj陎1aÚkĤɀǟR + tolerationSeconds: 1191004605682561615 + value: sZcoDHahsR79 + topologySpreadConstraints: + - maxSkew: -1723926017 + topologyKey: KnB17 + whenUnsatisfiable: WpP6r0 + updateStrategy: + type: 56m +fullnameOverride: xPmln +imagePullSecrets: +- name: P0 +- name: AoBx4D0STGS8Z +logging: + level: QSl3 +monitoring: + annotations: + Ph: jqBcTVUZf6Q + bphXvWC: RZuPl1 + wrQkm: whQu3 + enabled: false + labels: + WGbtca: qquyS56V2v5 + dBJC: qNJ + hO: Mv5VfzUC + namespaceSelector: {} + scrapeInterval: 856582h27m40.130242944s +nameOverride: r7G +service: + name: w4DG +serviceAccount: + annotations: + 6tv5saOxoc: 6xq4 + EMXt4yV: 6g0eIa7vAQ3 + Nv: 2r + create: false + name: YIo +storage: + volume: + - name: I0 + volumeMounts: + - mountPath: FgUy2D + mountPropagation: ül幯wȅƑʀ,姅 + name: kUw2 + subPath: D0Qb + subPathExpr: EemIo6uDnv0 + - mountPath: r + mountPropagation: 剐ƥ<¶抿菋ɯ粦梘ȡ( + name: 15LL4 + readOnly: true + subPath: tcGS + subPathExpr: pwB + - mountPath: aC8MZYmVC + mountPropagation: ʢǮZ薽R擽ē1Xȭ硡衕卣A礖XÚY2 + name: "9" + subPath: qg + subPathExpr: cPz1rA +test: + create: false +tolerations: +- effect: S爨5p皳衷ƖE + key: htSQi8X + operator: 枦悬Ɵ洌?峎 + tolerationSeconds: -3814415431062878896 + value: Rbg +-- case-049 -- +auth: + sasl: + enabled: true + mechanism: lZOXaE + secretRef: YOdINi + userName: BXFWsRQboaO4 +commonLabels: + AxgO: ie + a: xGJKP + wy9DijfF9: pY +connectors: + additionalConfiguration: q9c + bootstrapServers: IgVAbq38dU + brokerTLS: + ca: + secretNameOverwrite: kYnXvq + secretRef: IvgqIPUbzG + cert: + secretNameOverwrite: 7JbcQ + secretRef: buOno + enabled: true + key: + secretNameOverwrite: 20O + secretRef: 6hz5McyLWN + groupID: Wk7p7aNJ + producerBatchSize: 2121357080 + producerLingerMS: 2074731749 + restPort: -447671166 + schemaRegistryURL: 6N0Bmg4 + secretManager: + connectorsPrefix: x7I5NRn + consolePrefix: eDG + enabled: false + region: SkMqmYBpLtPJj + storage: + remote: + read: + config: false + offset: false + status: true + write: + config: true + offset: true + status: true + replicationFactor: + config: 1354970349 + offset: -471311251 + status: 1502440377 + topic: + config: D1lY + offset: O1OSNfw8U87 + status: GPw +container: + javaGCLogEnabled: s4ggDHmuiTC + resources: + javaMaxHeapSize: "0" + limits: + cpu: "0" + memory: "0" + request: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: false +deployment: + budget: + maxUnavailable: -372928360 + create: false + extraEnv: + - name: FW + value: 5RU04xp + valueFrom: + configMapKeyRef: + key: 7nxdup + name: tnQpS3Y01 + optional: false + fieldRef: + apiVersion: eNiNGSSDL + fieldPath: 5119g + resourceFieldRef: + containerName: 4D + divisor: "0" + resource: 7O + secretKeyRef: + key: RERK + name: jtlhC8sfN + optional: true + - name: K3Z5 + value: v + valueFrom: + configMapKeyRef: + key: 5yl + name: J9LMEohiq + optional: false + fieldRef: + apiVersion: wbFQyoK4 + fieldPath: GL6kNJ + resourceFieldRef: + containerName: Xy2OPZ2 + divisor: "0" + resource: w + secretKeyRef: + key: 70As + name: PIR8cXF + optional: false + - name: TvqBj3M9 + value: n5DeWNx + valueFrom: + configMapKeyRef: + key: A3J + name: HC + optional: false + fieldRef: + apiVersion: 7vcn + fieldPath: NVb + resourceFieldRef: + containerName: Kw5PS + divisor: "0" + resource: M + secretKeyRef: + key: exITv + name: 6BCCh + optional: false + extraEnvFrom: + - configMapRef: + name: mKhZU + optional: false + prefix: 7r + secretRef: + name: 4dK + optional: false + - configMapRef: + name: N7 + optional: true + prefix: v8lf + secretRef: + name: Rmh + optional: true + livenessProbe: + exec: + command: + - Cx + - J87G2o + failureThreshold: 781863739 + grpc: + port: -1245485251 + service: Rea6qLZtf + httpGet: + host: m + path: 81qOdO8W + port: 2000006026 + scheme: 0觇瓄ȗ-狐´Ǝ酤ƆjĴȘ梟 + initialDelaySeconds: -845959215 + periodSeconds: 968971981 + successThreshold: -1102843833 + terminationGracePeriodSeconds: -9135098607736928416 + timeoutSeconds: -1624177358 + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: M2 + operator: ?ʪv椾ɛŵR{昂 + values: + - VijxsIC + - Z + - ccgUy6X4 + - key: Hyr7Bi + operator: 糪鄖藸*ɭ + values: + - qX9fMe + - key: SGTnNAR9 + operator: tđ鑨aɰ@Gȧ匈瑴駳ʨ譄ř顲IJ蓡"餛 + values: + - XGZRPQ + - HvYW + - SJm + matchFields: + - key: OeW + operator: z顡àP賤曑^ȴQ@蝂ź斁棈玔ʯ% + values: + - ml + - 4O7U + - wQ4YJ36 + - matchExpressions: + - key: Lya + operator: 潲pƏ黇稖4 + values: + - jC9 + - F + matchFields: + - key: Ynazf + operator: 6u閄甚 + values: + - 4qKPH + - key: hqS6 + operator: ¤W瑨ǀ螛觴囻 + values: + - ZFA3 + - O5sJmCwV + - key: Qf8jOwRnP + operator: ~I鳥撢禽殪yȿ嗍-芠ǒY`唞 + values: + - Jx4jV5qM + - PDQTY + nodeSelector: + dduQyGRf: 7nwg + podAffinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: A + operator: qnjü熂¤}ðÅŧ@蕑 + values: + - 6vy + - rl4UI + - FFXR + matchFields: + - key: YHp0vUR + operator: Ggɱ棁 + - key: UgkXI + operator: mn<#ɠ铑k趴ǟ韝 + values: + - 5JJK + - key: oTJ8B + operator: ȡ拳řɒW阾u掠鄗懓j9[唊ȱ + values: + - yb3 + - 2YZE2W0 + - L + weight: -1083324198 + - preference: + matchExpressions: + - key: OTNrwf + operator: ö议昇ŁüC + values: + - WLOo + - vs0cZ0R + - Khhase + weight: -711215427 + - preference: {} + weight: -1613072214 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: gVZf + operator: _逋 + values: + - JzYY + - ywDxP1 + matchLabels: + Xegma69PO3houPR: Rmbc + d: MlcH4i7 + matchLabelKeys: + - K + - f + - rhU2t + mismatchLabelKeys: + - van87 + - 0ZYdEF5 + namespaceSelector: {} + namespaces: + - P8O + topologyKey: 1NGe + weight: 569962286 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: BeFIzF + operator: Ĝɿē + - key: Rvo6WB + operator: ʊ候ɥÂ漦靿Nj搘溦恱徒,ɴɜĿ怀Õ8貐 + values: + - PBaiU + - key: knGp2I + operator: Ǩ鄧^&膽s硢üf厵¸Ŧ錨譖梑*屟 + values: + - Nbn6I + matchLabels: + 0fc: HuJvN + 9tYU: 88OR4d2 + WR5Fy: lfBGVZo + matchLabelKeys: + - WukVD + mismatchLabelKeys: + - Vx + - BtHH + - dajjlO + namespaceSelector: + matchExpressions: + - key: t + operator: ']XFȁ窔示ʛ' + matchLabels: + 4Qh1x8JGl: Ex + 4hLpox: VP1 + gV0AjuaYC: aUwAN + namespaces: + - p + topologyKey: CM + weight: -1434839877 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: {} + matchLabelKeys: + - 3Ss + mismatchLabelKeys: + - fobV + namespaceSelector: + matchExpressions: + - key: X0rcjmbG + operator: 聹璴ɒ轢ąG箽Ɗş + values: + - 8ghV9wL + matchLabels: + 03NYmC8: "N" + H0mvdY: iy8ac + namespaces: + - C6sd7 + - F6FE + - 9W4PbMcZ + topologyKey: G4eB + - labelSelector: + matchExpressions: + - key: sNU + operator: dYC + values: + - YQaiV + - key: Pua + operator: ɸnŔ摔岖nǏȚȂ昗 + values: + - YpXB37PnW + - f2 + - MM + - key: DxVCz6I2x + operator: 埸爻 + values: + - Hm2CX + matchLabels: + sD0FFW: DLDqfI + matchLabelKeys: + - 1ZijjM + - bMD + - wKDup + namespaceSelector: + matchExpressions: + - key: h + operator: 蠺¾l拏|GȎ俴|~嶻屶À 9攑mʏC + values: + - lt1f + - Rx6 + - z + namespaces: + - vXafQDN + topologyKey: "" + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + R: xf6sJsIR2 + XRGK: HU40WMP2tH + matchLabelKeys: + - kZ9w2o + - C9lRMoB80Kf + mismatchLabelKeys: + - 5Q + namespaceSelector: + matchLabels: + lBX7: deB6Qg + namespaces: + - EZQJcE + - agIqApffRAjm + - hNChs7M + topologyKey: y6 + weight: 310831703 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: LG + operator: 寭Z踸賟ð蔄lǦÏ徫*柝RŒĕă都 + values: + - Ia3H + - pGJa9 + - key: PLHavnryhJ + operator: čʬȰ呰vʤ涜Â擁隨鄡u評ƚ鼷Ō"ǩ¦ + values: + - VurUeIEAI + matchLabelKeys: + - "" + - fKBu + mismatchLabelKeys: + - L1 + - eG155Q + namespaceSelector: + matchLabels: + RYjDmg9L: S08IW6cHa + topologyKey: bIA8oKUvNZ + weight: -980786377 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: Vdtt + operator: ƃ摰Ǹc茜颭ƅ{ɘ侼ȅ.ġ + values: + - GY + - IL + - e82zQBv8 + matchLabels: + LCyGc: 7onELXh4E + r3: 3jFJ + s: 2JH8 + matchLabelKeys: + - ett + - e + - CBNjUaCu + mismatchLabelKeys: + - gOfT + - H8q + namespaceSelector: + matchLabels: + "": wpC + oKw8pdan7Q0: dLiDRyH + namespaces: + - qw + - Rm1a1x + - kjfaf + topologyKey: guuynpKQ9lV8 + weight: -1608829726 + podAntiAffinity: + custom: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: s + operator: ɠ襱Ȣʅ鶌脸ĕŎ鋃澣'Ɵɡ舩V÷ë4 + values: + - "" + - RdE4 + - IwoP349d + - key: K8OuT + operator: Wʼn + namespaceSelector: + matchExpressions: + - key: F + operator: ɆƂr嗫nÈÚ7{ƴ视ƺ覵ʋŬƛ + values: + - CKicU4 + - QtnR1mf + namespaces: + - JZ + - 9j60y + - VdjQ + topologyKey: V79Fc + weight: 1058838095 + - podAffinityTerm: + labelSelector: + matchLabels: + IhQLO3: k0ZI08 + phsC: hrahrRruQ + matchLabelKeys: + - rCSflQW + namespaceSelector: + matchExpressions: + - key: kcxL + operator: Į + values: + - NCGT + matchLabels: + 3tPhW: yFH6u + 4PB1z: cjQ28Es3I + topologyKey: s50 + weight: 2003899640 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: t + operator: 菠_Ɩ-ĉ垝ʮ + values: + - 2yD6SK7sQNyQ + - key: s1 + operator: 衙鵇ȔºɢG枬涕L$k賽Ö + values: + - xR + - ItozQOJu + matchLabels: + 8rP96Bm: gRg8miP + Gop: LnoRl + matchLabelKeys: + - asNzX03 + - UQz + namespaceSelector: + matchExpressions: + - key: tlFJgp + operator: 翺$ȵ硽dzXȷ鿁aȐG + values: + - yCG5CU + - key: ezfpbDKj36Qk + operator: ?盉剴痐èěȆ倒f^ + namespaces: + - C + - BWSk + topologyKey: NRyT + weight: -1887589 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: VqAEfS9 + operator: 'š勐§2äƇ镧 ' + values: + - zAiR + - MAdfP + - u + namespaceSelector: + matchExpressions: + - key: bss + operator: 龌ɒRuĖXʃĹę琴 + values: + - fYA3 + - 3nOKAD + - CIt5uEowlBLQ1 + matchLabels: + 8ZPfixhDT2u: NhaXnN + 9m0: A1gs2 + GXhMHUyy: KmKI + namespaces: + - W + - BrU0P3 + - "" + topologyKey: PxOw + topologyKey: B + type: 0ZYR + weight: -1306525291 + priorityClassName: m3Ex + progressDeadlineSeconds: -1434788483 + readinessProbe: + exec: + command: + - MNs0Ba + failureThreshold: 584818346 + grpc: + port: 321294336 + service: "" + httpGet: + host: 7VJXwz + path: 1ygxm + port: Dcl8Z8 + scheme: 慲ė鼔ƀ + initialDelaySeconds: 1026532597 + periodSeconds: 1489595355 + successThreshold: 1696560908 + terminationGracePeriodSeconds: -4249833353592859621 + timeoutSeconds: -147660350 + restartPolicy: Y2dɪ赥ȡěȫ + revisionHistoryLimit: 529570324 + schedulerName: mzo86Jb + securityContext: + fsGroup: -2777096360811827600 + fsGroupChangePolicy: ǑȽ劐2$t剭赖' + runAsGroup: -8516502997065582904 + runAsNonRoot: true + runAsUser: 4444001915347831322 + supplementalGroups: + - -713783482271938969 + - -1237716613088890768 + - -3929371009074647393 + sysctls: + - name: xlxKwO + value: mVa0Vk + - name: Pe + value: ggm6uD4s5 + strategy: + type: 1Y + terminationGracePeriodSeconds: -1036531185 + tolerations: + - effect: ƨU;È性ǯ9ƝZ軷ĖĀ<猀Ħ瑍ş + key: hrn + operator: 駾G + tolerationSeconds: -5689841415932882459 + value: 7wGF139wPxrS + topologySpreadConstraints: + - maxSkew: 2056579760 + topologyKey: 3Vxn0PFD + whenUnsatisfiable: Zd + - maxSkew: -1862577769 + topologyKey: 0ifTRZ + whenUnsatisfiable: ovqoS + updateStrategy: + type: nlatLA +fullnameOverride: fubwSl +logging: + level: 4GjwwD +monitoring: + annotations: + dn7: Ed1FfDz + uj8: fVksEAUZ + enabled: false + labels: + OuMMzK: U + u67Epbv: bs83 + namespaceSelector: + matchNames: + - YfURCd + - pjn + scrapeInterval: -1243725h11m11.812387569s +nameOverride: pyCdF +service: + annotations: + uH: o + name: 37ihe +serviceAccount: + annotations: + "": 0h6QKRWo + ayiUDPgwgG9: Wh + create: true + name: zr1OY +storage: + volume: + - name: VzP + - name: B2c9ZE + volumeMounts: + - mountPath: H + mountPropagation: 繹Ó!矃oǷ;ŞV佬bĨ`惽鬾 + name: Pv + readOnly: true + subPath: ayluKt + subPathExpr: WSAQj + - mountPath: aJ + mountPropagation: '*灡毑Ŭĩ凭xʂ閪' + name: WOCY + readOnly: true + subPath: U3AsYVGQTA + subPathExpr: oS2EoO7q5 +test: + create: true +tolerations: +- effect: 灊ƌň + key: m4LJ7 + operator: ȁ溥洡Âƴ蘐ǎĽ懋冝幼埍Ré + tolerationSeconds: -5062975468014163162 + value: zvAp +- effect: 渊M璄劮椆 + key: AhabI + operator: ʀǏ3亚O + tolerationSeconds: -4592469483950966275 + value: "07" +- effect: 嶝¹総| + key: CAi + operator: s咴 + tolerationSeconds: -3369184239394783815 + value: n5 diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/testdata/template-cases.golden.txtar b/charts/redpanda/redpanda/5.9.2/charts/connectors/testdata/template-cases.golden.txtar new file mode 100644 index 000000000..d483171c8 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/testdata/template-cases.golden.txtar @@ -0,0 +1,10301 @@ +-- testdata/case-000.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: pO5m + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: pO5m + helm.sh/chart: connectors-0.1.12 + name: rpVz +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: pO5m + app.kubernetes.io/instance: console + app.kubernetes.io/name: pO5m + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: pO5m + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: pO5m + helm.sh/chart: connectors-0.1.12 + name: rpVz +spec: + progressDeadlineSeconds: 600 + replicas: null + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: pO5m + app.kubernetes.io/instance: console + app.kubernetes.io/name: pO5m + strategy: + type: RollingUpdate + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: pO5m + app.kubernetes.io/instance: console + app.kubernetes.io/name: pO5m + spec: + affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: pO5m + app.kubernetes.io/instance: console + app.kubernetes.io/name: pO5m + namespaces: + - default + topologyKey: kubernetes.io/hostname + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=8083 + rest.port=8083 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=connectors-cluster + offset.storage.topic=_internal_connectors_offsets + config.storage.topic=_internal_connectors_configs + status.storage.topic=_internal_connectors_status + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=1 + producer.batch.size=131072 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: "" + - name: CONNECT_BOOTSTRAP_SERVERS + value: "" + - name: CONNECT_GC_LOG_ENABLED + value: "false" + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx2G + - name: CONNECT_LOG_LEVEL + value: 0rksB2 + - name: CONNECT_TLS_ENABLED + value: "false" + envFrom: [] + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: connectors-cluster + ports: + - containerPort: 8083 + name: rest-api + protocol: TCP + - containerPort: 9404 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: 2 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 5 + resources: + limits: + cpu: "1" + memory: 2350Mi + requests: + cpu: "1" + memory: 2350Mi + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /tmp + name: rp-connect-tmp + dnsPolicy: ClusterFirst + imagePullSecrets: + - name: "Y" + - name: oCy + - name: M + nodeSelector: {} + restartPolicy: Always + schedulerName: "" + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + runAsUser: 101 + serviceAccountName: default + terminationGracePeriodSeconds: 30 + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: pO5m + app.kubernetes.io/instance: console + app.kubernetes.io/name: pO5m + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp +--- +# Source: connectors/templates/pod-monitor.yaml +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + annotations: {} + creationTimestamp: null + labels: + 5Fm2d5: 8GfL + HhgyOa: "1" + L9qHqt6R: LhlwQrUay + name: rpVz +spec: + namespaceSelector: + any: true + podMetricsEndpoints: + - bearerTokenSecret: + key: "" + path: / + port: prometheus + selector: + matchLabels: + app.kubernetes.io/component: pO5m + app.kubernetes.io/instance: console + app.kubernetes.io/name: pO5m +-- testdata/case-001.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: nZ + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: nZ + helm.sh/chart: connectors-0.1.12 + name: 5wkC +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: nZ + app.kubernetes.io/instance: console + app.kubernetes.io/name: nZ + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: nZ + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: nZ + helm.sh/chart: connectors-0.1.12 + name: WtC +spec: + progressDeadlineSeconds: 600 + replicas: null + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: nZ + app.kubernetes.io/instance: console + app.kubernetes.io/name: nZ + strategy: + type: RollingUpdate + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: nZ + app.kubernetes.io/instance: console + app.kubernetes.io/name: nZ + spec: + affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: nZ + app.kubernetes.io/instance: console + app.kubernetes.io/name: nZ + namespaces: + - default + topologyKey: kubernetes.io/hostname + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=8083 + rest.port=8083 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=connectors-cluster + offset.storage.topic=_internal_connectors_offsets + config.storage.topic=_internal_connectors_configs + status.storage.topic=_internal_connectors_status + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=1 + producer.batch.size=131072 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: "" + - name: CONNECT_BOOTSTRAP_SERVERS + value: "" + - name: CONNECT_GC_LOG_ENABLED + value: t1lDqf0PT8Xy + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx2G + - name: CONNECT_LOG_LEVEL + value: warn + - name: CONNECT_TLS_ENABLED + value: "false" + envFrom: [] + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: connectors-cluster + ports: + - containerPort: 8083 + name: rest-api + protocol: TCP + - containerPort: 9404 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: 2 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 5 + resources: + limits: + cpu: "1" + memory: 2350Mi + requests: + cpu: "1" + memory: 2350Mi + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /tmp + name: rp-connect-tmp + dnsPolicy: ClusterFirst + imagePullSecrets: [] + nodeSelector: {} + restartPolicy: Always + schedulerName: "" + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + runAsUser: 101 + serviceAccountName: default + terminationGracePeriodSeconds: 30 + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: nZ + app.kubernetes.io/instance: console + app.kubernetes.io/name: nZ + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp +-- testdata/case-002.yaml.golden -- +--- +# Source: connectors/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + gM: gxAdfFrD + creationTimestamp: null + labels: + app.kubernetes.io/component: ZZ5 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ZZ5 + helm.sh/chart: connectors-0.1.12 + name: AN + namespace: default +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: ZZ5 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ZZ5 + helm.sh/chart: connectors-0.1.12 + name: xp6vcIlb +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: ZZ5 + app.kubernetes.io/instance: console + app.kubernetes.io/name: ZZ5 + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: ZZ5 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ZZ5 + helm.sh/chart: connectors-0.1.12 + name: xp6vcIlb +spec: + progressDeadlineSeconds: 600 + replicas: null + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: ZZ5 + app.kubernetes.io/instance: console + app.kubernetes.io/name: ZZ5 + strategy: + type: RollingUpdate + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: ZZ5 + app.kubernetes.io/instance: console + app.kubernetes.io/name: ZZ5 + spec: + affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: ZZ5 + app.kubernetes.io/instance: console + app.kubernetes.io/name: ZZ5 + namespaces: + - default + topologyKey: kubernetes.io/hostname + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=8083 + rest.port=8083 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=connectors-cluster + offset.storage.topic=_internal_connectors_offsets + config.storage.topic=_internal_connectors_configs + status.storage.topic=_internal_connectors_status + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=1 + producer.batch.size=131072 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: "" + - name: CONNECT_BOOTSTRAP_SERVERS + value: "" + - name: CONNECT_GC_LOG_ENABLED + value: YUlcy4 + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx2G + - name: CONNECT_LOG_LEVEL + value: warn + - name: CONNECT_TLS_ENABLED + value: "false" + envFrom: [] + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: connectors-cluster + ports: + - containerPort: 8083 + name: rest-api + protocol: TCP + - containerPort: 9404 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: 2 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 5 + resources: + limits: + cpu: "1" + memory: 2350Mi + requests: + cpu: "1" + memory: 2350Mi + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: hVlmCfXmla + mountPropagation: ÇƭȊ餧鵣鋚蕛ʖ诂瑧)ɍĿ8šȪ轭ʌ倈 + name: 482T + readOnly: true + subPath: Un28M + subPathExpr: weDK9jo + - mountPath: YWN6OS + name: 5ijm8 + subPath: safiSmZ + - mountPath: MBW5 + name: ibiELmf2 + readOnly: true + subPath: E + subPathExpr: piX + dnsPolicy: ClusterFirst + imagePullSecrets: + - name: Tm0bmByz + - name: gSGPB + - name: 58yP + nodeSelector: {} + restartPolicy: Always + schedulerName: "" + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + runAsUser: 101 + serviceAccountName: AN + terminationGracePeriodSeconds: 30 + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: ZZ5 + app.kubernetes.io/instance: console + app.kubernetes.io/name: ZZ5 + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - name: AhJ +-- testdata/case-003.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: Wvpgs + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Wvpgs + helm.sh/chart: connectors-0.1.12 + name: kNrkCdEuw9V +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: Wvpgs + app.kubernetes.io/instance: console + app.kubernetes.io/name: Wvpgs + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: Wvpgs + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Wvpgs + helm.sh/chart: connectors-0.1.12 + name: kNrkCdEuw9V +spec: + progressDeadlineSeconds: 600 + replicas: null + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: Wvpgs + app.kubernetes.io/instance: console + app.kubernetes.io/name: Wvpgs + strategy: + type: RollingUpdate + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: Wvpgs + app.kubernetes.io/instance: console + app.kubernetes.io/name: Wvpgs + spec: + affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: Wvpgs + app.kubernetes.io/instance: console + app.kubernetes.io/name: Wvpgs + namespaces: + - default + topologyKey: kubernetes.io/hostname + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=8083 + rest.port=8083 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=connectors-cluster + offset.storage.topic=_internal_connectors_offsets + config.storage.topic=_internal_connectors_configs + status.storage.topic=_internal_connectors_status + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=1 + producer.batch.size=131072 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: "" + - name: CONNECT_BOOTSTRAP_SERVERS + value: "" + - name: CONNECT_GC_LOG_ENABLED + value: AGZOKrMs + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx2G + - name: CONNECT_LOG_LEVEL + value: s2fGu + - name: CONNECT_TLS_ENABLED + value: "false" + envFrom: [] + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: connectors-cluster + ports: + - containerPort: 8083 + name: rest-api + protocol: TCP + - containerPort: 9404 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: 2 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 5 + resources: + limits: + cpu: "1" + memory: 2350Mi + requests: + cpu: "1" + memory: 2350Mi + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /tmp + name: rp-connect-tmp + dnsPolicy: ClusterFirst + imagePullSecrets: + - name: QIa + - name: 9QE3ez + - name: np1QDs89l + nodeSelector: {} + restartPolicy: Always + schedulerName: "" + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + runAsUser: 101 + serviceAccountName: default + terminationGracePeriodSeconds: 30 + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: Wvpgs + app.kubernetes.io/instance: console + app.kubernetes.io/name: Wvpgs + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp +-- testdata/case-004.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: xhLPt0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: xhLPt0 + helm.sh/chart: connectors-0.1.12 + name: 74qyne +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: xhLPt0 + app.kubernetes.io/instance: console + app.kubernetes.io/name: xhLPt0 + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: xhLPt0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: xhLPt0 + helm.sh/chart: connectors-0.1.12 + name: 74qyne +spec: + progressDeadlineSeconds: 600 + replicas: null + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: xhLPt0 + app.kubernetes.io/instance: console + app.kubernetes.io/name: xhLPt0 + strategy: + type: RollingUpdate + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: xhLPt0 + app.kubernetes.io/instance: console + app.kubernetes.io/name: xhLPt0 + spec: + affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: xhLPt0 + app.kubernetes.io/instance: console + app.kubernetes.io/name: xhLPt0 + namespaces: + - default + topologyKey: kubernetes.io/hostname + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=8083 + rest.port=8083 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=connectors-cluster + offset.storage.topic=_internal_connectors_offsets + config.storage.topic=_internal_connectors_configs + status.storage.topic=_internal_connectors_status + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=1 + producer.batch.size=131072 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: "" + - name: CONNECT_BOOTSTRAP_SERVERS + value: "" + - name: CONNECT_GC_LOG_ENABLED + value: "false" + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx2G + - name: CONNECT_LOG_LEVEL + value: warn + - name: CONNECT_TLS_ENABLED + value: "false" + envFrom: [] + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: connectors-cluster + ports: + - containerPort: 8083 + name: rest-api + protocol: TCP + - containerPort: 9404 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: 2 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 5 + resources: + limits: + cpu: "1" + memory: 2350Mi + requests: + cpu: "1" + memory: 2350Mi + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /tmp + name: rp-connect-tmp + dnsPolicy: ClusterFirst + imagePullSecrets: + - name: lnn + nodeSelector: {} + restartPolicy: Always + schedulerName: "" + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + runAsUser: 101 + serviceAccountName: default + terminationGracePeriodSeconds: 30 + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: xhLPt0 + app.kubernetes.io/instance: console + app.kubernetes.io/name: xhLPt0 + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp +-- testdata/case-005.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: W + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: W + helm.sh/chart: connectors-0.1.12 + name: J +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: W + app.kubernetes.io/instance: console + app.kubernetes.io/name: W + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: W + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: W + helm.sh/chart: connectors-0.1.12 + name: J +spec: + progressDeadlineSeconds: 600 + replicas: null + revisionHistoryLimit: -544556764 + selector: + matchLabels: + app.kubernetes.io/component: W + app.kubernetes.io/instance: console + app.kubernetes.io/name: W + strategy: + type: AT9FgtX + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: W + app.kubernetes.io/instance: console + app.kubernetes.io/name: W + spec: + affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: W + app.kubernetes.io/instance: console + app.kubernetes.io/name: W + namespaces: + - default + topologyKey: kubernetes.io/hostname + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=8083 + rest.port=8083 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=connectors-cluster + offset.storage.topic=_internal_connectors_offsets + config.storage.topic=_internal_connectors_configs + status.storage.topic=_internal_connectors_status + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=1 + producer.batch.size=131072 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: "" + - name: CONNECT_BOOTSTRAP_SERVERS + value: "" + - name: CONNECT_GC_LOG_ENABLED + value: u12AMM + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx2G + - name: CONNECT_LOG_LEVEL + value: warn + - name: CONNECT_TLS_ENABLED + value: "false" + envFrom: [] + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: connectors-cluster + ports: + - containerPort: 8083 + name: rest-api + protocol: TCP + - containerPort: 9404 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: -321470157 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 1821796808 + periodSeconds: -469069323 + successThreshold: -1171276641 + timeoutSeconds: 1191785929 + resources: + limits: + cpu: "1" + memory: 2350Mi + requests: + cpu: "1" + memory: 2350Mi + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: 9hR6GGwna + name: f9h8iHd + subPath: u6UaQTj + subPathExpr: A13AGT + dnsPolicy: ClusterFirst + imagePullSecrets: [] + nodeSelector: + ppXWIa: yWFoE + restartPolicy: Always + schedulerName: Lwp + securityContext: + fsGroup: 101 + fsGroupChangePolicy: eĻȊ4愻' + runAsGroup: 7076055353387776000 + runAsUser: 1448978345039473400 + supplementalGroups: + - 6910305894952865000 + serviceAccountName: VLlCi + terminationGracePeriodSeconds: 1820238753 + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: W + app.kubernetes.io/instance: console + app.kubernetes.io/name: W + maxSkew: 0 + topologyKey: OAvMKg + whenUnsatisfiable: pasNu + - labelSelector: + matchLabels: + app.kubernetes.io/component: W + app.kubernetes.io/instance: console + app.kubernetes.io/name: W + maxSkew: 0 + topologyKey: izYRz + whenUnsatisfiable: V2RO2 + volumes: + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp +-- testdata/case-006.yaml.golden -- +--- +# Source: connectors/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + 2oUsUW: r + lx: u6Li342dNU + creationTimestamp: null + labels: + LvtMtyy: tvfxqD2lry + YC2zBn: OLSkBqQE + app.kubernetes.io/component: Vlci + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Vlci + helm.sh/chart: connectors-0.1.12 + m2DRq: cS + name: "7" + namespace: default +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + LvtMtyy: tvfxqD2lry + YC2zBn: OLSkBqQE + app.kubernetes.io/component: Vlci + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Vlci + helm.sh/chart: connectors-0.1.12 + m2DRq: cS + name: gkX +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + LvtMtyy: tvfxqD2lry + YC2zBn: OLSkBqQE + app.kubernetes.io/component: Vlci + app.kubernetes.io/instance: console + app.kubernetes.io/name: Vlci + m2DRq: cS + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + LvtMtyy: tvfxqD2lry + YC2zBn: OLSkBqQE + app.kubernetes.io/component: Vlci + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Vlci + helm.sh/chart: connectors-0.1.12 + m2DRq: cS + name: R93VG +spec: + progressDeadlineSeconds: 600 + replicas: null + revisionHistoryLimit: 10 + selector: + matchLabels: + LvtMtyy: tvfxqD2lry + YC2zBn: OLSkBqQE + app.kubernetes.io/component: Vlci + app.kubernetes.io/instance: console + app.kubernetes.io/name: Vlci + m2DRq: cS + strategy: + type: RollingUpdate + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + LvtMtyy: tvfxqD2lry + YC2zBn: OLSkBqQE + app.kubernetes.io/component: Vlci + app.kubernetes.io/instance: console + app.kubernetes.io/name: Vlci + m2DRq: cS + spec: + affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + LvtMtyy: tvfxqD2lry + YC2zBn: OLSkBqQE + app.kubernetes.io/component: Vlci + app.kubernetes.io/instance: console + app.kubernetes.io/name: Vlci + m2DRq: cS + namespaces: + - default + topologyKey: kubernetes.io/hostname + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=8083 + rest.port=8083 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=connectors-cluster + offset.storage.topic=_internal_connectors_offsets + config.storage.topic=_internal_connectors_configs + status.storage.topic=_internal_connectors_status + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=1 + producer.batch.size=131072 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: "" + - name: CONNECT_BOOTSTRAP_SERVERS + value: "" + - name: CONNECT_GC_LOG_ENABLED + value: "false" + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx2G + - name: CONNECT_LOG_LEVEL + value: 0aZ + - name: CONNECT_TLS_ENABLED + value: "false" + envFrom: [] + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: connectors-cluster + ports: + - containerPort: 8083 + name: rest-api + protocol: TCP + - containerPort: 9404 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: 2 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 5 + resources: + limits: + cpu: "1" + memory: 2350Mi + requests: + cpu: "1" + memory: 2350Mi + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /tmp + name: rp-connect-tmp + dnsPolicy: ClusterFirst + imagePullSecrets: [] + nodeSelector: {} + restartPolicy: Always + schedulerName: "" + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + runAsUser: 101 + serviceAccountName: "7" + terminationGracePeriodSeconds: 30 + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + LvtMtyy: tvfxqD2lry + YC2zBn: OLSkBqQE + app.kubernetes.io/component: Vlci + app.kubernetes.io/instance: console + app.kubernetes.io/name: Vlci + m2DRq: cS + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp +-- testdata/case-007.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: Gb7J7k + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Gb7J7k + helm.sh/chart: connectors-0.1.12 + name: 9PY0 +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: Gb7J7k + app.kubernetes.io/instance: console + app.kubernetes.io/name: Gb7J7k + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: Gb7J7k + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Gb7J7k + helm.sh/chart: connectors-0.1.12 + name: NUTO +spec: + progressDeadlineSeconds: 600 + replicas: null + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: Gb7J7k + app.kubernetes.io/instance: console + app.kubernetes.io/name: Gb7J7k + strategy: + type: RollingUpdate + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: Gb7J7k + app.kubernetes.io/instance: console + app.kubernetes.io/name: Gb7J7k + spec: + affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: Gb7J7k + app.kubernetes.io/instance: console + app.kubernetes.io/name: Gb7J7k + namespaces: + - default + topologyKey: kubernetes.io/hostname + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=8083 + rest.port=8083 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=y2 + offset.storage.topic=_internal_connectors_offsets + config.storage.topic=_internal_connectors_configs + status.storage.topic=_internal_connectors_status + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=1 + producer.batch.size=131072 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: ZQu + - name: CONNECT_BOOTSTRAP_SERVERS + value: ue + - name: SCHEMA_REGISTRY_URL + value: kS0A8GucOgn + - name: CONNECT_GC_LOG_ENABLED + value: "false" + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx2G + - name: CONNECT_LOG_LEVEL + value: n3s7 + - name: CONNECT_TLS_ENABLED + value: "false" + envFrom: [] + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: connectors-cluster + ports: + - containerPort: 8083 + name: rest-api + protocol: TCP + - containerPort: 9404 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: 2 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 5 + resources: + limits: + cpu: "1" + memory: 2350Mi + requests: + cpu: "1" + memory: 2350Mi + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /tmp + name: rp-connect-tmp + dnsPolicy: ClusterFirst + imagePullSecrets: [] + nodeSelector: {} + restartPolicy: Always + schedulerName: "" + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + runAsUser: 101 + serviceAccountName: default + terminationGracePeriodSeconds: 30 + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: Gb7J7k + app.kubernetes.io/instance: console + app.kubernetes.io/name: Gb7J7k + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp +-- testdata/case-008.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: tPhRiQRK + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tPhRiQRK + helm.sh/chart: connectors-0.1.12 + name: PNw8 +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: tPhRiQRK + app.kubernetes.io/instance: console + app.kubernetes.io/name: tPhRiQRK + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: tPhRiQRK + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tPhRiQRK + helm.sh/chart: connectors-0.1.12 + name: PNw8 +spec: + progressDeadlineSeconds: 467220788 + replicas: null + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: tPhRiQRK + app.kubernetes.io/instance: console + app.kubernetes.io/name: tPhRiQRK + strategy: + type: RollingUpdate + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: tPhRiQRK + app.kubernetes.io/instance: console + app.kubernetes.io/name: tPhRiQRK + spec: + affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: null + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=8083 + rest.port=8083 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=connectors-cluster + offset.storage.topic=_internal_connectors_offsets + config.storage.topic=_internal_connectors_configs + status.storage.topic=_internal_connectors_status + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=1 + producer.batch.size=131072 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: "" + - name: CONNECT_BOOTSTRAP_SERVERS + value: "" + - name: CONNECT_GC_LOG_ENABLED + value: pq3jgGoeY + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx2G + - name: CONNECT_LOG_LEVEL + value: warn + - name: CONNECT_TLS_ENABLED + value: "false" + envFrom: + - prefix: W + - prefix: 6Cgj + - prefix: YV + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: -1790317528 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: -853917423 + periodSeconds: 1730314559 + successThreshold: -1047272333 + timeoutSeconds: 478977165 + name: connectors-cluster + ports: + - containerPort: 8083 + name: rest-api + protocol: TCP + - containerPort: 9404 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: 2 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 5 + resources: + limits: + cpu: "1" + memory: 2350Mi + requests: + cpu: "1" + memory: 2350Mi + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /tmp + name: rp-connect-tmp + dnsPolicy: ClusterFirst + imagePullSecrets: + - name: EzI + - {} + - name: rjR6q + nodeSelector: {} + restartPolicy: Always + schedulerName: iVovlD + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + runAsUser: 101 + serviceAccountName: default + terminationGracePeriodSeconds: 1520290623 + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: tPhRiQRK + app.kubernetes.io/instance: console + app.kubernetes.io/name: tPhRiQRK + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp +-- testdata/case-009.yaml.golden -- +--- +# Source: connectors/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + LWQ09i: tiLdCrApld + v2D6hTB: NGlgEEm + creationTimestamp: null + labels: + app.kubernetes.io/component: wCD97n + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: wCD97n + helm.sh/chart: connectors-0.1.12 + name: eyeD + namespace: default +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: wCD97n + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: wCD97n + helm.sh/chart: connectors-0.1.12 + name: H +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: wCD97n + app.kubernetes.io/instance: console + app.kubernetes.io/name: wCD97n + sessionAffinity: None + type: ClusterIP +-- testdata/case-010.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: 9fz + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 9fz + cUt: YvDFEsYlU + g3hOh91HKI: CHwTjLYe2XS + h4yNA: fJL + helm.sh/chart: connectors-0.1.12 + name: LsGZn +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: 9fz + app.kubernetes.io/instance: console + app.kubernetes.io/name: 9fz + cUt: YvDFEsYlU + g3hOh91HKI: CHwTjLYe2XS + h4yNA: fJL + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: 9fz + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 9fz + cUt: YvDFEsYlU + g3hOh91HKI: CHwTjLYe2XS + h4yNA: fJL + helm.sh/chart: connectors-0.1.12 + name: LsGZn +spec: + progressDeadlineSeconds: 600 + replicas: null + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: 9fz + app.kubernetes.io/instance: console + app.kubernetes.io/name: 9fz + cUt: YvDFEsYlU + g3hOh91HKI: CHwTjLYe2XS + h4yNA: fJL + strategy: + type: RollingUpdate + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: 9fz + app.kubernetes.io/instance: console + app.kubernetes.io/name: 9fz + cUt: YvDFEsYlU + g3hOh91HKI: CHwTjLYe2XS + h4yNA: fJL + spec: + affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: 9fz + app.kubernetes.io/instance: console + app.kubernetes.io/name: 9fz + cUt: YvDFEsYlU + g3hOh91HKI: CHwTjLYe2XS + h4yNA: fJL + namespaces: + - default + topologyKey: kubernetes.io/hostname + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=8083 + rest.port=8083 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=connectors-cluster + offset.storage.topic=_internal_connectors_offsets + config.storage.topic=_internal_connectors_configs + status.storage.topic=_internal_connectors_status + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=1 + producer.batch.size=131072 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: "" + - name: CONNECT_BOOTSTRAP_SERVERS + value: "" + - name: CONNECT_GC_LOG_ENABLED + value: "" + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx2G + - name: CONNECT_LOG_LEVEL + value: warn + - name: CONNECT_TLS_ENABLED + value: "false" + envFrom: [] + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: connectors-cluster + ports: + - containerPort: 8083 + name: rest-api + protocol: TCP + - containerPort: 9404 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: 2 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 5 + resources: + limits: + cpu: "1" + memory: 2350Mi + requests: + cpu: "1" + memory: 2350Mi + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /tmp + name: rp-connect-tmp + dnsPolicy: ClusterFirst + imagePullSecrets: [] + nodeSelector: {} + restartPolicy: Always + schedulerName: "" + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + runAsUser: 101 + serviceAccountName: bZ1w2 + terminationGracePeriodSeconds: 30 + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: 9fz + app.kubernetes.io/instance: console + app.kubernetes.io/name: 9fz + cUt: YvDFEsYlU + g3hOh91HKI: CHwTjLYe2XS + h4yNA: fJL + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp +--- +# Source: connectors/templates/pod-monitor.yaml +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + annotations: {} + creationTimestamp: null + labels: + wsUYAN3C: BzMz48 + name: LsGZn +spec: + namespaceSelector: + any: true + podMetricsEndpoints: + - bearerTokenSecret: + key: "" + path: / + port: prometheus + selector: + matchLabels: + app.kubernetes.io/component: 9fz + app.kubernetes.io/instance: console + app.kubernetes.io/name: 9fz + cUt: YvDFEsYlU + g3hOh91HKI: CHwTjLYe2XS + h4yNA: fJL +-- testdata/case-011.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: xiBXju + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: xiBXju + bX: vmmkhH2NHvdt + helm.sh/chart: connectors-0.1.12 + mO: pT + name: etuP +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: xiBXju + app.kubernetes.io/instance: console + app.kubernetes.io/name: xiBXju + bX: vmmkhH2NHvdt + mO: pT + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: xiBXju + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: xiBXju + bX: vmmkhH2NHvdt + helm.sh/chart: connectors-0.1.12 + mO: pT + name: etuP +spec: + progressDeadlineSeconds: 600 + replicas: null + revisionHistoryLimit: -1010709730 + selector: + matchLabels: + app.kubernetes.io/component: xiBXju + app.kubernetes.io/instance: console + app.kubernetes.io/name: xiBXju + bX: vmmkhH2NHvdt + mO: pT + strategy: + type: XhI1Zz + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: xiBXju + app.kubernetes.io/instance: console + app.kubernetes.io/name: xiBXju + bX: vmmkhH2NHvdt + mO: pT + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchFields: + - key: qi12DQkzc + operator: 駣>蕐k泌蚮奘5d墥7Ȋ + values: + - Sp + weight: 1587628539 + podAffinity: {} + podAntiAffinity: null + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=8083 + rest.port=8083 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=X + offset.storage.topic=_internal_connectors_offsets + config.storage.topic=_internal_connectors_configs + status.storage.topic=_internal_connectors_status + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=1644100599 + producer.batch.size=606208011 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.secretsManager.class=com.github.jcustenborder.kafka.config.aws.SecretsManagerConfigProvider + config.providers.secretsManager.param.secret.prefix=TFKpuTTGy6JO572 + config.providers.secretsManager.param.aws.region=Zga57aiC + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: "" + - name: CONNECT_BOOTSTRAP_SERVERS + value: vucld + - name: SCHEMA_REGISTRY_URL + value: mGj8 + - name: CONNECT_GC_LOG_ENABLED + value: "false" + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx2G + - name: CONNECT_LOG_LEVEL + value: 20R9 + - name: CONNECT_SASL_USERNAME + value: 8MR9Bee + - name: CONNECT_SASL_MECHANISM + value: eTh + - name: CONNECT_SASL_PASSWORD_FILE + value: rc-credentials/password + - name: CONNECT_TLS_ENABLED + value: "false" + - name: CONNECT_TLS_AUTH_KEY + value: key/VT + - name: ogAtm + value: mJfm + - name: 2dTzgfH + value: sNiAP + valueFrom: + configMapKeyRef: + key: gSl56 + name: c + optional: true + resourceFieldRef: + containerName: AXKLF + divisor: "0" + resource: "" + - name: N1yV1 + value: nLSeqDK + envFrom: + - prefix: 9HB6W4t + secretRef: + name: NYC3bKPQWLc + optional: false + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: -757710692 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: -949475509 + periodSeconds: 1423942066 + successThreshold: 1080931760 + timeoutSeconds: -1902342435 + name: connectors-cluster + ports: + - containerPort: 8083 + name: rest-api + protocol: TCP + - containerPort: 9404 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: 2 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 5 + resources: + limits: + cpu: "1" + memory: 2350Mi + requests: + cpu: "1" + memory: 2350Mi + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /opt/kafka/connect-password/rc-credentials + name: rc-credentials + - mountPath: /opt/kafka/connect-certs/key + name: key + - mountPath: NIVHRdAc + name: BHPad + readOnly: true + subPath: z + subPathExpr: iwiB7uVoG + - mountPath: S6g7 + mountPropagation: $+g"訜駄 + name: 1iwfb + readOnly: true + subPath: 5XRI + subPathExpr: zNyXts + dnsPolicy: ClusterFirst + imagePullSecrets: [] + nodeSelector: {} + restartPolicy: Always + schedulerName: g + securityContext: + fsGroup: 101 + fsGroupChangePolicy: b + runAsUser: 101 + serviceAccountName: dr5NDVhU0W3x + terminationGracePeriodSeconds: 30 + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: xiBXju + app.kubernetes.io/instance: console + app.kubernetes.io/name: xiBXju + bX: vmmkhH2NHvdt + mO: pT + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - name: key + secret: + defaultMode: 292 + secretName: lz9QFe + - name: rc-credentials + secret: + defaultMode: 292 + secretName: H5TroU8 + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp +-- testdata/case-012.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: MexiU + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: MexiU + helm.sh/chart: connectors-0.1.12 + name: Ac +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: MexiU + app.kubernetes.io/instance: console + app.kubernetes.io/name: MexiU + sessionAffinity: None + type: ClusterIP +-- testdata/case-013.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: w8tCi3K + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: w8tCi3K + helm.sh/chart: connectors-0.1.12 + name: InI +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: w8tCi3K + app.kubernetes.io/instance: console + app.kubernetes.io/name: w8tCi3K + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/pod-monitor.yaml +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + annotations: {} + creationTimestamp: null + labels: {} + name: bAtOao +spec: + namespaceSelector: + any: true + podMetricsEndpoints: + - bearerTokenSecret: + key: "" + path: / + port: prometheus + selector: + matchLabels: + app.kubernetes.io/component: w8tCi3K + app.kubernetes.io/instance: console + app.kubernetes.io/name: w8tCi3K +-- testdata/case-014.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: dA1zsc + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: dA1zsc + helm.sh/chart: connectors-0.1.12 + name: u7DU +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: dA1zsc + app.kubernetes.io/instance: console + app.kubernetes.io/name: dA1zsc + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: dA1zsc + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: dA1zsc + helm.sh/chart: connectors-0.1.12 + name: u7DU +spec: + progressDeadlineSeconds: 600 + replicas: null + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: dA1zsc + app.kubernetes.io/instance: console + app.kubernetes.io/name: dA1zsc + strategy: + type: RollingUpdate + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: dA1zsc + app.kubernetes.io/instance: console + app.kubernetes.io/name: dA1zsc + spec: + affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: dA1zsc + app.kubernetes.io/instance: console + app.kubernetes.io/name: dA1zsc + namespaces: + - default + topologyKey: kubernetes.io/hostname + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=8083 + rest.port=8083 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=6AsORVCaYJ + offset.storage.topic=_internal_connectors_offsets + config.storage.topic=_internal_connectors_configs + status.storage.topic=_internal_connectors_status + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=1 + producer.batch.size=-831136974 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: E + - name: CONNECT_BOOTSTRAP_SERVERS + value: cywT8MNAo + - name: SCHEMA_REGISTRY_URL + value: cSf + - name: CONNECT_GC_LOG_ENABLED + value: "false" + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx2G + - name: CONNECT_LOG_LEVEL + value: warn + - name: CONNECT_TLS_ENABLED + value: "false" + envFrom: [] + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: connectors-cluster + ports: + - containerPort: 8083 + name: rest-api + protocol: TCP + - containerPort: 9404 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: 2 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 5 + resources: + limits: + cpu: "1" + memory: 2350Mi + requests: + cpu: "1" + memory: 2350Mi + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /tmp + name: rp-connect-tmp + dnsPolicy: ClusterFirst + imagePullSecrets: [] + nodeSelector: {} + restartPolicy: Always + schedulerName: "" + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + runAsUser: 101 + serviceAccountName: HAAJtAWrjJ + terminationGracePeriodSeconds: 30 + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: dA1zsc + app.kubernetes.io/instance: console + app.kubernetes.io/name: dA1zsc + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp +--- +# Source: connectors/templates/pod-monitor.yaml +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + annotations: {} + creationTimestamp: null + labels: + aVoQ7: vECqlu0Pe + name: u7DU +spec: + namespaceSelector: + any: true + matchNames: + - alQT6bxHho + - jKf + - p + podMetricsEndpoints: + - bearerTokenSecret: + key: "" + path: / + port: prometheus + selector: + matchLabels: + app.kubernetes.io/component: dA1zsc + app.kubernetes.io/instance: console + app.kubernetes.io/name: dA1zsc +-- testdata/case-015.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + 96Kx: 1DW5QoLP + LY: nDw + app.kubernetes.io/component: bpgtWxol + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: bpgtWxol + etW: "9" + helm.sh/chart: connectors-0.1.12 + name: x +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + 96Kx: 1DW5QoLP + LY: nDw + app.kubernetes.io/component: bpgtWxol + app.kubernetes.io/instance: console + app.kubernetes.io/name: bpgtWxol + etW: "9" + sessionAffinity: None + type: ClusterIP +-- testdata/case-016.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + IUeOwNT: T3w1nV + Si: dNUY + app.kubernetes.io/component: Cex3v + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Cex3v + helm.sh/chart: connectors-0.1.12 + name: B5Y +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: HzTtdut + port: 741893604 + protocol: TCP + targetPort: 741893604 + - name: yT6vYOdszF + port: -1916404761 + protocol: TCP + targetPort: -1916404761 + selector: + app.kubernetes.io/component: Cex3v + app.kubernetes.io/instance: console + app.kubernetes.io/name: Cex3v + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: Cex3v + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Cex3v + helm.sh/chart: connectors-0.1.12 + name: bGMfavR +spec: + progressDeadlineSeconds: 600 + replicas: null + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: Cex3v + app.kubernetes.io/instance: console + app.kubernetes.io/name: Cex3v + strategy: + type: RollingUpdate + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: Cex3v + app.kubernetes.io/instance: console + app.kubernetes.io/name: Cex3v + spec: + affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: Cex3v + app.kubernetes.io/instance: console + app.kubernetes.io/name: Cex3v + namespaces: + - default + topologyKey: kubernetes.io/hostname + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=8083 + rest.port=8083 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=connectors-cluster + offset.storage.topic=_internal_connectors_offsets + config.storage.topic=_internal_connectors_configs + status.storage.topic=_internal_connectors_status + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=1 + producer.batch.size=131072 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: "" + - name: CONNECT_BOOTSTRAP_SERVERS + value: "" + - name: CONNECT_GC_LOG_ENABLED + value: NSE + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx0 + - name: CONNECT_LOG_LEVEL + value: oj4P + - name: CONNECT_TLS_ENABLED + value: "false" + envFrom: [] + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: connectors-cluster + ports: + - containerPort: 8083 + name: rest-api + protocol: TCP + - containerPort: 741893604 + name: HzTtdut + protocol: TCP + - containerPort: -1916404761 + name: yT6vYOdszF + protocol: TCP + readinessProbe: + failureThreshold: 2 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 5 + resources: + limits: + cpu: "1" + memory: 2350Mi + requests: + cpu: "0" + memory: 2350Mi + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /tmp + name: rp-connect-tmp + dnsPolicy: ClusterFirst + imagePullSecrets: [] + nodeSelector: {} + restartPolicy: Always + schedulerName: "" + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + runAsUser: 101 + serviceAccountName: cxOBE + terminationGracePeriodSeconds: 30 + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: Cex3v + app.kubernetes.io/instance: console + app.kubernetes.io/name: Cex3v + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - name: X7ZZu + - name: KkkMA7 + - name: Btxy +-- testdata/case-017.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: DAE + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: DAE + helm.sh/chart: connectors-0.1.12 + wR: GAm + name: u1Dk +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: DAE + app.kubernetes.io/instance: console + app.kubernetes.io/name: DAE + wR: GAm + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: DAE + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: DAE + fet: YGwnq + helm.sh/chart: connectors-0.1.12 + wR: GAm + name: u1Dk +spec: + progressDeadlineSeconds: 444536561 + replicas: null + revisionHistoryLimit: 1418020237 + selector: + matchLabels: + app.kubernetes.io/component: DAE + app.kubernetes.io/instance: console + app.kubernetes.io/name: DAE + wR: GAm + strategy: + type: WVP1Q8 + template: + metadata: + annotations: + fet: YGwnq + creationTimestamp: null + labels: + app.kubernetes.io/component: DAE + app.kubernetes.io/instance: console + app.kubernetes.io/name: DAE + wR: GAm + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: "2" + operator: 箓Ęȁ銵鷝Ā喳Ăɀ} + - key: j + operator: ɓ + matchFields: + - key: "" + operator: vǃ鞳邪§Ț皾6 + - key: Yi7SzM + operator: Ǎ浹籥岷Ħ + values: + - Czu9d1V + - key: r6y + operator: 牁p认ð_蠡hHiÖq肓ǭʤe)ĉB扝 + - {} + podAffinity: {} + podAntiAffinity: null + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=8083 + rest.port=8083 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=hPUA1m7 + offset.storage.topic=n + config.storage.topic=Uf + status.storage.topic=kNLwla + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=-221329759 + producer.batch.size=1121174748 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.secretsManager.class=com.github.jcustenborder.kafka.config.aws.SecretsManagerConfigProvider + config.providers.secretsManager.param.secret.prefix=X1zPZ5Cv + config.providers.secretsManager.param.aws.region=LrK6I + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: ro5XOd9Tf + - name: CONNECT_BOOTSTRAP_SERVERS + value: RKH + - name: SCHEMA_REGISTRY_URL + value: dt2Vd1bTg + - name: CONNECT_GC_LOG_ENABLED + value: x3dH + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx0 + - name: CONNECT_LOG_LEVEL + value: warn + - name: CONNECT_TLS_ENABLED + value: "true" + - name: CONNECT_TLS_AUTH_CERT + value: cert/khTfK + - name: CONNECT_TLS_AUTH_KEY + value: key/u0 + envFrom: + - prefix: Ci6EGf + secretRef: + name: cDwbNN + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1181508047 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: -215289091 + periodSeconds: 918675027 + successThreshold: -1707139863 + timeoutSeconds: 1673866844 + name: connectors-cluster + ports: + - containerPort: 8083 + name: rest-api + protocol: TCP + - containerPort: 9404 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: -1832996555 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 877141221 + periodSeconds: 2102410645 + successThreshold: 1537121792 + timeoutSeconds: -2026548303 + resources: + limits: + cpu: "0" + memory: 2350Mi + requests: + cpu: "0" + memory: 2350Mi + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /opt/kafka/connect-certs/cert + name: cert + - mountPath: /opt/kafka/connect-certs/key + name: key + - mountPath: /tmp + name: rp-connect-tmp + dnsPolicy: ClusterFirst + imagePullSecrets: [] + nodeSelector: {} + restartPolicy: Always + schedulerName: FQjdKmjClI5B + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + runAsUser: 101 + serviceAccountName: zF + terminationGracePeriodSeconds: 1127207064 + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: DAE + app.kubernetes.io/instance: console + app.kubernetes.io/name: DAE + wR: GAm + maxSkew: -1487816419 + topologyKey: Mw7m + whenUnsatisfiable: "" + - labelSelector: + matchLabels: + app.kubernetes.io/component: DAE + app.kubernetes.io/instance: console + app.kubernetes.io/name: DAE + wR: GAm + maxSkew: -1469244889 + topologyKey: HuZRY + whenUnsatisfiable: NX + - labelSelector: + matchLabels: + app.kubernetes.io/component: DAE + app.kubernetes.io/instance: console + app.kubernetes.io/name: DAE + wR: GAm + maxSkew: -346884429 + topologyKey: xVWCd + whenUnsatisfiable: p + volumes: + - name: cert + secret: + defaultMode: 292 + secretName: qXwTCH + - name: key + secret: + defaultMode: 292 + secretName: OCzzkl + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp +-- testdata/case-018.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: C + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: C + helm.sh/chart: connectors-0.1.12 + name: CVJfMb +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 1476502274 + protocol: TCP + targetPort: 1476502274 + - name: DT + port: 0 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/component: C + app.kubernetes.io/instance: console + app.kubernetes.io/name: C + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: C + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: C + helm.sh/chart: connectors-0.1.12 + name: hX1VdtP7gp7c +spec: + progressDeadlineSeconds: 600 + replicas: null + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: C + app.kubernetes.io/instance: console + app.kubernetes.io/name: C + strategy: + type: RollingUpdate + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: C + app.kubernetes.io/instance: console + app.kubernetes.io/name: C + spec: + affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: C + app.kubernetes.io/instance: console + app.kubernetes.io/name: C + namespaces: + - default + topologyKey: kubernetes.io/hostname + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=1476502274 + rest.port=1476502274 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=m + offset.storage.topic=_internal_connectors_offsets + config.storage.topic=_internal_connectors_configs + status.storage.topic=_internal_connectors_status + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=-313398730 + producer.batch.size=1913291774 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: l3aLVX5 + - name: CONNECT_BOOTSTRAP_SERVERS + value: hj4Aab + - name: SCHEMA_REGISTRY_URL + value: nL5qOV + - name: CONNECT_GC_LOG_ENABLED + value: "false" + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx2G + - name: CONNECT_LOG_LEVEL + value: warn + - name: CONNECT_SASL_USERNAME + value: 1Iwn7 + - name: CONNECT_SASL_MECHANISM + value: VtLC5 + - name: CONNECT_SASL_PASSWORD_FILE + value: rc-credentials/password + - name: CONNECT_TLS_ENABLED + value: "false" + - name: CONNECT_TLS_AUTH_KEY + value: key/z4oRSGo + envFrom: [] + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: connectors-cluster + ports: + - containerPort: 1476502274 + name: rest-api + protocol: TCP + - containerPort: 0 + name: DT + protocol: TCP + readinessProbe: + failureThreshold: 2 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 5 + resources: + limits: + cpu: "1" + memory: 2350Mi + requests: + cpu: "1" + memory: 2350Mi + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /opt/kafka/connect-password/rc-credentials + name: rc-credentials + - mountPath: /opt/kafka/connect-certs/key + name: key + - mountPath: 5koRVhJz + mountPropagation: 穠耱誕Ȝ躰灬灺Ķ輔硯dzȦ1e蘄ò.o + name: 5lp + subPath: bEZmgVKO + subPathExpr: 5UCo6 + dnsPolicy: ClusterFirst + imagePullSecrets: + - name: W1 + nodeSelector: {} + restartPolicy: Always + schedulerName: "" + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + runAsUser: 101 + serviceAccountName: 3xqtRwRI + terminationGracePeriodSeconds: 30 + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: C + app.kubernetes.io/instance: console + app.kubernetes.io/name: C + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - name: key + secret: + defaultMode: 292 + secretName: Ee + - name: rc-credentials + secret: + defaultMode: 292 + secretName: ng2m + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp +-- testdata/case-019.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + 1sF: 45XnA + a1rMZK: Jzq + app.kubernetes.io/component: qQY + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: qQY + helm.sh/chart: connectors-0.1.12 + name: iPsih4 +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 2065008586 + protocol: TCP + targetPort: 2065008586 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + 1sF: 45XnA + a1rMZK: Jzq + app.kubernetes.io/component: qQY + app.kubernetes.io/instance: console + app.kubernetes.io/name: qQY + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + 1sF: 45XnA + a1rMZK: Jzq + app.kubernetes.io/component: qQY + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: qQY + helm.sh/chart: connectors-0.1.12 + name: S9NS5c +spec: + progressDeadlineSeconds: 600 + replicas: null + revisionHistoryLimit: -656791059 + selector: + matchLabels: + 1sF: 45XnA + a1rMZK: Jzq + app.kubernetes.io/component: qQY + app.kubernetes.io/instance: console + app.kubernetes.io/name: qQY + strategy: + type: RollingUpdate + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + 1sF: 45XnA + a1rMZK: Jzq + app.kubernetes.io/component: qQY + app.kubernetes.io/instance: console + app.kubernetes.io/name: qQY + spec: + affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: null + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=2065008586 + rest.port=2065008586 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=CL5YFuVD + offset.storage.topic=_internal_connectors_offsets + config.storage.topic=_internal_connectors_configs + status.storage.topic=_internal_connectors_status + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=-936976440 + producer.batch.size=131072 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.secretsManager.class=com.github.jcustenborder.kafka.config.aws.SecretsManagerConfigProvider + config.providers.secretsManager.param.secret.prefix=79Q + config.providers.secretsManager.param.aws.region=3EfPcaJPeL + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: "" + - name: CONNECT_BOOTSTRAP_SERVERS + value: ezzGY + - name: SCHEMA_REGISTRY_URL + value: XTAQJ + - name: CONNECT_GC_LOG_ENABLED + value: "false" + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx2G + - name: CONNECT_LOG_LEVEL + value: warn + - name: CONNECT_TLS_ENABLED + value: "false" + - name: s + value: q7x401sB3R + - name: p + value: Odn + valueFrom: + fieldRef: + apiVersion: Tmp29KLiQ5 + fieldPath: "2" + secretKeyRef: + key: RRlr0C + name: jx + - name: M + value: dHu2S + valueFrom: + configMapKeyRef: + key: YT + name: x84MM29Kc5u + optional: true + fieldRef: + apiVersion: AKdDlUG8v + fieldPath: wHCWO + envFrom: + - configMapRef: + name: MF8pnsf + optional: false + prefix: lT + secretRef: + name: W + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 832341066 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: -493754907 + periodSeconds: -888317874 + successThreshold: -1792385861 + timeoutSeconds: -359586002 + name: connectors-cluster + ports: + - containerPort: 2065008586 + name: rest-api + protocol: TCP + - containerPort: 9404 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: -2059548026 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 438569678 + periodSeconds: 2034323562 + successThreshold: -1007748590 + timeoutSeconds: -1489292970 + resources: + limits: + cpu: "1" + memory: 2350Mi + requests: + cpu: "1" + memory: 2350Mi + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /tmp + name: rp-connect-tmp + dnsPolicy: ClusterFirst + imagePullSecrets: [] + nodeSelector: {} + restartPolicy: Always + schedulerName: Wrjb3H + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + runAsUser: 101 + serviceAccountName: default + terminationGracePeriodSeconds: 30 + tolerations: + - effect: Ƿ闄 + key: O + operator: 鵉鼌q穋R譼驪妼擕`ƛ駴ň + tolerationSeconds: -8397972967079996000 + value: 1KZwe4 + topologySpreadConstraints: + - labelSelector: + matchLabels: + 1sF: 45XnA + a1rMZK: Jzq + app.kubernetes.io/component: qQY + app.kubernetes.io/instance: console + app.kubernetes.io/name: qQY + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp +-- testdata/case-020.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: kUuRn + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: kUuRn + helm.sh/chart: connectors-0.1.12 + name: IAukfjAiE +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: kUuRn + app.kubernetes.io/instance: console + app.kubernetes.io/name: kUuRn + sessionAffinity: None + type: ClusterIP +-- testdata/case-021.yaml.golden -- +--- +# Source: connectors/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + QvndcW2wD: JmD + creationTimestamp: null + labels: + 5D3dcbYcmq: bkcA + app.kubernetes.io/component: Cg + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Cg + helm.sh/chart: connectors-0.1.12 + "y": TxHhxVY2tRx1i + name: ABdKo + namespace: default +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + 5D3dcbYcmq: bkcA + app.kubernetes.io/component: Cg + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Cg + g: Haj2trb + helm.sh/chart: connectors-0.1.12 + nQCD85u: 7ENE + "y": TxHhxVY2tRx1i + name: kt3xi +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: ZD6QnCdlL + port: 0 + protocol: TCP + targetPort: 0 + - name: kUQU + port: 0 + protocol: TCP + targetPort: 0 + selector: + 5D3dcbYcmq: bkcA + app.kubernetes.io/component: Cg + app.kubernetes.io/instance: console + app.kubernetes.io/name: Cg + "y": TxHhxVY2tRx1i + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + 5D3dcbYcmq: bkcA + "8": 6L8d + app.kubernetes.io/component: Cg + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Cg + helm.sh/chart: connectors-0.1.12 + "y": TxHhxVY2tRx1i + name: console-Cg +spec: + progressDeadlineSeconds: 741558819 + replicas: null + revisionHistoryLimit: 1560482462 + selector: + matchLabels: + 5D3dcbYcmq: bkcA + app.kubernetes.io/component: Cg + app.kubernetes.io/instance: console + app.kubernetes.io/name: Cg + "y": TxHhxVY2tRx1i + strategy: + type: "9" + template: + metadata: + annotations: + "8": 6L8d + creationTimestamp: null + labels: + 5D3dcbYcmq: bkcA + app.kubernetes.io/component: Cg + app.kubernetes.io/instance: console + app.kubernetes.io/name: Cg + "y": TxHhxVY2tRx1i + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: j3g + operator: ŷǘȵiì渭ʫ抁Ğŋ + values: + - DJoN22 + - 4Kszk + - key: KYKZgrf + operator: 櫮ƣ+Ź藦vď蔸聺3vMʪ + matchFields: + - key: di6 + operator: ɫ0l5璠û介ɗ蟦ǘ厁ɂh磊 + values: + - ct + - 3e + - YICL + weight: 1941396141 + - preference: + matchExpressions: + - key: PRs0G0 + operator: ©MʥȩɅ2ď鏓 + - key: L83 + operator: °¥¶ĕ焲粮剚e喏鑝梋ƃ5~Ìnidž + matchFields: + - key: 78fF + operator: =ŞŽ熧曪ń + weight: 1964511070 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchFields: + - key: AHvs + operator: ɵȝʩm幃 + - key: 0ac + operator: MWæ諒鸠 + - {} + - matchExpressions: + - key: wRdw + operator: VP萺鵷 + - key: "" + operator: x + values: + - Fx + - I1rNR + - key: JZ + operator: 訖 + podAffinity: {} + podAntiAffinity: null + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=8083 + rest.port=8083 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=eOkhi4 + offset.storage.topic=IK4 + config.storage.topic=EI + status.storage.topic=WIZGj + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=true + status.storage.redpanda.remote.read=true + status.storage.redpanda.remote.write=true + offset.storage.replication.factor=-1901393869 + config.storage.replication.factor=-1860412640 + status.storage.replication.factor=-4761328 + producer.linger.ms=-1955065214 + producer.batch.size=-500780400 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: jzE + - name: CONNECT_BOOTSTRAP_SERVERS + value: as60 + - name: SCHEMA_REGISTRY_URL + value: Jrt + - name: CONNECT_GC_LOG_ENABLED + value: HG + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx2G + - name: CONNECT_LOG_LEVEL + value: rb + - name: CONNECT_TLS_ENABLED + value: "false" + - name: CONNECT_TRUSTED_CERTS + value: ca/fifa + - name: CONNECT_TLS_AUTH_CERT + value: cert/MY5Ss + - name: mbyKA5WPoY + value: bhMRx + envFrom: + - configMapRef: + name: e7KgN9ff + optional: false + prefix: ug4D + secretRef: + name: CzuiueSY + optional: false + - configMapRef: + name: TlIbaiI + optional: true + prefix: I + - configMapRef: + name: IuBuoY8u5xD1D7 + optional: false + prefix: 2xqoZ + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: connectors-cluster + ports: + - containerPort: 8083 + name: rest-api + protocol: TCP + - containerPort: 0 + name: ZD6QnCdlL + protocol: TCP + - containerPort: 0 + name: kUQU + protocol: TCP + readinessProbe: + failureThreshold: 137175425 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 385463317 + periodSeconds: 1814148060 + successThreshold: -2130595018 + timeoutSeconds: -1983859400 + resources: + limits: + cpu: "0" + memory: "0" + requests: + cpu: "1" + memory: "0" + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /opt/kafka/connect-certs/ca + name: truststore + - mountPath: /opt/kafka/connect-certs/cert + name: cert + - mountPath: /tmp + name: rp-connect-tmp + dnsPolicy: ClusterFirst + imagePullSecrets: + - name: kq1gha8w + - {} + nodeSelector: + 88m: ofL96viVG + lM: uR4 + restartPolicy: 奡ʄ臔ȁ + schedulerName: v + securityContext: + fsGroup: 2775178225296577500 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: -873168801110302200 + runAsNonRoot: true + runAsUser: -8949664932683741000 + sysctls: + - name: u + value: 0mDq + - name: UDLOQRVGXH + value: "" + - name: eakEWdkHQ + value: UWw + serviceAccountName: ABdKo + terminationGracePeriodSeconds: 1135949557 + tolerations: + - effect: ɖ + key: lzvKb + operator: V毣«mpAp餂ĵ$İƊ俊ĺ + tolerationSeconds: 1365476841054063900 + value: HqnJ8gfT + - effect: T鏚裦黂 + key: vgU + operator: 訹gǷ×婚ǀ + tolerationSeconds: -8509532606436755000 + value: KI + - effect: ?遗x + key: 6fxivUhl + operator: KŸȘ绒Nj赤 + value: mK2Hz + topologySpreadConstraints: + - labelSelector: + matchLabels: + 5D3dcbYcmq: bkcA + app.kubernetes.io/component: Cg + app.kubernetes.io/instance: console + app.kubernetes.io/name: Cg + "y": TxHhxVY2tRx1i + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - name: truststore + secret: + defaultMode: 292 + secretName: BmRMpc + - name: cert + secret: + defaultMode: 292 + secretName: gy7g + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp +-- testdata/case-022.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + 3T: w2SpAA6br + I758z7Cf: 6V + JvnbWUk: pPMb + app.kubernetes.io/component: 6MJPA + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 6MJPA + helm.sh/chart: connectors-0.1.12 + name: x4Vu7vj +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: G4 + port: -201865350 + protocol: TCP + targetPort: -201865350 + selector: + 3T: w2SpAA6br + I758z7Cf: 6V + JvnbWUk: pPMb + app.kubernetes.io/component: 6MJPA + app.kubernetes.io/instance: console + app.kubernetes.io/name: 6MJPA + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + 3T: w2SpAA6br + I758z7Cf: 6V + JvnbWUk: pPMb + app.kubernetes.io/component: 6MJPA + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 6MJPA + helm.sh/chart: connectors-0.1.12 + name: cZ4G4 +spec: + progressDeadlineSeconds: 457348204 + replicas: null + revisionHistoryLimit: -700610054 + selector: + matchLabels: + 3T: w2SpAA6br + I758z7Cf: 6V + JvnbWUk: pPMb + app.kubernetes.io/component: 6MJPA + app.kubernetes.io/instance: console + app.kubernetes.io/name: 6MJPA + strategy: + type: IbrqLLHodX + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + 3T: w2SpAA6br + I758z7Cf: 6V + JvnbWUk: pPMb + app.kubernetes.io/component: 6MJPA + app.kubernetes.io/instance: console + app.kubernetes.io/name: 6MJPA + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: Ro3T + operator: aĒĴŪ*3ɀ 币6鳴Ã偯d?A`åȏ + - key: 7XExK + operator: 濻舒^T莄1Â]葉 + values: + - A61yP5MBIRlE + - PvGUE + - 3dEaVo + - key: cLddzEo + operator: 櫜毉FÊi嶙# + matchFields: + - key: 5d + operator: 葜.¼v詝擽Ĉ + - key: WSMmbygG + operator: "" + weight: 1129540323 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kwkzOO8tl + operator: ']勋Į掬+' + matchFields: + - key: CQBwi20 + operator: 餞ǚe%Af埧Q哝窓煰 + - key: 9dTBxx + operator: Ĉ|^ + - matchFields: + - key: "" + operator: Á捛ɬĿ脦ǒĈ闲F秿翕卫Ŷ~?ʞŷȎ + values: + - Lg + - key: "42" + operator: 瞍 + values: + - QQMQ + - matchExpressions: + - key: en + operator: HË熙軯-ȓ簩羗č ʏ栽竬熄s)Ó鸰 + - key: Gc9Ntp + operator: "" + matchFields: + - key: 2ZLK4z1 + operator: 捚n匸竟-6ȐÒƑ|ʁĄEʕȘ + values: + - 0GiQ + - FI + - iXXs3k + - key: uujaIM5Y0Eo + operator: Āũ7 + podAffinity: {} + podAntiAffinity: null + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=8083 + rest.port=8083 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=3SgngS9vl + offset.storage.topic=_internal_connectors_offsets + config.storage.topic=_internal_connectors_configs + status.storage.topic=_internal_connectors_status + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=1 + producer.batch.size=889009746 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: faRWi + - name: CONNECT_BOOTSTRAP_SERVERS + value: XngcT + - name: SCHEMA_REGISTRY_URL + value: b4VVbJxS + - name: CONNECT_GC_LOG_ENABLED + value: "false" + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx2G + - name: CONNECT_LOG_LEVEL + value: warn + - name: CONNECT_TLS_ENABLED + value: "true" + - name: CONNECT_TRUSTED_CERTS + value: ca/MDvyt3bw + - name: CONNECT_TLS_AUTH_CERT + value: cert/LP7Pcx1xGT + envFrom: [] + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: connectors-cluster + ports: + - containerPort: 8083 + name: rest-api + protocol: TCP + - containerPort: -201865350 + name: G4 + protocol: TCP + readinessProbe: + failureThreshold: 511258221 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 948711230 + periodSeconds: 19027716 + successThreshold: -1810396970 + timeoutSeconds: 1797719976 + resources: + limits: + cpu: "1" + memory: 2350Mi + requests: + cpu: "1" + memory: 2350Mi + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /opt/kafka/connect-certs/ca + name: truststore + - mountPath: /opt/kafka/connect-certs/cert + name: cert + - mountPath: /tmp + name: rp-connect-tmp + dnsPolicy: ClusterFirst + imagePullSecrets: [] + nodeSelector: {} + restartPolicy: Always + schedulerName: 6Fuyr + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + runAsUser: 101 + serviceAccountName: default + terminationGracePeriodSeconds: 1222617058 + tolerations: + - key: 9v + operator: ƱSjc(ϼ霌ʒ酁2Ɣ8kRâ + tolerationSeconds: 699537150416724600 + value: w8QXL + - effect: 旼`BȞ*ąɦ纇åʝ + key: vj3BwiVyW1t + operator: 鼦詡dƅ + tolerationSeconds: -9093487529989850000 + value: i8Agp + topologySpreadConstraints: + - labelSelector: + matchLabels: + 3T: w2SpAA6br + I758z7Cf: 6V + JvnbWUk: pPMb + app.kubernetes.io/component: 6MJPA + app.kubernetes.io/instance: console + app.kubernetes.io/name: 6MJPA + maxSkew: 0 + topologyKey: AFVo + whenUnsatisfiable: M4 + - labelSelector: + matchLabels: + 3T: w2SpAA6br + I758z7Cf: 6V + JvnbWUk: pPMb + app.kubernetes.io/component: 6MJPA + app.kubernetes.io/instance: console + app.kubernetes.io/name: 6MJPA + maxSkew: -1157554939 + topologyKey: oF + whenUnsatisfiable: juzJPaV2L03 + - labelSelector: + matchLabels: + 3T: w2SpAA6br + I758z7Cf: 6V + JvnbWUk: pPMb + app.kubernetes.io/component: 6MJPA + app.kubernetes.io/instance: console + app.kubernetes.io/name: 6MJPA + maxSkew: 0 + topologyKey: P6ooy + whenUnsatisfiable: svPI + volumes: + - name: truststore + secret: + defaultMode: 292 + secretName: b809b + - name: cert + secret: + defaultMode: 292 + secretName: Gg + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp +--- +# Source: connectors/templates/pod-monitor.yaml +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + annotations: {} + creationTimestamp: null + labels: + Eedv: 65ZfBI + name: cZ4G4 +spec: + namespaceSelector: + any: true + podMetricsEndpoints: + - bearerTokenSecret: + key: "" + path: / + port: prometheus + selector: + matchLabels: + 3T: w2SpAA6br + I758z7Cf: 6V + JvnbWUk: pPMb + app.kubernetes.io/component: 6MJPA + app.kubernetes.io/instance: console + app.kubernetes.io/name: 6MJPA +-- testdata/case-023.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: ZI341xw + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ZI341xw + helm.sh/chart: connectors-0.1.12 + name: 9tds +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: ZI341xw + app.kubernetes.io/instance: console + app.kubernetes.io/name: ZI341xw + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: ZI341xw + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ZI341xw + helm.sh/chart: connectors-0.1.12 + name: 9tds +spec: + progressDeadlineSeconds: 600 + replicas: null + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: ZI341xw + app.kubernetes.io/instance: console + app.kubernetes.io/name: ZI341xw + strategy: + type: RollingUpdate + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: ZI341xw + app.kubernetes.io/instance: console + app.kubernetes.io/name: ZI341xw + spec: + affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: ZI341xw + app.kubernetes.io/instance: console + app.kubernetes.io/name: ZI341xw + namespaces: + - default + topologyKey: kubernetes.io/hostname + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=8083 + rest.port=8083 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=connectors-cluster + offset.storage.topic=_internal_connectors_offsets + config.storage.topic=_internal_connectors_configs + status.storage.topic=_internal_connectors_status + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=1 + producer.batch.size=131072 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: "" + - name: CONNECT_BOOTSTRAP_SERVERS + value: "" + - name: CONNECT_GC_LOG_ENABLED + value: t7nvcU + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx2G + - name: CONNECT_LOG_LEVEL + value: bP + - name: CONNECT_TLS_ENABLED + value: "false" + envFrom: [] + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: connectors-cluster + ports: + - containerPort: 8083 + name: rest-api + protocol: TCP + - containerPort: 9404 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: 2 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 5 + resources: + limits: + cpu: "0" + memory: "0" + requests: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: YeET3weL4N8g + mountPropagation: d/嬈Ñ內q謯ƶ8ɳƓ肵 + name: ssEfPGv8 + readOnly: true + subPath: "7" + dnsPolicy: ClusterFirst + imagePullSecrets: + - name: t + - name: 9jeO + - name: h + nodeSelector: {} + restartPolicy: Always + schedulerName: "" + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + runAsUser: 101 + serviceAccountName: TIG + terminationGracePeriodSeconds: 30 + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: ZI341xw + app.kubernetes.io/instance: console + app.kubernetes.io/name: ZI341xw + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - name: naPNMJ +-- testdata/case-024.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: Y47 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Y47 + helm.sh/chart: connectors-0.1.12 + name: e4W +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: -1930935263 + protocol: TCP + targetPort: -1930935263 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: Y47 + app.kubernetes.io/instance: console + app.kubernetes.io/name: Y47 + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + FU4J: "" + HJZjva: jC8uET + app.kubernetes.io/component: Y47 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Y47 + helm.sh/chart: connectors-0.1.12 + name: e4W +spec: + progressDeadlineSeconds: 5438195 + replicas: null + revisionHistoryLimit: -2103181148 + selector: + matchLabels: + app.kubernetes.io/component: Y47 + app.kubernetes.io/instance: console + app.kubernetes.io/name: Y47 + strategy: + type: 7Ma6SKn + template: + metadata: + annotations: + FU4J: "" + HJZjva: jC8uET + creationTimestamp: null + labels: + app.kubernetes.io/component: Y47 + app.kubernetes.io/instance: console + app.kubernetes.io/name: Y47 + spec: + affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: null + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=-1930935263 + rest.port=-1930935263 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=d + offset.storage.topic=_internal_connectors_offsets + config.storage.topic=_internal_connectors_configs + status.storage.topic=_internal_connectors_status + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=714735160 + producer.batch.size=1166879364 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: LWHk + - name: CONNECT_BOOTSTRAP_SERVERS + value: jn + - name: SCHEMA_REGISTRY_URL + value: sz + - name: CONNECT_GC_LOG_ENABLED + value: XS5 + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx0 + - name: CONNECT_LOG_LEVEL + value: i1QoQHfki73v + - name: CONNECT_TLS_ENABLED + value: "true" + - name: CONNECT_TRUSTED_CERTS + value: ca/qv + envFrom: [] + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: -1400952913 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 1536143416 + periodSeconds: -971919376 + successThreshold: 1841265139 + timeoutSeconds: 1519706329 + name: connectors-cluster + ports: + - containerPort: -1930935263 + name: rest-api + protocol: TCP + - containerPort: 9404 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: 2057031608 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 1457702974 + periodSeconds: -1732886 + successThreshold: -723791053 + timeoutSeconds: -547087401 + resources: + limits: + cpu: "0" + memory: "0" + requests: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /opt/kafka/connect-certs/ca + name: truststore + - mountPath: /tmp + name: rp-connect-tmp + dnsPolicy: ClusterFirst + imagePullSecrets: [] + nodeSelector: + ZBtz30: MaN + wEyS43Wq6sS: A + restartPolicy: Always + schedulerName: tXdQ7X + securityContext: + fsGroup: -1024384248472849700 + fsGroupChangePolicy: OnRootMismatch + runAsNonRoot: false + runAsUser: -2673836885766821000 + sysctls: + - name: z + value: 1Xx7BcpTtc + - name: ik + value: mn7hZ2O + - name: 0tRcSAR + value: s3Fmk + serviceAccountName: AepmYU + terminationGracePeriodSeconds: 1680781404 + tolerations: + - effect: '[Ȝ%1@拌魋?>Q[' + key: CM6To + operator: ȫƤP箴ɉ戮嗯嬑lwĶƼ§ʜ + tolerationSeconds: -4298573611145221600 + value: ERnxlMnsbt + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: Y47 + app.kubernetes.io/instance: console + app.kubernetes.io/name: Y47 + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - name: truststore + secret: + defaultMode: 292 + secretName: LRHozVF + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp +-- testdata/case-025.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + VGEccN: 1S6Om + app.kubernetes.io/component: z3C + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: z3C + helm.sh/chart: connectors-0.1.12 + name: UFYrvO +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: -1355681307 + protocol: TCP + targetPort: -1355681307 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + VGEccN: 1S6Om + app.kubernetes.io/component: z3C + app.kubernetes.io/instance: console + app.kubernetes.io/name: z3C + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + VGEccN: 1S6Om + app.kubernetes.io/component: z3C + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: z3C + helm.sh/chart: connectors-0.1.12 + p7R: EjfLOeG + th6: enWXwqe + name: uv4tHoO +spec: + progressDeadlineSeconds: 202187696 + replicas: null + revisionHistoryLimit: 1394995435 + selector: + matchLabels: + VGEccN: 1S6Om + app.kubernetes.io/component: z3C + app.kubernetes.io/instance: console + app.kubernetes.io/name: z3C + strategy: + type: RollingUpdate + template: + metadata: + annotations: + p7R: EjfLOeG + th6: enWXwqe + creationTimestamp: null + labels: + VGEccN: 1S6Om + app.kubernetes.io/component: z3C + app.kubernetes.io/instance: console + app.kubernetes.io/name: z3C + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchFields: + - key: 6nwZP6 + operator: 乆`Eɪ妶窓o黥屢! + values: + - cJtx + weight: -559166881 + - preference: + matchExpressions: + - key: eyw69 + operator: 獶ʎ^ȁ耦ǚy蝸殽虄X敉${ + values: + - cLTjur + - Ab + - key: iMnx + operator: ßljƨb委揋ǖyǭɮHɋȱ钵瑴= + values: + - oTbQw + matchFields: + - key: peZc + operator: 韨醤H3擅ĭýǚɃ氤徣»嬞籍* + - key: BwW + operator: "" + values: + - lj0f + - key: RTfBwhMV7h + operator: 愐哣碍clȲ + weight: 1712242968 + podAffinity: {} + podAntiAffinity: null + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=-1355681307 + rest.port=-1355681307 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=2Fy + offset.storage.topic=_internal_connectors_offsets + config.storage.topic=_internal_connectors_configs + status.storage.topic=_internal_connectors_status + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=1 + producer.batch.size=131072 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: "n" + - name: CONNECT_BOOTSTRAP_SERVERS + value: JhxRF4 + - name: SCHEMA_REGISTRY_URL + value: 9uSqcQk + - name: CONNECT_GC_LOG_ENABLED + value: TmzFHzZvwn + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx2G + - name: CONNECT_LOG_LEVEL + value: warn + - name: CONNECT_TLS_ENABLED + value: "false" + - name: 5j0yE + value: O9bMi + valueFrom: + configMapKeyRef: + key: byf25 + name: RIZv + optional: false + fieldRef: + apiVersion: NrtU + fieldPath: 3LC + resourceFieldRef: + containerName: AjmWfg6HqMgn + divisor: "0" + resource: OV + - name: 6hTC + value: r + valueFrom: + configMapKeyRef: + key: 0u + name: 7xxySBjT + optional: true + resourceFieldRef: + containerName: qAO + divisor: "0" + resource: XP + envFrom: + - configMapRef: + name: uLvK + optional: false + prefix: 2Ij + secretRef: + name: leDGyXv + optional: true + - configMapRef: + name: GK + prefix: dCB + secretRef: + name: u + optional: false + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: -94764338 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 407315123 + periodSeconds: 165966784 + successThreshold: 970096625 + timeoutSeconds: 2091942472 + name: connectors-cluster + ports: + - containerPort: -1355681307 + name: rest-api + protocol: TCP + - containerPort: 9404 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: 1857603986 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: -1402792412 + periodSeconds: 879643685 + successThreshold: 1435235361 + timeoutSeconds: 1464897550 + resources: + limits: + cpu: "1" + memory: "0" + requests: + cpu: "1" + memory: 2350Mi + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /tmp + name: rp-connect-tmp + dnsPolicy: ClusterFirst + imagePullSecrets: + - name: wd + - name: O + nodeSelector: {} + restartPolicy: '{悛Qª槟ĈW得蹏淂專驁sēɹƐ軋剭' + schedulerName: aA + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + runAsUser: 101 + serviceAccountName: default + terminationGracePeriodSeconds: 30 + tolerations: + - effect: cȩ飙 + key: 4Y9saWpr + operator: 輋ƾ跴Ȫ徐1Aǡ{gm櫩茻 + value: yI4k + topologySpreadConstraints: + - labelSelector: + matchLabels: + VGEccN: 1S6Om + app.kubernetes.io/component: z3C + app.kubernetes.io/instance: console + app.kubernetes.io/name: z3C + maxSkew: 425976069 + topologyKey: aThb + whenUnsatisfiable: G + volumes: + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp +--- +# Source: connectors/templates/pod-monitor.yaml +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + annotations: + hvh: "" + mDK0: OWEQ0y + zpG: XWCs + creationTimestamp: null + labels: + Ie5J5: fYnrHO + YkM4u7v: iTjIow + iP2Di: ptlD2Xuar + name: uv4tHoO +spec: + namespaceSelector: + any: true + matchNames: + - 9LShi + - klNT12U + - 9e + podMetricsEndpoints: + - bearerTokenSecret: + key: "" + path: / + port: prometheus + selector: + matchLabels: + VGEccN: 1S6Om + app.kubernetes.io/component: z3C + app.kubernetes.io/instance: console + app.kubernetes.io/name: z3C +-- testdata/case-026.yaml.golden -- +--- +# Source: connectors/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: ATJ + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ATJ + helm.sh/chart: connectors-0.1.12 + op: VnL9o7 + name: jmzfCmHq + namespace: default +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: ATJ + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ATJ + helm.sh/chart: connectors-0.1.12 + op: VnL9o7 + name: XfK7 +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: ATJ + app.kubernetes.io/instance: console + app.kubernetes.io/name: ATJ + op: VnL9o7 + sessionAffinity: None + type: ClusterIP +-- testdata/case-027.yaml.golden -- +--- +# Source: connectors/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + N7gZ: ExrpJkw + PD23ZYO: jlj + creationTimestamp: null + labels: + LuCiH: SWR3zOt + app.kubernetes.io/component: ffe2 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ffe2 + helm.sh/chart: connectors-0.1.12 + name: maeWLc + namespace: default +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + JXMpPkd: YoI + LuCiH: SWR3zOt + Z: DVS9WjadC + app.kubernetes.io/component: ffe2 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ffe2 + helm.sh/chart: connectors-0.1.12 + name: uSz +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + LuCiH: SWR3zOt + app.kubernetes.io/component: ffe2 + app.kubernetes.io/instance: console + app.kubernetes.io/name: ffe2 + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + LuCiH: SWR3zOt + app.kubernetes.io/component: ffe2 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ffe2 + helm.sh/chart: connectors-0.1.12 + name: OL1 +spec: + progressDeadlineSeconds: 600 + replicas: null + revisionHistoryLimit: 10 + selector: + matchLabels: + LuCiH: SWR3zOt + app.kubernetes.io/component: ffe2 + app.kubernetes.io/instance: console + app.kubernetes.io/name: ffe2 + strategy: + type: RollingUpdate + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + LuCiH: SWR3zOt + app.kubernetes.io/component: ffe2 + app.kubernetes.io/instance: console + app.kubernetes.io/name: ffe2 + spec: + affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + LuCiH: SWR3zOt + app.kubernetes.io/component: ffe2 + app.kubernetes.io/instance: console + app.kubernetes.io/name: ffe2 + namespaces: + - default + topologyKey: kubernetes.io/hostname + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=8083 + rest.port=8083 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=connectors-cluster + offset.storage.topic=_internal_connectors_offsets + config.storage.topic=_internal_connectors_configs + status.storage.topic=_internal_connectors_status + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=1 + producer.batch.size=131072 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: "" + - name: CONNECT_BOOTSTRAP_SERVERS + value: "" + - name: CONNECT_GC_LOG_ENABLED + value: Rk2lueKjUZ + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx0 + - name: CONNECT_LOG_LEVEL + value: warn + - name: CONNECT_TLS_ENABLED + value: "false" + envFrom: [] + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: connectors-cluster + ports: + - containerPort: 8083 + name: rest-api + protocol: TCP + - containerPort: 9404 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: 2 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 5 + resources: + limits: + cpu: "0" + memory: 2350Mi + requests: + cpu: "1" + memory: "0" + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: RDO + mountPropagation: 縖ʯLj觻ĶR腉赙CèS咍Xz + name: NFJO + readOnly: true + subPath: i4tgwgPir + subPathExpr: 8C3d4ln + - mountPath: I + mountPropagation: "" + name: okJHlIlhWWGN + subPath: UQu + subPathExpr: 1D7d + dnsPolicy: ClusterFirst + imagePullSecrets: [] + nodeSelector: {} + restartPolicy: Always + schedulerName: "" + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + runAsUser: 101 + serviceAccountName: maeWLc + terminationGracePeriodSeconds: 30 + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + LuCiH: SWR3zOt + app.kubernetes.io/component: ffe2 + app.kubernetes.io/instance: console + app.kubernetes.io/name: ffe2 + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp +-- testdata/case-028.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + 3yehn: hb1JTt4bE6 + 8kZ: syTRQDJ + QFMui15S766: gMn5Cet2XRLMo + app.kubernetes.io/component: "3" + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: "3" + helm.sh/chart: connectors-0.1.12 + name: 9VQ +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: "3" + app.kubernetes.io/instance: console + app.kubernetes.io/name: "3" + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: "3" + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: "3" + helm.sh/chart: connectors-0.1.12 + name: ZvvoA +spec: + progressDeadlineSeconds: 600 + replicas: null + revisionHistoryLimit: 1716132030 + selector: + matchLabels: + app.kubernetes.io/component: "3" + app.kubernetes.io/instance: console + app.kubernetes.io/name: "3" + strategy: + type: GG3n + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: "3" + app.kubernetes.io/instance: console + app.kubernetes.io/name: "3" + spec: + affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: null + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=8083 + rest.port=8083 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=connectors-cluster + offset.storage.topic=_internal_connectors_offsets + config.storage.topic=_internal_connectors_configs + status.storage.topic=_internal_connectors_status + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=1 + producer.batch.size=131072 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: "" + - name: CONNECT_BOOTSTRAP_SERVERS + value: "" + - name: CONNECT_GC_LOG_ENABLED + value: 3ahn64ZT + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx0 + - name: CONNECT_LOG_LEVEL + value: k1wsL2of + - name: CONNECT_TLS_ENABLED + value: "false" + - name: DvkYw9Pk + value: USGTgIYZwyPh + valueFrom: + configMapKeyRef: + key: xomkxxc + name: 7a + optional: false + fieldRef: + apiVersion: tnGFZ3 + fieldPath: H + resourceFieldRef: + containerName: UD5gAM615 + divisor: "0" + resource: EplPSqP + - name: "" + valueFrom: + configMapKeyRef: + key: 2n + name: vw5ZWohT + optional: true + fieldRef: + apiVersion: THSyklTdw + fieldPath: KDDja + resourceFieldRef: + containerName: ha2tB3cM0 + divisor: "0" + resource: 467hL5 + secretKeyRef: + key: I + name: vv9hXsUY + optional: false + envFrom: + - configMapRef: + name: "y" + optional: true + prefix: 8yKCF + secretRef: + name: 7B5wyZ16F + optional: true + - configMapRef: + name: zqz + prefix: iYiSC0Au26P + - prefix: w + secretRef: + name: p4 + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: connectors-cluster + ports: + - containerPort: 8083 + name: rest-api + protocol: TCP + - containerPort: 9404 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: 2 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 5 + resources: + limits: + cpu: "0" + memory: "0" + requests: + cpu: "1" + memory: 2350Mi + securityContext: + allowPrivilegeEscalation: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /tmp + name: rp-connect-tmp + dnsPolicy: ClusterFirst + imagePullSecrets: + - name: H + - name: HOE + nodeSelector: {} + restartPolicy: my + schedulerName: KL8nKi + securityContext: + fsGroup: 6950905231485894000 + fsGroupChangePolicy: 4駝ɧɍ匑ĿŃjH(ƨ鏝搲³欍荭 + runAsNonRoot: false + runAsUser: -3842777327443310000 + sysctls: + - name: ADfyWTN + value: "" + - name: A2KbAFX + value: vfiwuHLZA3z + serviceAccountName: Ms3WxpzY6U + terminationGracePeriodSeconds: -1876643927 + tolerations: + - effect: 幉cè禟ɴ + operator: ġ襜莪_ð迾uɈkʫ~鲕Lɻ戦ʡ2ȠǷ + tolerationSeconds: -3325398021525833700 + value: QDDTEv + - effect: hǝ + key: JwoXCcww + operator: ªA[wƸ + value: NvIa14 + - effect: ŐȜŻ-簀Ȟo/.濈s呁ī + key: v + operator: 7幔ÍX靹蟳 + tolerationSeconds: -8856646878602496000 + value: zOvR + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: "3" + app.kubernetes.io/instance: console + app.kubernetes.io/name: "3" + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp +--- +# Source: connectors/templates/pod-monitor.yaml +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + annotations: {} + creationTimestamp: null + labels: {} + name: ZvvoA +spec: + namespaceSelector: + any: true + podMetricsEndpoints: + - bearerTokenSecret: + key: "" + path: / + port: prometheus + selector: + matchLabels: + app.kubernetes.io/component: "3" + app.kubernetes.io/instance: console + app.kubernetes.io/name: "3" +-- testdata/case-029.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + PGxtxZYXR: X5 + app.kubernetes.io/component: tl2YFI + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tl2YFI + helm.sh/chart: connectors-0.1.12 + name: IyM +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 1337396066 + protocol: TCP + targetPort: 1337396066 + - name: 9xn + port: -684513812 + protocol: TCP + targetPort: -684513812 + - name: u4xF + port: -391479350 + protocol: TCP + targetPort: -391479350 + - name: rDTiR56X + port: 382665278 + protocol: TCP + targetPort: 382665278 + selector: + app.kubernetes.io/component: tl2YFI + app.kubernetes.io/instance: console + app.kubernetes.io/name: tl2YFI + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: tl2YFI + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tl2YFI + helm.sh/chart: connectors-0.1.12 + name: IyM +spec: + progressDeadlineSeconds: 533336746 + replicas: null + revisionHistoryLimit: -121719569 + selector: + matchLabels: + app.kubernetes.io/component: tl2YFI + app.kubernetes.io/instance: console + app.kubernetes.io/name: tl2YFI + strategy: + type: RollingUpdate + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: tl2YFI + app.kubernetes.io/instance: console + app.kubernetes.io/name: tl2YFI + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchFields: + - key: Th8xQ0 + operator: '};ƾ:Ơȏ旊苆$ź榘ę[Ş悈ȥ' + values: + - gOPH1k + - KOsql + podAffinity: {} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: tl2YFI + app.kubernetes.io/instance: console + app.kubernetes.io/name: tl2YFI + namespaces: + - default + topologyKey: kubernetes.io/hostname + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=1337396066 + rest.port=1337396066 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=F3e + offset.storage.topic=_internal_connectors_offsets + config.storage.topic=_internal_connectors_configs + status.storage.topic=_internal_connectors_status + offset.storage.redpanda.remote.read=true + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=true + status.storage.redpanda.remote.read=true + status.storage.redpanda.remote.write=true + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=-410672871 + producer.batch.size=-1760140219 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.secretsManager.class=com.github.jcustenborder.kafka.config.aws.SecretsManagerConfigProvider + config.providers.secretsManager.param.secret.prefix=pC3emUV + config.providers.secretsManager.param.aws.region=l6uFeZtI + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: Mq9r58Wn2 + - name: CONNECT_BOOTSTRAP_SERVERS + value: GhGh + - name: SCHEMA_REGISTRY_URL + value: eVOEb + - name: CONNECT_GC_LOG_ENABLED + value: "" + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx2G + - name: CONNECT_LOG_LEVEL + value: MM8vHtxMK + - name: CONNECT_SASL_USERNAME + value: "206" + - name: CONNECT_SASL_MECHANISM + value: pVvPbLq8PH + - name: CONNECT_SASL_PASSWORD_FILE + value: rc-credentials/password + - name: CONNECT_TLS_ENABLED + value: "false" + - name: CONNECT_TRUSTED_CERTS + value: ca/ca.crt + - name: CONNECT_TLS_AUTH_KEY + value: key/kn1yG + - name: "" + value: a + valueFrom: + configMapKeyRef: + key: S + optional: false + fieldRef: + apiVersion: cAFu3Wwm4O + fieldPath: "" + resourceFieldRef: + containerName: K + divisor: "0" + resource: pYz + secretKeyRef: + key: rrusH7t + name: 6hR1vtMek + optional: true + - name: 62b + value: b4k + valueFrom: + resourceFieldRef: + containerName: 9Zuqk + divisor: "0" + resource: wDbwci + secretKeyRef: + key: q + name: a3Go0SITja + optional: false + - name: CAn + value: r + valueFrom: + configMapKeyRef: + key: oBsj + name: f + optional: true + fieldRef: + apiVersion: K + fieldPath: e60DM + resourceFieldRef: + containerName: 9xyY28RraQXtmbHZs9v + divisor: "0" + resource: ddr6SE + secretKeyRef: + key: HIl + name: 6i + envFrom: + - prefix: J + secretRef: + name: 4niuc27 + optional: false + - configMapRef: + name: dVR + optional: false + prefix: WUotCc + secretRef: + optional: true + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: connectors-cluster + ports: + - containerPort: 1337396066 + name: rest-api + protocol: TCP + - containerPort: -684513812 + name: 9xn + protocol: TCP + - containerPort: -391479350 + name: u4xF + protocol: TCP + - containerPort: 382665278 + name: rDTiR56X + protocol: TCP + readinessProbe: + failureThreshold: 2079208961 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 1156905473 + periodSeconds: -1924622812 + successThreshold: -1575566868 + timeoutSeconds: -450997563 + resources: + limits: + cpu: "1" + memory: 2350Mi + requests: + cpu: "0" + memory: 2350Mi + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /opt/kafka/connect-password/rc-credentials + name: rc-credentials + - mountPath: /opt/kafka/connect-certs/ca + name: truststore + - mountPath: /opt/kafka/connect-certs/key + name: key + - mountPath: /tmp + name: rp-connect-tmp + dnsPolicy: ClusterFirst + imagePullSecrets: + - name: 1tlBA + nodeSelector: {} + restartPolicy: Always + schedulerName: Z7Ne6 + securityContext: + fsGroup: -790114255836881900 + fsGroupChangePolicy: OnRootMismatch + runAsGroup: 4623887472960955000 + runAsNonRoot: true + runAsUser: 7622666161830128000 + supplementalGroups: + - -3228001931932573000 + - -7141992959148916000 + - -17407268992027108 + sysctls: + - name: 8qCsQ + value: RwRLG + - name: f2Rn + value: afHwsU + - name: 3jYk9 + value: V + serviceAccountName: default + terminationGracePeriodSeconds: -1948657833 + tolerations: + - effect: 冮味Pf鵸q\)霰¢玲&糦Ŀ怋ɌÁ燹 + key: uTzXciQ + operator: 3IJuʙNj + value: FB0Hu + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: tl2YFI + app.kubernetes.io/instance: console + app.kubernetes.io/name: tl2YFI + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - name: truststore + secret: + defaultMode: 292 + secretName: u + - name: key + secret: + defaultMode: 292 + secretName: CE + - name: rc-credentials + secret: + defaultMode: 292 + secretName: a8g3R + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp +-- testdata/case-030.yaml.golden -- +--- +# Source: connectors/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + GCdbeC: cQ4P1cHbv + app.kubernetes.io/component: P7 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: P7 + helm.sh/chart: connectors-0.1.12 + name: UQ27oL + namespace: default +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + GCdbeC: cQ4P1cHbv + app.kubernetes.io/component: P7 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: P7 + helm.sh/chart: connectors-0.1.12 + name: IVe +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: -1808248501 + protocol: TCP + targetPort: -1808248501 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + GCdbeC: cQ4P1cHbv + app.kubernetes.io/component: P7 + app.kubernetes.io/instance: console + app.kubernetes.io/name: P7 + sessionAffinity: None + type: ClusterIP +-- testdata/case-031.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + RER: AU + app.kubernetes.io/component: pLehdV + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: pLehdV + helm.sh/chart: connectors-0.1.12 + name: MnW8I02 +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: -1300816856 + protocol: TCP + targetPort: -1300816856 + - name: 5bgCNjS + port: 0 + protocol: TCP + targetPort: 0 + - name: gh + port: 792720017 + protocol: TCP + targetPort: 792720017 + selector: + app.kubernetes.io/component: pLehdV + app.kubernetes.io/instance: console + app.kubernetes.io/name: pLehdV + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: pLehdV + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: pLehdV + helm.sh/chart: connectors-0.1.12 + name: pPZgwOOt +spec: + progressDeadlineSeconds: 600 + replicas: null + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: pLehdV + app.kubernetes.io/instance: console + app.kubernetes.io/name: pLehdV + strategy: + type: RollingUpdate + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: pLehdV + app.kubernetes.io/instance: console + app.kubernetes.io/name: pLehdV + spec: + affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: pLehdV + app.kubernetes.io/instance: console + app.kubernetes.io/name: pLehdV + namespaces: + - default + topologyKey: kubernetes.io/hostname + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=-1300816856 + rest.port=-1300816856 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=chzc6 + offset.storage.topic=NoMzWmd + config.storage.topic=vOa + status.storage.topic=UX + offset.storage.redpanda.remote.read=true + offset.storage.redpanda.remote.write=true + config.storage.redpanda.remote.read=true + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=true + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=-1169688418 + producer.batch.size=164004875 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: rJQp + - name: CONNECT_BOOTSTRAP_SERVERS + value: 0y2l8XHWK + - name: SCHEMA_REGISTRY_URL + value: qb + - name: CONNECT_GC_LOG_ENABLED + value: FZNoDU + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx0 + - name: CONNECT_LOG_LEVEL + value: mw + - name: CONNECT_SASL_USERNAME + value: s + - name: CONNECT_SASL_MECHANISM + value: OKrEkY + - name: CONNECT_SASL_PASSWORD_FILE + value: rc-credentials/password + - name: CONNECT_TLS_ENABLED + value: "false" + - name: CONNECT_TRUSTED_CERTS + value: ca/ca.crt + - name: CONNECT_TLS_AUTH_CERT + value: cert/copKWn2 + - name: CONNECT_TLS_AUTH_KEY + value: key/IlMv6 + envFrom: [] + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: connectors-cluster + ports: + - containerPort: -1300816856 + name: rest-api + protocol: TCP + - containerPort: 0 + name: 5bgCNjS + protocol: TCP + - containerPort: 792720017 + name: gh + protocol: TCP + readinessProbe: + failureThreshold: 2 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 5 + resources: + limits: + cpu: "0" + memory: "0" + requests: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /opt/kafka/connect-password/rc-credentials + name: rc-credentials + - mountPath: /opt/kafka/connect-certs/ca + name: truststore + - mountPath: /opt/kafka/connect-certs/cert + name: cert + - mountPath: /opt/kafka/connect-certs/key + name: key + - mountPath: "" + mountPropagation: Ǜ绕:O+ + name: 4JTdCoLQd + readOnly: true + subPath: RUx + subPathExpr: 0E + dnsPolicy: ClusterFirst + imagePullSecrets: [] + nodeSelector: {} + restartPolicy: Always + schedulerName: "" + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + runAsUser: 101 + serviceAccountName: "5" + terminationGracePeriodSeconds: 30 + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: pLehdV + app.kubernetes.io/instance: console + app.kubernetes.io/name: pLehdV + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - name: truststore + secret: + defaultMode: 292 + secretName: J + - name: cert + secret: + defaultMode: 292 + secretName: DNF6s + - name: key + secret: + defaultMode: 292 + secretName: NI3VUhJks3aM + - name: rc-credentials + secret: + defaultMode: 292 + secretName: 8nzj + - name: T6INhQ + - name: p0 + - name: EO +-- testdata/case-032.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: connectors + helm.sh/chart: connectors-0.1.12 + name: 8geRNocLQ +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 108700971 + protocol: TCP + targetPort: 108700971 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/name: connectors + sessionAffinity: None + type: ClusterIP +-- testdata/case-033.yaml.golden -- +--- +# Source: connectors/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + gkbEy: M2fwFG + iP1: vVwLn + creationTimestamp: null + labels: + KZj1Dby: 4SqUXw + app.kubernetes.io/component: bz0yr + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: bz0yr + helm.sh/chart: connectors-0.1.12 + name: LVtVe0en + namespace: default +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + "": kPbb + Ch7xjM: i0HEOruP + KZj1Dby: 4SqUXw + app.kubernetes.io/component: bz0yr + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: bz0yr + helm.sh/chart: connectors-0.1.12 + kt: "" + name: crWrH +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: -1714220122 + protocol: TCP + targetPort: -1714220122 + - name: f5JB9Etw + port: 1398564584 + protocol: TCP + targetPort: 1398564584 + - name: hkCnR + port: 1899193486 + protocol: TCP + targetPort: 1899193486 + - name: DUOEQmC + port: 0 + protocol: TCP + targetPort: 0 + selector: + KZj1Dby: 4SqUXw + app.kubernetes.io/component: bz0yr + app.kubernetes.io/instance: console + app.kubernetes.io/name: bz0yr + sessionAffinity: None + type: ClusterIP +-- testdata/case-034.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + M2Ya3Qp: efwJA + app.kubernetes.io/component: Pt + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Pt + c: fgV + eHykHSeD: M0vI4 + helm.sh/chart: connectors-0.1.12 + ik: hu + trc: W + name: 1hV +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: -754597379 + protocol: TCP + targetPort: -754597379 + - name: 6W9P3J + port: 1027996572 + protocol: TCP + targetPort: 1027996572 + - name: UQcXQO4H6 + port: 0 + protocol: TCP + targetPort: 0 + selector: + M2Ya3Qp: efwJA + app.kubernetes.io/component: Pt + app.kubernetes.io/instance: console + app.kubernetes.io/name: Pt + trc: W + sessionAffinity: None + type: ClusterIP +-- testdata/case-035.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + YaiOBiXa: rQx + app.kubernetes.io/component: PeueQ + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: PeueQ + co: MffSo + fdioW3StBvzyh: z + helm.sh/chart: connectors-0.1.12 + ofToM: "n" + wle: mprjb + name: mC3vFeP +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: -559590357 + protocol: TCP + targetPort: -559590357 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: PeueQ + app.kubernetes.io/instance: console + app.kubernetes.io/name: PeueQ + co: MffSo + fdioW3StBvzyh: z + wle: mprjb + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/pod-monitor.yaml +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + annotations: + "4": kTkxkO + creationTimestamp: null + labels: {} + name: 6fr +spec: + namespaceSelector: + any: true + matchNames: + - FKCzSYm7gaXuLQ + podMetricsEndpoints: + - bearerTokenSecret: + key: "" + path: / + port: prometheus + selector: + matchLabels: + app.kubernetes.io/component: PeueQ + app.kubernetes.io/instance: console + app.kubernetes.io/name: PeueQ + co: MffSo + fdioW3StBvzyh: z + wle: mprjb +-- testdata/case-036.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + 1qqW32x: "" + app.kubernetes.io/component: taotfWzUIl + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: taotfWzUIl + helm.sh/chart: connectors-0.1.12 + lp92O: 1QnD84Dhxl + name: GxFDpR9IkU +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: -1153123375 + protocol: TCP + targetPort: -1153123375 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + 1qqW32x: "" + app.kubernetes.io/component: taotfWzUIl + app.kubernetes.io/instance: console + app.kubernetes.io/name: taotfWzUIl + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + 1qqW32x: "" + app.kubernetes.io/component: taotfWzUIl + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: taotfWzUIl + helm.sh/chart: connectors-0.1.12 + name: VW0lF +spec: + progressDeadlineSeconds: -1260879447 + replicas: null + revisionHistoryLimit: -1294473838 + selector: + matchLabels: + 1qqW32x: "" + app.kubernetes.io/component: taotfWzUIl + app.kubernetes.io/instance: console + app.kubernetes.io/name: taotfWzUIl + strategy: + type: 5cn + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + 1qqW32x: "" + app.kubernetes.io/component: taotfWzUIl + app.kubernetes.io/instance: console + app.kubernetes.io/name: taotfWzUIl + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchFields: + - key: 3bTiSjGL + operator: Pʡdz饿n抈Ʊt嬩癘Ƈ + values: + - AGfqyUGQXxyY + - FVcNDfkQ + - v3hp7MN8nVKE + - key: L3S + operator: -殊 + values: + - 97iUcu + - dXmY + - KUxQvBTJu + - key: YNi + operator: ijS泉ľ;ŒvS阸多嵠{ + values: + - xf0B + weight: -207219009 + - preference: + matchExpressions: + - key: EAkVkI70 + operator: 钚寽蛺izȭ7_掅桘 + values: + - aAWkk + - ze + - 3wGu + - key: 3RyfQc6N + operator: 5ɔ螗śLƆ扒\ƃ"氧ɉ + values: + - Vv + - key: 1vVqYpX + operator: Yto%Iƈ?暊I)琣?Ć痕猖ȕ + values: + - 9yyhe2i + weight: 2145655584 + - preference: + matchExpressions: + - key: vYGC + operator: 缈饜代u灧Ȼ + matchFields: + - key: Xbz + operator: ż苡訖ɑʟĨı齻@IJ騮削ƽ蹄濁榷鰠 + values: + - qFq5zh0O + - yG0 + - nT + - key: P3 + operator: ǧ唾潣PNJ掉ơ\庱吳.,OLX + - key: 3ATe + operator: ʦ恀^ + values: + - LUm4b + weight: 351084922 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: XLalOY + operator: 挝R凗ŵ莁5E7?Ȓʍm篫l{Č蒄 + values: + - YrzbvR + - 5awUoV + - a + - key: bhAd + operator: 鴵鈌ąt烿æy伸?^đĔʎ{Ç柧 + values: + - GqRb + - key: 8WgrpCvg + operator: bAMƺ惸鹖ŏ垇ɔǁI庫û*ɔ嶢ɚ菑 + values: + - BRd8A5 + - "9" + - K9hDIBU + matchFields: + - key: FntInb + operator: '{@əɃðŗ8''4' + - key: cPqf3 + operator: Ƌ娔殺慑 + - key: o + operator: ɧlǬ量GJ恉əŏ滸IōĈwǝ栢Jȡ + podAffinity: {} + podAntiAffinity: null + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=-1153123375 + rest.port=-1153123375 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=XuGw0bAvU4mCl29 + offset.storage.topic=AqMgsp + config.storage.topic=BKIQd85 + status.storage.topic=cB + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=true + config.storage.redpanda.remote.read=true + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=true + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=1816899175 + config.storage.replication.factor=935026050 + status.storage.replication.factor=1556885434 + producer.linger.ms=1479365932 + producer.batch.size=1402635005 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: LhQU + - name: CONNECT_BOOTSTRAP_SERVERS + value: PJXgS + - name: SCHEMA_REGISTRY_URL + value: owIrcBoHKcGy + - name: CONNECT_GC_LOG_ENABLED + value: 92CKlhkT1dY + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx0 + - name: CONNECT_LOG_LEVEL + value: PAOVCu + - name: CONNECT_SASL_USERNAME + value: ZTak1O6cR + - name: CONNECT_SASL_MECHANISM + value: 4pr3gf + - name: CONNECT_SASL_PASSWORD_FILE + value: rc-credentials/password + - name: CONNECT_TLS_ENABLED + value: "false" + - name: CONNECT_TRUSTED_CERTS + value: ca/pMccWpS50Tt + - name: CONNECT_TLS_AUTH_CERT + value: cert/c4sa0FA + - name: CONNECT_TLS_AUTH_KEY + value: key/EOAKr + envFrom: [] + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: -1589865511 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: -621095822 + periodSeconds: 280342995 + successThreshold: -167276282 + timeoutSeconds: -1535167124 + name: connectors-cluster + ports: + - containerPort: -1153123375 + name: rest-api + protocol: TCP + - containerPort: 9404 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: 1985429634 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 520999520 + periodSeconds: 1834416895 + successThreshold: -2144235192 + timeoutSeconds: -1654928979 + resources: + limits: + cpu: "0" + memory: "0" + requests: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /opt/kafka/connect-password/rc-credentials + name: rc-credentials + - mountPath: /opt/kafka/connect-certs/ca + name: truststore + - mountPath: /opt/kafka/connect-certs/cert + name: cert + - mountPath: /opt/kafka/connect-certs/key + name: key + - mountPath: MMqGiv5CN + mountPropagation: 鳮耐uíȪr + name: jHofb9BQ3 + readOnly: true + subPath: aDzkmP + subPathExpr: 4sgTWM4H + - mountPath: KhsFs + mountPropagation: Ǎ繟ƣʜ + name: V02ibh + readOnly: true + subPath: LF + subPathExpr: mi + dnsPolicy: ClusterFirst + imagePullSecrets: + - name: zaKvtKNIW0 + - name: "9" + - name: fG + nodeSelector: + gQqg: rQO1 + restartPolicy: '>Ȏ縂ɴ垍ū*' + schedulerName: mlm5OhgsGh + securityContext: + fsGroup: -24635125662907280 + fsGroupChangePolicy: Ŏ痿1>a茫ȡ跦 þ + runAsGroup: -3967780041970195000 + runAsNonRoot: true + runAsUser: 8970781034706956000 + supplementalGroups: + - -8270543106812796000 + sysctls: + - name: KljKqWpUKsb3 + value: 9Zv + - name: z8scvHARn + value: sk + serviceAccountName: srWYjAnpR + terminationGracePeriodSeconds: 446877207 + tolerations: + - effect: ɟ + key: J906H + operator: Ȇ:龳虹$鿲Ȥ.t齹Ń5 + tolerationSeconds: 6789201977316389000 + value: vV1 + - effect: ©Ǯ膗Ǖ盉浝Ŝɟ + key: ju6amcMPM8UK + operator: 衭蛩ņý + tolerationSeconds: -8177010640192863000 + value: S + - effect: cÑ + operator: L晚G& + tolerationSeconds: 8159638238997451000 + value: OyDyWZoaY + topologySpreadConstraints: + - labelSelector: + matchLabels: + 1qqW32x: "" + app.kubernetes.io/component: taotfWzUIl + app.kubernetes.io/instance: console + app.kubernetes.io/name: taotfWzUIl + maxSkew: 1646710512 + topologyKey: MbS + whenUnsatisfiable: Ia0hRF8y + volumes: + - name: truststore + secret: + defaultMode: 292 + secretName: MyH + - name: cert + secret: + defaultMode: 292 + secretName: Iv + - name: key + secret: + defaultMode: 292 + secretName: no0Ke + - name: rc-credentials + secret: + defaultMode: 292 + secretName: Na4b + - name: qx + - name: XeUJ +-- testdata/case-037.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + 5bK2xe: ZRy + HSu1: FRG692y + QExXAto3Ub2T: etTOY4y8iSmyDOe + app.kubernetes.io/component: 03U7 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 03U7 + helm.sh/chart: connectors-0.1.12 + name: "87" +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 1885084612 + protocol: TCP + targetPort: 1885084612 + - name: yMA8tJxHo + port: -582141187 + protocol: TCP + targetPort: -582141187 + - name: "9" + port: 830415771 + protocol: TCP + targetPort: 830415771 + selector: + HSu1: FRG692y + QExXAto3Ub2T: etTOY4y8iSmyDOe + app.kubernetes.io/component: 03U7 + app.kubernetes.io/instance: console + app.kubernetes.io/name: 03U7 + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + HSu1: FRG692y + PsITu: LgrI + QExXAto3Ub2T: etTOY4y8iSmyDOe + app.kubernetes.io/component: 03U7 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 03U7 + helm.sh/chart: connectors-0.1.12 + name: vRXgQsUzl3 +spec: + progressDeadlineSeconds: -1761307563 + replicas: null + revisionHistoryLimit: -1377004535 + selector: + matchLabels: + HSu1: FRG692y + QExXAto3Ub2T: etTOY4y8iSmyDOe + app.kubernetes.io/component: 03U7 + app.kubernetes.io/instance: console + app.kubernetes.io/name: 03U7 + strategy: + type: qVm + template: + metadata: + annotations: + PsITu: LgrI + creationTimestamp: null + labels: + HSu1: FRG692y + QExXAto3Ub2T: etTOY4y8iSmyDOe + app.kubernetes.io/component: 03U7 + app.kubernetes.io/instance: console + app.kubernetes.io/name: 03U7 + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: tmEGf + operator: "" + values: + - yCcLCb + - O1NTsHk78miTJ + - key: KuvLpSp4X + operator: 獴ĝB违写õʕĠEɊ繎ª + values: + - oqAB + - "y" + - cLExkHCRfD + - key: tMxc + operator: 1Ņ鸩瀚羨鱬c)0ƶ音êA{ǷZŁȃ + values: + - W2 + - rXnf + matchFields: + - key: dvXtkKrlxr + operator: m駠祸¯獒ɌƗ'Ñnj嗰蒩,幔Ǣ + values: + - vDUy + - vzx4 + - key: UU6d + operator: 惂PqbKɕ`ǃȒCʉ鞊Ĩ% + - key: qm03jaCk + operator: a靔Pƴy%(AĔð勶乀ĥČI#ɃǙ蘨 + weight: -1872535291 + - preference: + matchExpressions: + - key: GjG + operator: űŌ + - key: UQ + operator: d欻Ɲ + values: + - zpBqznM + matchFields: + - key: gKn2 + operator: ÁŠ9玫Ʌ + values: + - Iij79g + weight: 1456486091 + - preference: + matchExpressions: + - key: 1Ef + operator: G飔8`ɒ蕸祹&匪璳拖嶴6s['%邗 + values: + - iBr + - "" + - key: RXMgUipZ + operator: Qāȃ鋘ǖ0iNɭȂuŦ褌7Èȝ鹊淋廽 + values: + - NB + - key: nb6 + operator: 杘ɯ#`慐 + weight: -1381009180 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: {} + podAntiAffinity: null + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=1885084612 + rest.port=1885084612 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=q + offset.storage.topic=WDtxRL37SvNV + config.storage.topic=fiLg3L + status.storage.topic=Guofk9 + offset.storage.redpanda.remote.read=true + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=true + config.storage.redpanda.remote.write=true + status.storage.redpanda.remote.read=true + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1765361377 + config.storage.replication.factor=575483838 + status.storage.replication.factor=-1294780557 + producer.linger.ms=982363719 + producer.batch.size=-1100237413 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: FTlQkC + - name: CONNECT_BOOTSTRAP_SERVERS + value: LeVg + - name: SCHEMA_REGISTRY_URL + value: N8 + - name: CONNECT_GC_LOG_ENABLED + value: mn + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx0 + - name: CONNECT_LOG_LEVEL + value: Y0gfv + - name: CONNECT_TLS_ENABLED + value: "false" + - name: CONNECT_TRUSTED_CERTS + value: ca/49XwYgsyn + - name: CONNECT_TLS_AUTH_CERT + value: cert/Wf + - name: CONNECT_TLS_AUTH_KEY + value: key/7rwbl + - name: 7PtPut9 + value: 4Uo + valueFrom: + configMapKeyRef: + key: H6 + name: JEPQ + optional: true + fieldRef: + apiVersion: yCSfB + fieldPath: HD + resourceFieldRef: + containerName: v0wW + divisor: "0" + resource: BliOlDq + secretKeyRef: + key: AOod + name: Ljqm + optional: false + - name: FItx + value: cZIyVQPdqZ + valueFrom: + configMapKeyRef: + key: O3 + name: KlO + optional: true + fieldRef: + apiVersion: BnfYTBc + fieldPath: xw + resourceFieldRef: + containerName: qzV549 + divisor: "0" + resource: sctpzNUt + secretKeyRef: + key: Ff4vJm + name: hoEa + optional: false + envFrom: [] + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1572051601 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: -455418157 + periodSeconds: 31037144 + successThreshold: 1836675270 + timeoutSeconds: -722680942 + name: connectors-cluster + ports: + - containerPort: 1885084612 + name: rest-api + protocol: TCP + - containerPort: -582141187 + name: yMA8tJxHo + protocol: TCP + - containerPort: 830415771 + name: "9" + protocol: TCP + readinessProbe: + failureThreshold: 1393918041 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: -1529972341 + periodSeconds: 1791885136 + successThreshold: -1003238871 + timeoutSeconds: 516179111 + resources: + limits: + cpu: "0" + memory: "0" + requests: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /opt/kafka/connect-certs/ca + name: truststore + - mountPath: /opt/kafka/connect-certs/cert + name: cert + - mountPath: /opt/kafka/connect-certs/key + name: key + - mountPath: FMieal + mountPropagation: q睢1Êb2y"ğJĢ + name: GRAaf7 + readOnly: true + subPath: Wvz + subPathExpr: K4St + - mountPath: E6 + mountPropagation: 2`| + name: yu + subPath: 1Qyv + subPathExpr: lq + - mountPath: "9" + mountPropagation: J仅<Ⱦù觏牨¼Ǐ蒜,J偛l挨 + name: CkWy + subPath: 1YtfYCwcHU3 + subPathExpr: xUIPjXS + dnsPolicy: ClusterFirst + imagePullSecrets: + - name: d18 + nodeSelector: {} + restartPolicy: tAȍ_祴珗ƨŐ飔矜ƧŸȺ8Ù凿吱 + schedulerName: k + securityContext: + fsGroup: -8943063634632833000 + fsGroupChangePolicy: 樜3g罡Sɺ:礁j + runAsGroup: -8183677367766310000 + runAsNonRoot: false + runAsUser: 6257019186377026000 + supplementalGroups: + - 6349796974429449000 + - -6495960424240768000 + sysctls: + - name: tNzNhbs + value: Li + - name: xw + value: wQYd + - name: rijilGaE1rE + value: O1VB + serviceAccountName: 1J + terminationGracePeriodSeconds: -340872360 + tolerations: + - effect: 旽ǷȬƱĬɔH辂W'ʩ菽懝 + key: NRzfhGYG1Y + operator: 皏棵FɁÈ棿X + tolerationSeconds: 4658882017834993000 + value: Lu + - effect: "~" + key: k + operator: 垫 + tolerationSeconds: -950306177981439200 + value: j2wtF4uhca + topologySpreadConstraints: + - labelSelector: + matchLabels: + HSu1: FRG692y + QExXAto3Ub2T: etTOY4y8iSmyDOe + app.kubernetes.io/component: 03U7 + app.kubernetes.io/instance: console + app.kubernetes.io/name: 03U7 + maxSkew: -1481065440 + topologyKey: SER + whenUnsatisfiable: 5L7rrGecd + volumes: + - name: truststore + secret: + defaultMode: 292 + secretName: 28O + - name: cert + secret: + defaultMode: 292 + secretName: EDOE + - name: key + secret: + defaultMode: 292 + secretName: TaD + - name: QbE11Wi + - name: 5p +-- testdata/case-038.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: BX8JrNja9K1E + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: BX8JrNja9K1E + eYdK: Cku + helm.sh/chart: connectors-0.1.12 + ztF1: wwq1 + name: mCI +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 436787525 + protocol: TCP + targetPort: 436787525 + - name: mQD4tg + port: -951318322 + protocol: TCP + targetPort: -951318322 + selector: + app.kubernetes.io/component: BX8JrNja9K1E + app.kubernetes.io/instance: console + app.kubernetes.io/name: BX8JrNja9K1E + sessionAffinity: None + type: ClusterIP +-- testdata/case-039.yaml.golden -- +--- +# Source: connectors/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + UCvD: zlN0tsbA + creationTimestamp: null + labels: + MnrW: 2y + V4b1: iOkt + app.kubernetes.io/component: mn + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: mn + helm.sh/chart: connectors-0.1.12 + name: ZkHM + namespace: default +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + MnrW: 2y + V4b1: iOkt + app.kubernetes.io/component: mn + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: mn + helm.sh/chart: connectors-0.1.12 + name: El70 +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 1444795321 + protocol: TCP + targetPort: 1444795321 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + MnrW: 2y + V4b1: iOkt + app.kubernetes.io/component: mn + app.kubernetes.io/instance: console + app.kubernetes.io/name: mn + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + MnrW: 2y + V4b1: iOkt + app.kubernetes.io/component: mn + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: mn + helm.sh/chart: connectors-0.1.12 + name: jio8f +spec: + progressDeadlineSeconds: -1221802348 + replicas: null + revisionHistoryLimit: 1248617462 + selector: + matchLabels: + MnrW: 2y + V4b1: iOkt + app.kubernetes.io/component: mn + app.kubernetes.io/instance: console + app.kubernetes.io/name: mn + strategy: + type: qsB + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + MnrW: 2y + V4b1: iOkt + app.kubernetes.io/component: mn + app.kubernetes.io/instance: console + app.kubernetes.io/name: mn + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: fcm8Ew + operator: 副瘫 + - key: "07" + operator: 阫ƣʊPŠ!7椃ûĺɉ呙鼲坣呐ȡ + values: + - IEopzACw + - UJT7 + - key: MUXZ + operator: äĢ + values: + - ltoOhu + - SYLAu90Sic + podAffinity: {} + podAntiAffinity: null + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=1444795321 + rest.port=1444795321 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=BOkRc + offset.storage.topic=6kl + config.storage.topic=E + status.storage.topic=mk + offset.storage.redpanda.remote.read=true + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=true + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=true + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=577990303 + config.storage.replication.factor=1941218076 + status.storage.replication.factor=-1541756269 + producer.linger.ms=1359438163 + producer.batch.size=-2127171944 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: 8NGjNgy + - name: CONNECT_BOOTSTRAP_SERVERS + value: xU + - name: SCHEMA_REGISTRY_URL + value: j7V227t + - name: CONNECT_GC_LOG_ENABLED + value: mnLDVzboOU + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx0 + - name: CONNECT_LOG_LEVEL + value: A9j + - name: CONNECT_SASL_USERNAME + value: AsbjUhR + - name: CONNECT_SASL_MECHANISM + value: 3FmU9Mj + - name: CONNECT_SASL_PASSWORD_FILE + value: rc-credentials/password + - name: CONNECT_TLS_ENABLED + value: "false" + - name: CONNECT_TRUSTED_CERTS + value: ca/ca.crt + - name: CONNECT_TLS_AUTH_CERT + value: cert/HQ + - name: CONNECT_TLS_AUTH_KEY + value: key/tls.key + - name: MMy5 + value: H + valueFrom: + configMapKeyRef: + key: nJ2K0MV + name: zp + optional: false + fieldRef: + apiVersion: wVLbzHBVPimhM + fieldPath: AejPbHX81DSFH8Q + resourceFieldRef: + containerName: Q6jlN + divisor: "0" + resource: FVErZI + secretKeyRef: + key: fAj9qbwJX41v + name: Hlf + optional: false + - name: Sz + value: ohDj + valueFrom: + configMapKeyRef: + key: MC10 + name: Q + optional: true + fieldRef: + apiVersion: tkvB + fieldPath: Wvk + resourceFieldRef: + containerName: iX + divisor: "0" + resource: VBz4peZ + secretKeyRef: + key: zQnXIdnN + name: 4L5 + optional: false + envFrom: [] + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: -1801401906 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: -1928987976 + periodSeconds: 366101264 + successThreshold: 1101494705 + timeoutSeconds: 1657384826 + name: connectors-cluster + ports: + - containerPort: 1444795321 + name: rest-api + protocol: TCP + - containerPort: 9404 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: 316564184 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: -678114858 + periodSeconds: -1932943963 + successThreshold: -1295008485 + timeoutSeconds: 1251310237 + resources: + limits: + cpu: "0" + memory: "0" + requests: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /opt/kafka/connect-password/rc-credentials + name: rc-credentials + - mountPath: /opt/kafka/connect-certs/ca + name: truststore + - mountPath: /opt/kafka/connect-certs/cert + name: cert + - mountPath: /opt/kafka/connect-certs/key + name: key + - mountPath: /tmp + name: rp-connect-tmp + dnsPolicy: ClusterFirst + imagePullSecrets: [] + nodeSelector: + Q4e0pQre8Ui: ybd + W0tuX2DKY: t + hK1gicteS: oRdivh + restartPolicy: 刊ǵ椉Ž5荭¶@Ǻ + schedulerName: NtMcVkr + securityContext: + fsGroup: -7790002735836359000 + fsGroupChangePolicy: '猰tą3圇épțU串ɭ惟璼ʜ ' + runAsGroup: 7078321909676639000 + runAsNonRoot: true + runAsUser: -3795473018051875300 + sysctls: + - name: 4bbbOThlM9 + value: OeQ + - name: KzYDmoPm + value: RQkJ4 + - name: gSEB + value: fCw + serviceAccountName: ZkHM + terminationGracePeriodSeconds: 1536232091 + tolerations: + - key: Kme1g + operator: 鸋傚脨ʌȰę,缶 + tolerationSeconds: 9185074187324502000 + value: HP1mcWeehE + topologySpreadConstraints: + - labelSelector: + matchLabels: + MnrW: 2y + V4b1: iOkt + app.kubernetes.io/component: mn + app.kubernetes.io/instance: console + app.kubernetes.io/name: mn + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - name: truststore + secret: + defaultMode: 292 + secretName: z0ac + - name: cert + secret: + defaultMode: 292 + secretName: Yvl1 + - name: key + secret: + defaultMode: 292 + secretName: Gq + - name: rc-credentials + secret: + defaultMode: 292 + secretName: GUdAwXVY + - name: PQgVp5UAKMh + - name: m + - name: "" +-- testdata/case-040.yaml.golden -- +--- +# Source: connectors/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + "": s + 6aAoyzS: BVK + SV0dnqH: Rk + creationTimestamp: null + labels: + 4bQpba: iVh + app.kubernetes.io/component: 4iNcef5 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 4iNcef5 + helm.sh/chart: connectors-0.1.12 + "n": "" + name: FKhGHe3aO + namespace: default +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + 4bQpba: iVh + LG: ZJQw2J8u + app.kubernetes.io/component: 4iNcef5 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 4iNcef5 + g: 0z9gQt4Yj + helm.sh/chart: connectors-0.1.12 + "n": "" + name: KxK +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: -1022927047 + protocol: TCP + targetPort: -1022927047 + - name: 61dR + port: 9129423 + protocol: TCP + targetPort: 9129423 + - name: p0D + port: 1391241101 + protocol: TCP + targetPort: 1391241101 + - name: 0MZ6s8 + port: 708219631 + protocol: TCP + targetPort: 708219631 + selector: + 4bQpba: iVh + app.kubernetes.io/component: 4iNcef5 + app.kubernetes.io/instance: console + app.kubernetes.io/name: 4iNcef5 + "n": "" + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + 4bQpba: iVh + 6WNO: UvMxPC + ItkfXr: HoRGq + OqfY9eu: U + app.kubernetes.io/component: 4iNcef5 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 4iNcef5 + helm.sh/chart: connectors-0.1.12 + "n": "" + name: NCw6T6UcQY +spec: + progressDeadlineSeconds: 570610379 + replicas: null + revisionHistoryLimit: 1380150017 + selector: + matchLabels: + 4bQpba: iVh + app.kubernetes.io/component: 4iNcef5 + app.kubernetes.io/instance: console + app.kubernetes.io/name: 4iNcef5 + "n": "" + strategy: + type: 7Mz64 + template: + metadata: + annotations: + 6WNO: UvMxPC + ItkfXr: HoRGq + OqfY9eu: U + creationTimestamp: null + labels: + 4bQpba: iVh + app.kubernetes.io/component: 4iNcef5 + app.kubernetes.io/instance: console + app.kubernetes.io/name: 4iNcef5 + "n": "" + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: 19IV1NC + operator: ȃ}CĚ蟡ɨvǢȺ + values: + - "" + matchFields: + - key: xl + operator: VĦɓ洽Ă滕煂 + values: + - jreFryn + weight: 1586123299 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: {} + podAntiAffinity: null + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=-1022927047 + rest.port=-1022927047 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=br + offset.storage.topic=H + config.storage.topic=9Qtxti + status.storage.topic=BP + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=true + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=true + status.storage.redpanda.remote.read=true + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1418511808 + config.storage.replication.factor=-1386973481 + status.storage.replication.factor=-748221252 + producer.linger.ms=-1500250091 + producer.batch.size=-2033745427 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: qvMttAMx + - name: CONNECT_BOOTSTRAP_SERVERS + value: LRTyIJY + - name: SCHEMA_REGISTRY_URL + value: cL1M + - name: CONNECT_GC_LOG_ENABLED + value: QXA6zua + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx0 + - name: CONNECT_LOG_LEVEL + value: Tb + - name: CONNECT_SASL_USERNAME + value: KF7Nnx + - name: CONNECT_SASL_MECHANISM + value: eXWm9 + - name: CONNECT_SASL_PASSWORD_FILE + value: rc-credentials/password + - name: CONNECT_TLS_ENABLED + value: "false" + - name: CONNECT_TRUSTED_CERTS + value: ca/rRP + - name: CONNECT_TLS_AUTH_CERT + value: cert/peG + - name: CONNECT_TLS_AUTH_KEY + value: key/Tbz + - name: pwJ0I3ZEUK7 + value: aaFCEfM + valueFrom: + configMapKeyRef: + key: DXmjvM9 + name: JYBPb + optional: false + fieldRef: + apiVersion: 9fI + fieldPath: 90keHRVll + resourceFieldRef: + containerName: rBYEwmI + divisor: "0" + resource: Sn9Gkn + secretKeyRef: + key: T3YsImGDrshtv + name: w + optional: false + envFrom: [] + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 285554662 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 620513520 + periodSeconds: -983699293 + successThreshold: 537883135 + timeoutSeconds: 843588973 + name: connectors-cluster + ports: + - containerPort: -1022927047 + name: rest-api + protocol: TCP + - containerPort: 9129423 + name: 61dR + protocol: TCP + - containerPort: 1391241101 + name: p0D + protocol: TCP + - containerPort: 708219631 + name: 0MZ6s8 + protocol: TCP + readinessProbe: + failureThreshold: -473671565 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: -2130499066 + periodSeconds: -39801992 + successThreshold: -1693089511 + timeoutSeconds: -1707372527 + resources: + limits: + cpu: "0" + memory: "0" + requests: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /opt/kafka/connect-password/rc-credentials + name: rc-credentials + - mountPath: /opt/kafka/connect-certs/ca + name: truststore + - mountPath: /opt/kafka/connect-certs/cert + name: cert + - mountPath: /opt/kafka/connect-certs/key + name: key + - mountPath: /tmp + name: rp-connect-tmp + dnsPolicy: ClusterFirst + imagePullSecrets: + - name: u + - name: 13J + - name: q9t1lU0k + nodeSelector: + ne: QT3mjpm7B + restartPolicy: °č + schedulerName: O26H + securityContext: + fsGroup: 7015643872446876 + fsGroupChangePolicy: 烳=~沽侣X + runAsGroup: -3630702614293936600 + runAsNonRoot: true + runAsUser: 4388805261963142700 + supplementalGroups: + - -7755253763247303000 + - -3310400039802532000 + - 2051254341870838000 + sysctls: + - name: 7UwNr + value: tkn + - name: nGm + value: V + - name: KhS + value: jbpUUVGjT + serviceAccountName: FKhGHe3aO + terminationGracePeriodSeconds: -1194184480 + tolerations: + - effect: 曶ámɶ役ōœE顾坳4Ńɟ蒷Ǚó + key: 3u + operator: 卭ƺ?o + tolerationSeconds: 701640152884990200 + value: N1ekj + - effect: '[ȝ伨]鸲Z;ʞ9阏' + key: 6jmY + operator: n骯Ǩ + tolerationSeconds: 6874204552685768000 + value: saUOHQxkY9 + topologySpreadConstraints: + - labelSelector: + matchLabels: + 4bQpba: iVh + app.kubernetes.io/component: 4iNcef5 + app.kubernetes.io/instance: console + app.kubernetes.io/name: 4iNcef5 + "n": "" + maxSkew: 1898212660 + topologyKey: Ovevl + whenUnsatisfiable: PFGhR + volumes: + - name: truststore + secret: + defaultMode: 292 + secretName: E + - name: cert + secret: + defaultMode: 292 + secretName: P5mPIj + - name: key + secret: + defaultMode: 292 + secretName: mBxPtYNUs + - name: rc-credentials + secret: + defaultMode: 292 + secretName: M4pqhD32D + - name: kXFFnM +--- +# Source: connectors/templates/pod-monitor.yaml +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + annotations: + eZHJsIIV4Rky: Pk + creationTimestamp: null + labels: + n5El: sDg0twGSFjIgP + name: NCw6T6UcQY +spec: + namespaceSelector: + any: true + podMetricsEndpoints: + - bearerTokenSecret: + key: "" + path: / + port: prometheus + selector: + matchLabels: + 4bQpba: iVh + app.kubernetes.io/component: 4iNcef5 + app.kubernetes.io/instance: console + app.kubernetes.io/name: 4iNcef5 + "n": "" +-- testdata/case-041.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + AwT: yIHdj1wxg + Lr: zYUtd + Z2dqRWb: FmF + app.kubernetes.io/component: Ur + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Ur + eP0gw: ZlmzgOXE + helm.sh/chart: connectors-0.1.12 + name: bjGFkzr +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: -1621274024 + protocol: TCP + targetPort: -1621274024 + - name: PoEHOjF + port: -510390395 + protocol: TCP + targetPort: -510390395 + - name: DH7c + port: 369451694 + protocol: TCP + targetPort: 369451694 + selector: + AwT: yIHdj1wxg + Lr: zYUtd + app.kubernetes.io/component: Ur + app.kubernetes.io/instance: console + app.kubernetes.io/name: Ur + eP0gw: ZlmzgOXE + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + AwT: yIHdj1wxg + Lr: zYUtd + app.kubernetes.io/component: Ur + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Ur + eP0gw: ZlmzgOXE + helm.sh/chart: connectors-0.1.12 + name: AqjekuF +spec: + progressDeadlineSeconds: 1079618075 + replicas: null + revisionHistoryLimit: 485115195 + selector: + matchLabels: + AwT: yIHdj1wxg + Lr: zYUtd + app.kubernetes.io/component: Ur + app.kubernetes.io/instance: console + app.kubernetes.io/name: Ur + eP0gw: ZlmzgOXE + strategy: + type: z1MRV5BXaS20 + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + AwT: yIHdj1wxg + Lr: zYUtd + app.kubernetes.io/component: Ur + app.kubernetes.io/instance: console + app.kubernetes.io/name: Ur + eP0gw: ZlmzgOXE + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: poCuXUDdP + operator: 3m脄Lj伭ĸ_ȢV!fĩ聿粵昫Ȼ_Ȁ + values: + - bGZy + - key: mxZi7 + operator: 噴姷ʃƸUl>" 噸Lj#ǖHǑv + values: + - vBoyb + - 2VHyI + - key: T + operator: 汜!NJ + podAffinity: {} + podAntiAffinity: null + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=-1621274024 + rest.port=-1621274024 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=KfcZtgISe + offset.storage.topic=V + config.storage.topic=n4 + status.storage.topic=fLR + offset.storage.redpanda.remote.read=true + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=true + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=true + status.storage.redpanda.remote.write=true + offset.storage.replication.factor=-1861439076 + config.storage.replication.factor=1120929712 + status.storage.replication.factor=-1718786575 + producer.linger.ms=540861319 + producer.batch.size=1953552561 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: "9" + - name: CONNECT_BOOTSTRAP_SERVERS + value: jts02PD + - name: SCHEMA_REGISTRY_URL + value: Esqu + - name: CONNECT_GC_LOG_ENABLED + value: cjZh + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx0 + - name: CONNECT_LOG_LEVEL + value: fhSGoGeOVO + - name: CONNECT_SASL_USERNAME + value: BxNfJ + - name: CONNECT_SASL_MECHANISM + value: I9OZ + - name: CONNECT_SASL_PASSWORD_FILE + value: rc-credentials/password + - name: CONNECT_TLS_ENABLED + value: "false" + - name: CONNECT_TRUSTED_CERTS + value: ca/i + - name: CONNECT_TLS_AUTH_CERT + value: cert/TU4R4tW0Nd + - name: CONNECT_TLS_AUTH_KEY + value: key/hDX + - name: WRSeLSQyxsq + value: 0xespo + valueFrom: + configMapKeyRef: + key: gsjkH + name: hjYCF8i3u + optional: false + fieldRef: + apiVersion: ilis2lH + fieldPath: slhYb + resourceFieldRef: + containerName: ufey2VJTCmS + divisor: "0" + resource: "" + secretKeyRef: + key: nR + name: GKz3 + optional: false + - name: ic + value: N8MdK + valueFrom: + configMapKeyRef: + key: 1QJrX + name: LxK + optional: false + fieldRef: + apiVersion: 0z + fieldPath: UgaSLG1n + resourceFieldRef: + containerName: i + divisor: "0" + resource: "4" + secretKeyRef: + key: "2" + name: ZCqRHp + optional: true + - name: 2TZr + value: P1UUXZH9 + valueFrom: + configMapKeyRef: + key: wgHcFon6xI + name: 6aZcc + optional: false + fieldRef: + apiVersion: dt8 + fieldPath: THGVGMQc + resourceFieldRef: + containerName: Ml + divisor: "0" + resource: tSc + secretKeyRef: + key: L2StNK + name: Qhiy + optional: false + envFrom: + - configMapRef: + name: "8" + optional: false + prefix: Z3pv + secretRef: + name: c + optional: false + - configMapRef: + name: O3v + optional: false + prefix: eXtX5G3zTnAr + secretRef: + name: FU1b + optional: true + - configMapRef: + name: cLEurajaTv1 + optional: false + prefix: YX + secretRef: + optional: false + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 724202040 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 1171548340 + periodSeconds: 1136904972 + successThreshold: 1663228806 + timeoutSeconds: 1255816268 + name: connectors-cluster + ports: + - containerPort: -1621274024 + name: rest-api + protocol: TCP + - containerPort: -510390395 + name: PoEHOjF + protocol: TCP + - containerPort: 369451694 + name: DH7c + protocol: TCP + readinessProbe: + failureThreshold: -1131780392 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 1799248585 + periodSeconds: 373984687 + successThreshold: -1503317917 + timeoutSeconds: 266568456 + resources: + limits: + cpu: "0" + memory: "0" + requests: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /opt/kafka/connect-password/rc-credentials + name: rc-credentials + - mountPath: /opt/kafka/connect-certs/ca + name: truststore + - mountPath: /opt/kafka/connect-certs/cert + name: cert + - mountPath: /opt/kafka/connect-certs/key + name: key + - mountPath: /tmp + name: rp-connect-tmp + dnsPolicy: ClusterFirst + imagePullSecrets: + - name: JeYmHo + nodeSelector: {} + restartPolicy: Õ験蘺Sg怰S²蜵-Ǿ笭ī庩X圂蓦5< + schedulerName: MF3RwzBCk + securityContext: + fsGroup: -3871220937207142400 + fsGroupChangePolicy: Y蹐\¢倅J趚i転 + runAsGroup: -8140185145867863000 + runAsNonRoot: true + runAsUser: 1443110212215096300 + supplementalGroups: + - 4202411183995630000 + - 9074875661218953000 + - 3682145535007526000 + sysctls: + - name: a9wm1 + value: V48LpVsGVpu + serviceAccountName: 1LIGRd6z + terminationGracePeriodSeconds: 1526850382 + tolerations: + - effect: k積Lj + key: YsgfsWrB + operator: Žʚ8鋤縅÷ʪ镲 + tolerationSeconds: 8712200771279582000 + value: 0BC0Sc1 + - effect: a + key: pWUIfI + operator: ā5NƑ鬜牣^,儕髬ǖ藍 ŠɯǦ + tolerationSeconds: 7946113276490164000 + value: lsKkYhoC + - effect: 燀芜/ƶ@犩ɫƭ紱刃飚dēW帠 + key: VQfdy + operator: 腼ʮǬĴǠɬ + tolerationSeconds: -8924157374760988000 + value: UlBiper + topologySpreadConstraints: + - labelSelector: + matchLabels: + AwT: yIHdj1wxg + Lr: zYUtd + app.kubernetes.io/component: Ur + app.kubernetes.io/instance: console + app.kubernetes.io/name: Ur + eP0gw: ZlmzgOXE + maxSkew: -623096425 + topologyKey: fFI6B + whenUnsatisfiable: PdDm + volumes: + - name: truststore + secret: + defaultMode: 292 + secretName: zmW + - name: cert + secret: + defaultMode: 292 + secretName: G485 + - name: key + secret: + defaultMode: 292 + secretName: dQ5 + - name: rc-credentials + secret: + defaultMode: 292 + secretName: 2h + - name: JoBYh + - name: 4s31 +-- testdata/case-042.yaml.golden -- +--- +# Source: connectors/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + 0F3sU: SaJRcWm + GUF2flpqQUL: KKAcWWY5 + NIiGBL37: eCFaXQGs + app.kubernetes.io/component: s9WyH2Y + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: s9WyH2Y + helm.sh/chart: connectors-0.1.12 + name: w + namespace: default +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + 0F3sU: SaJRcWm + GUF2flpqQUL: KKAcWWY5 + NIiGBL37: eCFaXQGs + app.kubernetes.io/component: s9WyH2Y + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: s9WyH2Y + fzz: CLoaDJm9w + helm.sh/chart: connectors-0.1.12 + rryVp: TZ + name: 8Tb8k +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: -1489153770 + protocol: TCP + targetPort: -1489153770 + - name: GYfGwLr + port: -1114107001 + protocol: TCP + targetPort: -1114107001 + selector: + 0F3sU: SaJRcWm + GUF2flpqQUL: KKAcWWY5 + NIiGBL37: eCFaXQGs + app.kubernetes.io/component: s9WyH2Y + app.kubernetes.io/instance: console + app.kubernetes.io/name: s9WyH2Y + sessionAffinity: None + type: ClusterIP +-- testdata/case-043.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + 25swrT: LyMk + AgV: 2ZT + LR7E9YY7J: rc + Mv: hvvf9ur + aWpK: fy05 + app.kubernetes.io/component: WdYlcGB + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: WdYlcGB + helm.sh/chart: connectors-0.1.12 + xYCcuP: zC + name: L +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 2118887935 + protocol: TCP + targetPort: 2118887935 + - name: "0" + port: 1958832246 + protocol: TCP + targetPort: 1958832246 + selector: + Mv: hvvf9ur + aWpK: fy05 + app.kubernetes.io/component: WdYlcGB + app.kubernetes.io/instance: console + app.kubernetes.io/name: WdYlcGB + xYCcuP: zC + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/pod-monitor.yaml +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + annotations: + k8EzKZ: oXYkaOnH + creationTimestamp: null + labels: + 07sPUbsx7a: "4" + name: DPRe +spec: + namespaceSelector: + any: true + podMetricsEndpoints: + - bearerTokenSecret: + key: "" + path: / + port: prometheus + selector: + matchLabels: + Mv: hvvf9ur + aWpK: fy05 + app.kubernetes.io/component: WdYlcGB + app.kubernetes.io/instance: console + app.kubernetes.io/name: WdYlcGB + xYCcuP: zC +-- testdata/case-044.yaml.golden -- +--- +# Source: connectors/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: R64C + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: R64C + helm.sh/chart: connectors-0.1.12 + name: c + namespace: default +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: R64C + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: R64C + helm.sh/chart: connectors-0.1.12 + t7u5eHUdpR: nq6injR + name: L +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 871084350 + protocol: TCP + targetPort: 871084350 + - name: 2Pm + port: -597719959 + protocol: TCP + targetPort: -597719959 + - name: z + port: -1354836854 + protocol: TCP + targetPort: -1354836854 + selector: + app.kubernetes.io/component: R64C + app.kubernetes.io/instance: console + app.kubernetes.io/name: R64C + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: R64C + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: R64C + e1: EPUL4 + helm.sh/chart: connectors-0.1.12 + name: ZNfeDYT +spec: + progressDeadlineSeconds: -1210754760 + replicas: null + revisionHistoryLimit: 400792738 + selector: + matchLabels: + app.kubernetes.io/component: R64C + app.kubernetes.io/instance: console + app.kubernetes.io/name: R64C + strategy: + type: AQc + template: + metadata: + annotations: + e1: EPUL4 + creationTimestamp: null + labels: + app.kubernetes.io/component: R64C + app.kubernetes.io/instance: console + app.kubernetes.io/name: R64C + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: ggOgs + operator: ʆ=Ǭ + values: + - 6xOHO + weight: 1438312308 + - preference: + matchExpressions: + - key: sVT + operator: Nj溚K$P" + - key: 3i + operator: 状w¿鄏荤džöǹĄ + values: + - hl9dZyPnxN + - C87 + - key: Pt + operator: ʬƴXw/8綷 + values: + - S9I6Qrsfz + matchFields: + - key: Gvnxn3 + operator: â氠喬 + values: + - d + weight: -886172272 + - preference: + matchExpressions: + - key: oy973i + operator: 圅¢璸'ɆʥʚvǴMĴ + values: + - OBP + - "1" + - YNoey99 + - key: Zy0iQotc + operator: +g + values: + - FO1apzD9 + - epCNQ66B + matchFields: + - key: 8nakITBFg + operator: '|ȍ' + values: + - 9z + - RX + - key: "" + operator: Mȃ"ô薱黭夃< + values: + - "" + - C + - YE3 + - key: iZFE5e + operator: nǮ + values: + - LHp7ijJ + weight: 567068826 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: we + operator: ɜP苞崉汊S + values: + - 1zCAp + - DVu + - key: piI + operator: Ǔɽ觩-鸭諣0ʙɮ鈿莳CyJ2 + values: + - 8oy + - HijL4M2 + - key: Xjq + operator: d遢豾9藌NJəBǔ,ɿǸ5Ƶº'芎婑( + values: + - kGBJo + - MpcP0e2Tga + matchFields: + - key: JhC5vQ1U8 + operator: "" + values: + - t + podAffinity: {} + podAntiAffinity: null + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=871084350 + rest.port=871084350 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=S7uyvF + offset.storage.topic=1EER + config.storage.topic=MSUfKAm + status.storage.topic=d6yOc + offset.storage.redpanda.remote.read=true + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=true + config.storage.redpanda.remote.write=true + status.storage.redpanda.remote.read=true + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1272331222 + config.storage.replication.factor=1110431616 + status.storage.replication.factor=342664574 + producer.linger.ms=-1432617314 + producer.batch.size=577860685 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.secretsManager.class=com.github.jcustenborder.kafka.config.aws.SecretsManagerConfigProvider + config.providers.secretsManager.param.secret.prefix=5dJMIv88J + config.providers.secretsManager.param.aws.region=ToqBft85 + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: xypAC + - name: CONNECT_BOOTSTRAP_SERVERS + value: AJo + - name: SCHEMA_REGISTRY_URL + value: BMfK + - name: CONNECT_GC_LOG_ENABLED + value: "2" + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx0 + - name: CONNECT_LOG_LEVEL + value: p + - name: CONNECT_SASL_USERNAME + value: "n" + - name: CONNECT_SASL_MECHANISM + value: LO + - name: CONNECT_SASL_PASSWORD_FILE + value: rc-credentials/password + - name: CONNECT_TLS_ENABLED + value: "true" + - name: CONNECT_TRUSTED_CERTS + value: ca/LZ8 + - name: CONNECT_TLS_AUTH_CERT + value: cert/N + - name: CONNECT_TLS_AUTH_KEY + value: key/NGmzeL6Y + - name: Hn + value: RLmuTFKt + valueFrom: + configMapKeyRef: + key: u8iVw + name: l8S7wk + optional: true + fieldRef: + apiVersion: 5q4Wkck9Yhn + fieldPath: e56i1D + resourceFieldRef: + containerName: MP6 + divisor: "0" + resource: W + secretKeyRef: + key: Sow4h93xH + name: tK6mZbO + optional: true + envFrom: + - configMapRef: + name: 6a + optional: true + prefix: wqO + secretRef: + name: eZxNk + optional: false + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: -179099947 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: -741511239 + periodSeconds: -301254020 + successThreshold: -1795354231 + timeoutSeconds: 17970381 + name: connectors-cluster + ports: + - containerPort: 871084350 + name: rest-api + protocol: TCP + - containerPort: -597719959 + name: 2Pm + protocol: TCP + - containerPort: -1354836854 + name: z + protocol: TCP + readinessProbe: + failureThreshold: 1162556666 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: -1796420049 + periodSeconds: 940741811 + successThreshold: 1628971624 + timeoutSeconds: -1878581735 + resources: + limits: + cpu: "0" + memory: "0" + requests: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /opt/kafka/connect-password/rc-credentials + name: rc-credentials + - mountPath: /opt/kafka/connect-certs/ca + name: truststore + - mountPath: /opt/kafka/connect-certs/cert + name: cert + - mountPath: /opt/kafka/connect-certs/key + name: key + - mountPath: /tmp + name: rp-connect-tmp + dnsPolicy: ClusterFirst + imagePullSecrets: + - name: HaLjyQ02L + - name: yjimP + - name: 5KCFV6 + nodeSelector: + m8ypcZn: yD + restartPolicy: OL恟´跒ɴ珛姌Ŋ + schedulerName: FfnrLnAtn3 + securityContext: + fsGroup: 5186362895627063000 + fsGroupChangePolicy: E甗dbƾ潸 + runAsGroup: 4738220116750422000 + runAsNonRoot: true + runAsUser: 4123601200118601700 + supplementalGroups: + - 5067618254965114000 + - 2922991898118782500 + sysctls: + - name: 1idwf + value: RtGFIRLv + - name: toxsb + value: "" + - name: bC + value: IcMTnt + serviceAccountName: c + terminationGracePeriodSeconds: 1834992377 + tolerations: + - effect: r"ǘ + key: 7FvMPWDDP + operator: 杍Ɍ + tolerationSeconds: -4685795240412632000 + value: G9czii + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: R64C + app.kubernetes.io/instance: console + app.kubernetes.io/name: R64C + maxSkew: -1990808403 + topologyKey: y1s + whenUnsatisfiable: bxCWoMA + volumes: + - name: truststore + secret: + defaultMode: 292 + secretName: Qd + - name: cert + secret: + defaultMode: 292 + secretName: 4Hwd2 + - name: key + secret: + defaultMode: 292 + secretName: ak + - name: rc-credentials + secret: + defaultMode: 292 + secretName: mhOAME + - name: RXJ + - name: JJ +--- +# Source: connectors/templates/pod-monitor.yaml +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + annotations: + SF8: t7jzDFP + creationTimestamp: null + labels: + "3": P + GGM8HrAa: AroHM7WrsoM + name: ZNfeDYT +spec: + namespaceSelector: + any: true + podMetricsEndpoints: + - bearerTokenSecret: + key: "" + path: / + port: prometheus + selector: + matchLabels: + app.kubernetes.io/component: R64C + app.kubernetes.io/instance: console + app.kubernetes.io/name: R64C +-- testdata/case-045.yaml.golden -- +--- +# Source: connectors/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + MbBpaa: UzKZX + app.kubernetes.io/component: 8UJFy + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8UJFy + h52qwPFCCL1xE: q + helm.sh/chart: connectors-0.1.12 + name: Vk + namespace: default +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + H8XRE: XmuXsN + MbBpaa: UzKZX + app.kubernetes.io/component: 8UJFy + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8UJFy + h52qwPFCCL1xE: q + helm.sh/chart: connectors-0.1.12 + name: 58KMN +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 1110004877 + protocol: TCP + targetPort: 1110004877 + - name: 7oEiI3 + port: -1730203461 + protocol: TCP + targetPort: -1730203461 + - name: pxPCPLymcj + port: 1857328046 + protocol: TCP + targetPort: 1857328046 + selector: + MbBpaa: UzKZX + app.kubernetes.io/component: 8UJFy + app.kubernetes.io/instance: console + app.kubernetes.io/name: 8UJFy + h52qwPFCCL1xE: q + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/pod-monitor.yaml +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + annotations: + ADPu3ozSd: q + IirIQ: nU4N + z1: CMu8InAI + creationTimestamp: null + labels: {} + name: uLr8eH +spec: + namespaceSelector: + any: true + matchNames: + - UCZpu + podMetricsEndpoints: + - bearerTokenSecret: + key: "" + path: / + port: prometheus + selector: + matchLabels: + MbBpaa: UzKZX + app.kubernetes.io/component: 8UJFy + app.kubernetes.io/instance: console + app.kubernetes.io/name: 8UJFy + h52qwPFCCL1xE: q +-- testdata/case-046.yaml.golden -- +--- +# Source: connectors/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: fa1XvkvO + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: fa1XvkvO + helm.sh/chart: connectors-0.1.12 + name: cl + namespace: default +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + H: "0" + app.kubernetes.io/component: fa1XvkvO + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: fa1XvkvO + helm.sh/chart: connectors-0.1.12 + name: UrU9Bs +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: -1606573822 + protocol: TCP + targetPort: -1606573822 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: fa1XvkvO + app.kubernetes.io/instance: console + app.kubernetes.io/name: fa1XvkvO + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/pod-monitor.yaml +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + annotations: + "N": "" + b: p + creationTimestamp: null + labels: + O: CY3sdu + UddrJ: zlyJcM + klftu: OSDi + name: tYC5CG +spec: + namespaceSelector: + any: true + podMetricsEndpoints: + - bearerTokenSecret: + key: "" + path: / + port: prometheus + selector: + matchLabels: + app.kubernetes.io/component: fa1XvkvO + app.kubernetes.io/instance: console + app.kubernetes.io/name: fa1XvkvO +-- testdata/case-047.yaml.golden -- +--- +# Source: connectors/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + "": mNGwfCN + creationTimestamp: null + labels: + YQJWn90y: CaduGS6 + app.kubernetes.io/component: wN + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: wN + helm.sh/chart: connectors-0.1.12 + ytV2tl: icxW + name: 3m + namespace: default +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + "": pZ + YQJWn90y: CaduGS6 + app.kubernetes.io/component: wN + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: wN + helm.sh/chart: connectors-0.1.12 + ytV2tl: icxW + name: xW +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 660248664 + protocol: TCP + targetPort: 660248664 + - name: V + port: -1924603054 + protocol: TCP + targetPort: -1924603054 + selector: + YQJWn90y: CaduGS6 + app.kubernetes.io/component: wN + app.kubernetes.io/instance: console + app.kubernetes.io/name: wN + ytV2tl: icxW + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + 1taGex8O: RBXE4 + A: uiKIoNCT + NtMz: b7Zk1GQ7 + YQJWn90y: CaduGS6 + app.kubernetes.io/component: wN + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: wN + helm.sh/chart: connectors-0.1.12 + ytV2tl: icxW + name: Bl0rL2 +spec: + progressDeadlineSeconds: -1524384619 + replicas: null + revisionHistoryLimit: 1994939456 + selector: + matchLabels: + YQJWn90y: CaduGS6 + app.kubernetes.io/component: wN + app.kubernetes.io/instance: console + app.kubernetes.io/name: wN + ytV2tl: icxW + strategy: + type: RDNEX8T + template: + metadata: + annotations: + 1taGex8O: RBXE4 + A: uiKIoNCT + NtMz: b7Zk1GQ7 + creationTimestamp: null + labels: + YQJWn90y: CaduGS6 + app.kubernetes.io/component: wN + app.kubernetes.io/instance: console + app.kubernetes.io/name: wN + ytV2tl: icxW + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: ajGWX3E + operator: Ǫ囍 + values: + - HbIL2OUP + - q + matchFields: + - key: 453h + operator: DZƮìX莁Ǜ詍^屶K}豫ţoJ櫉 + values: + - h + - a4s + - key: Y1AE + operator: 4噸đƪǶS绲aģ序e$襫枠ÿ攒 + values: + - uVsu + weight: -280128439 + - preference: {} + weight: 46457932 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: {} + podAntiAffinity: null + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=660248664 + rest.port=660248664 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id= + offset.storage.topic=s0 + config.storage.topic=zpj + status.storage.topic=e3Caq + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=true + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=true + status.storage.redpanda.remote.write=true + offset.storage.replication.factor=-551216099 + config.storage.replication.factor=181733785 + status.storage.replication.factor=894783312 + producer.linger.ms=-999496889 + producer.batch.size=221474765 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: s + - name: CONNECT_BOOTSTRAP_SERVERS + value: "" + - name: SCHEMA_REGISTRY_URL + value: W9TUtY + - name: CONNECT_GC_LOG_ENABLED + value: zIkzV8Ox + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx0 + - name: CONNECT_LOG_LEVEL + value: b + - name: CONNECT_TLS_ENABLED + value: "true" + - name: CONNECT_TRUSTED_CERTS + value: ca/REGD0a + - name: CONNECT_TLS_AUTH_CERT + value: cert/aG9QIiXqg + - name: CONNECT_TLS_AUTH_KEY + value: key/D + envFrom: + - configMapRef: + name: dx + optional: true + prefix: OgoO8WCa + secretRef: + optional: true + - configMapRef: + name: Kk + optional: false + prefix: 6Rdx + secretRef: + name: nM5Hn4S + optional: false + - configMapRef: + name: nQ + optional: true + prefix: z70 + secretRef: + name: C + optional: true + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: -2044419963 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 888211900 + periodSeconds: -42722218 + successThreshold: 337318108 + timeoutSeconds: 1870975781 + name: connectors-cluster + ports: + - containerPort: 660248664 + name: rest-api + protocol: TCP + - containerPort: -1924603054 + name: V + protocol: TCP + readinessProbe: + failureThreshold: -2099739674 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: -359104350 + periodSeconds: 1897832932 + successThreshold: -962367820 + timeoutSeconds: -677019415 + resources: + limits: + cpu: "0" + memory: "0" + requests: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /opt/kafka/connect-certs/ca + name: truststore + - mountPath: /opt/kafka/connect-certs/cert + name: cert + - mountPath: /opt/kafka/connect-certs/key + name: key + - mountPath: 5aM + mountPropagation: Ěɲ'再ʖ|皑F9ĺOĆ|Oô + name: 2HGf2z + subPath: vuF7gt + subPathExpr: y6zTs2 + - mountPath: QU6 + mountPropagation: QǢx槱Sɼ湙Ȥ恑ñ鹒 + name: PbVBK + subPath: foAWHAo + subPathExpr: I8f + - mountPath: "" + mountPropagation: ƇNʆ¹¯檷AvdŜ踆ÿDȂ + name: cA + readOnly: true + subPath: y6Kasn + subPathExpr: DIUY0V + dnsPolicy: ClusterFirst + imagePullSecrets: + - name: LGwi + nodeSelector: + SFPTn: eN2 + restartPolicy: 爃ɥ90İĔ + schedulerName: i57b + securityContext: + fsGroup: 1520694499640274700 + fsGroupChangePolicy: 嫽Ǭ + runAsGroup: 3728458047896784400 + runAsNonRoot: false + runAsUser: -8957070032009945000 + sysctls: + - name: NBH + value: bXsgSc + - name: WTZnja + value: p4Du + serviceAccountName: 3m + terminationGracePeriodSeconds: 1122010486 + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + YQJWn90y: CaduGS6 + app.kubernetes.io/component: wN + app.kubernetes.io/instance: console + app.kubernetes.io/name: wN + ytV2tl: icxW + maxSkew: 2113683386 + topologyKey: H1AWsSn + whenUnsatisfiable: VEpgY + volumes: + - name: truststore + secret: + defaultMode: 292 + secretName: ZFEDD + - name: cert + secret: + defaultMode: 292 + secretName: zrc5V + - name: key + secret: + defaultMode: 292 + secretName: dtIKjx4fd0k + - name: Cm + - name: eHp5 + - name: r1T +--- +# Source: connectors/templates/pod-monitor.yaml +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + annotations: + "": O + AFH4V: ga95qmjNhc + creationTimestamp: null + labels: + 9HWO7MGwhk: vGHnz6 + NNg3k: hbR + RXL: VxSIXgS + name: Bl0rL2 +spec: + namespaceSelector: + any: true + matchNames: + - WZxK8iNK2gdU + podMetricsEndpoints: + - bearerTokenSecret: + key: "" + path: / + port: prometheus + selector: + matchLabels: + YQJWn90y: CaduGS6 + app.kubernetes.io/component: wN + app.kubernetes.io/instance: console + app.kubernetes.io/name: wN + ytV2tl: icxW +-- testdata/case-048.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: r7G + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: r7G + helm.sh/chart: connectors-0.1.12 + x3: e1lz + name: w4DG +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: -2097692565 + protocol: TCP + targetPort: -2097692565 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: r7G + app.kubernetes.io/instance: console + app.kubernetes.io/name: r7G + x3: e1lz + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: r7G + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: r7G + helm.sh/chart: connectors-0.1.12 + x3: e1lz + name: xPmln +spec: + progressDeadlineSeconds: -1933689162 + replicas: null + revisionHistoryLimit: -1768466640 + selector: + matchLabels: + app.kubernetes.io/component: r7G + app.kubernetes.io/instance: console + app.kubernetes.io/name: r7G + x3: e1lz + strategy: + type: OMXfGqbFsWh + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: r7G + app.kubernetes.io/instance: console + app.kubernetes.io/name: r7G + x3: e1lz + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: b + operator: 鷘泝, + values: + - 0N3rqLJ + - "4" + - 1L + matchFields: + - key: gnmK + operator: '@D煡摡o昪ɼ柤斕ɲı58,tț>' + values: + - i1 + - 5PqjZCTW + weight: -1104761106 + - preference: + matchExpressions: + - key: dT + operator: 犘ijň鉻ĴɳǁȨD + values: + - XdGct + - key: 2BYB + operator: '}閂譗輸礯Ʊx' + values: + - MU2j1Vu + - "17" + - key: ypgFjkuHHfzj + operator: '`4ʫfƗ8鲙華ė' + values: + - "y" + - LHvKvSZf2 + matchFields: + - key: GImX3 + operator: "" + values: + - xQPC + - R4R + - 3Y0mxG + weight: -521155604 + - preference: + matchExpressions: + - key: ft5L + operator: ȗ垁屹3瞬铵烱#祟渥 + matchFields: + - key: Fx + operator: ǷɂZ + values: + - WT + weight: 677594922 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: AwTQm2 + operator: 展ɏǀ襋k(ȴSǮ讶ʁ + values: + - 8i1 + - key: gQ1DB + operator: 汴F见Doĵw?Pc|昋階ʇ亸d灀麕ʞ + values: + - uqEzQKDpVw + - Q2 + - icCcpbp8 + - key: d9Z + operator: Ǽ船薲ɲĊbJĘƑƮOȄ鄹 + values: + - flK9jMt + - jt4 + - TSJ + - matchExpressions: + - key: Cf40pEWF + operator: ŌZ雯瘍 + values: + - "0" + - cSCIGvcwc + - Izvo0 + - key: mB4jp + operator: Í淙篝Hƨ_u误Ý + values: + - OTJJx + - KgWLC + - key: TxkO + operator: ȠȰsa'ʫƲ鑠 + values: + - 3gqlT + matchFields: + - key: l + operator: é糁v抯 + - key: QZFxqZ + operator: / + values: + - q0DJ + - M0 + - 6XMtos + - {} + podAffinity: {} + podAntiAffinity: null + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=-2097692565 + rest.port=-2097692565 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=piupb6 + offset.storage.topic=ytzBE0 + config.storage.topic=FBdy5 + status.storage.topic=FHVut + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=true + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=864522858 + config.storage.replication.factor=-103098671 + status.storage.replication.factor=-1797067435 + producer.linger.ms=-1816218257 + producer.batch.size=-1479166006 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: stdaxfP + - name: CONNECT_BOOTSTRAP_SERVERS + value: fOZsu37vN + - name: SCHEMA_REGISTRY_URL + value: xg4Cxakw + - name: CONNECT_GC_LOG_ENABLED + value: Fu + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx0 + - name: CONNECT_LOG_LEVEL + value: QSl3 + - name: CONNECT_SASL_USERNAME + value: aXR + - name: CONNECT_SASL_MECHANISM + value: Xr + - name: CONNECT_SASL_PASSWORD_FILE + value: rc-credentials/password + - name: CONNECT_TLS_ENABLED + value: "true" + - name: CONNECT_TRUSTED_CERTS + value: ca/hln + - name: CONNECT_TLS_AUTH_CERT + value: cert/s47Hy + - name: CONNECT_TLS_AUTH_KEY + value: key/Wxw + envFrom: + - configMapRef: + name: w9vIEs + optional: true + prefix: oFWtF + secretRef: + name: Z1 + optional: true + - configMapRef: + name: 9wMxsz + optional: false + secretRef: + name: zLL2kR + optional: false + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1532121771 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: -893256878 + periodSeconds: -674475842 + successThreshold: -1740698110 + timeoutSeconds: 326371790 + name: connectors-cluster + ports: + - containerPort: -2097692565 + name: rest-api + protocol: TCP + - containerPort: 9404 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: -2100702858 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 1930411693 + periodSeconds: 1985310483 + successThreshold: 769125679 + timeoutSeconds: -1364329005 + resources: + limits: + cpu: "0" + memory: "0" + requests: + cpu: "0" + memory: "0" + securityContext: + allowPrivilegeEscalation: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /opt/kafka/connect-password/rc-credentials + name: rc-credentials + - mountPath: /opt/kafka/connect-certs/ca + name: truststore + - mountPath: /opt/kafka/connect-certs/cert + name: cert + - mountPath: /opt/kafka/connect-certs/key + name: key + - mountPath: FgUy2D + mountPropagation: ül幯wȅƑʀ,姅 + name: kUw2 + subPath: D0Qb + subPathExpr: EemIo6uDnv0 + - mountPath: r + mountPropagation: 剐ƥ<¶抿菋ɯ粦梘ȡ( + name: 15LL4 + readOnly: true + subPath: tcGS + subPathExpr: pwB + - mountPath: aC8MZYmVC + mountPropagation: ʢǮZ薽R擽ē1Xȭ硡衕卣A礖XÚY2 + name: "9" + subPath: qg + subPathExpr: cPz1rA + dnsPolicy: ClusterFirst + imagePullSecrets: + - name: P0 + - name: AoBx4D0STGS8Z + nodeSelector: + DdMU: TvKI + cxzoe: "41" + i6KwA0A6qU1g: E6j + restartPolicy: À潌貛ă貈懍Eŵɀȩ + schedulerName: RMki + securityContext: + fsGroup: -3162007349665637000 + fsGroupChangePolicy: F@AǶvĭȟū琐噌黣坩Ǚɮŀ + runAsGroup: 164107928150233300 + runAsNonRoot: false + runAsUser: -6374867922909643000 + serviceAccountName: YIo + terminationGracePeriodSeconds: 1025063088 + tolerations: + - effect: ƸL諟Hv餣A嶌ɣYƵ轝脡sT酉 + key: rvPW78A + tolerationSeconds: 2277475321707653600 + value: zmQU7sY + - effect: 瘅1Ʉ夆 + key: 0p + operator: 冂÷s廥肚Zj陎1aÚkĤɀǟR + tolerationSeconds: 1191004605682561500 + value: sZcoDHahsR79 + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: r7G + app.kubernetes.io/instance: console + app.kubernetes.io/name: r7G + x3: e1lz + maxSkew: -1723926017 + topologyKey: KnB17 + whenUnsatisfiable: WpP6r0 + volumes: + - name: truststore + secret: + defaultMode: 292 + secretName: k5U1 + - name: cert + secret: + defaultMode: 292 + secretName: ljqjD + - name: key + secret: + defaultMode: 292 + secretName: icjt + - name: rc-credentials + secret: + defaultMode: 292 + secretName: i5 + - name: I0 +-- testdata/case-049.yaml.golden -- +--- +# Source: connectors/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + "": 0h6QKRWo + ayiUDPgwgG9: Wh + creationTimestamp: null + labels: + AxgO: ie + a: xGJKP + app.kubernetes.io/component: pyCdF + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: pyCdF + helm.sh/chart: connectors-0.1.12 + wy9DijfF9: pY + name: zr1OY + namespace: default +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + AxgO: ie + a: xGJKP + app.kubernetes.io/component: pyCdF + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: pyCdF + helm.sh/chart: connectors-0.1.12 + uH: o + wy9DijfF9: pY + name: 37ihe +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: -447671166 + protocol: TCP + targetPort: -447671166 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + AxgO: ie + a: xGJKP + app.kubernetes.io/component: pyCdF + app.kubernetes.io/instance: console + app.kubernetes.io/name: pyCdF + wy9DijfF9: pY + sessionAffinity: None + type: ClusterIP +-- testdata/custom-anti-affinity.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: connectors + helm.sh/chart: connectors-0.1.12 + name: console-connectors +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/name: connectors + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: connectors + helm.sh/chart: connectors-0.1.12 + name: console-connectors +spec: + progressDeadlineSeconds: 600 + replicas: null + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/name: connectors + strategy: + type: RollingUpdate + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/name: connectors + spec: + affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + foo: bar + topologyKey: "" + weight: 40 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + foo: bar + topologyKey: "" + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=8083 + rest.port=8083 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=connectors-cluster + offset.storage.topic=_internal_connectors_offsets + config.storage.topic=_internal_connectors_configs + status.storage.topic=_internal_connectors_status + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=1 + producer.batch.size=131072 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: "" + - name: CONNECT_BOOTSTRAP_SERVERS + value: "" + - name: CONNECT_GC_LOG_ENABLED + value: "false" + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx2G + - name: CONNECT_LOG_LEVEL + value: warn + - name: CONNECT_TLS_ENABLED + value: "false" + envFrom: [] + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: connectors-cluster + ports: + - containerPort: 8083 + name: rest-api + protocol: TCP + - containerPort: 9404 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: 2 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 5 + resources: + limits: + cpu: "1" + memory: 2350Mi + requests: + cpu: "1" + memory: 2350Mi + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /tmp + name: rp-connect-tmp + dnsPolicy: ClusterFirst + imagePullSecrets: [] + nodeSelector: {} + restartPolicy: Always + schedulerName: "" + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + runAsUser: 101 + serviceAccountName: default + terminationGracePeriodSeconds: 30 + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/name: connectors + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp +-- testdata/defaults.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: connectors + helm.sh/chart: connectors-0.1.12 + name: console-connectors +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/name: connectors + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: connectors + helm.sh/chart: connectors-0.1.12 + name: console-connectors +spec: + progressDeadlineSeconds: 600 + replicas: null + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/name: connectors + strategy: + type: RollingUpdate + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/name: connectors + spec: + affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/name: connectors + namespaces: + - default + topologyKey: kubernetes.io/hostname + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=8083 + rest.port=8083 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=connectors-cluster + offset.storage.topic=_internal_connectors_offsets + config.storage.topic=_internal_connectors_configs + status.storage.topic=_internal_connectors_status + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=1 + producer.batch.size=131072 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: "" + - name: CONNECT_BOOTSTRAP_SERVERS + value: "" + - name: CONNECT_GC_LOG_ENABLED + value: "false" + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx2G + - name: CONNECT_LOG_LEVEL + value: warn + - name: CONNECT_TLS_ENABLED + value: "false" + envFrom: [] + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: connectors-cluster + ports: + - containerPort: 8083 + name: rest-api + protocol: TCP + - containerPort: 9404 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: 2 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 5 + resources: + limits: + cpu: "1" + memory: 2350Mi + requests: + cpu: "1" + memory: 2350Mi + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /tmp + name: rp-connect-tmp + dnsPolicy: ClusterFirst + imagePullSecrets: [] + nodeSelector: {} + restartPolicy: Always + schedulerName: "" + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + runAsUser: 101 + serviceAccountName: default + terminationGracePeriodSeconds: 30 + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/name: connectors + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp +-- testdata/hard-anti-affinity.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: connectors + helm.sh/chart: connectors-0.1.12 + name: console-connectors +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/name: connectors + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: connectors + helm.sh/chart: connectors-0.1.12 + name: console-connectors +spec: + progressDeadlineSeconds: 600 + replicas: null + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/name: connectors + strategy: + type: RollingUpdate + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/name: connectors + spec: + affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/name: connectors + namespaces: + - default + topologyKey: kubernetes.io/hostname + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=8083 + rest.port=8083 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=connectors-cluster + offset.storage.topic=_internal_connectors_offsets + config.storage.topic=_internal_connectors_configs + status.storage.topic=_internal_connectors_status + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=1 + producer.batch.size=131072 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: "" + - name: CONNECT_BOOTSTRAP_SERVERS + value: "" + - name: CONNECT_GC_LOG_ENABLED + value: "false" + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx2G + - name: CONNECT_LOG_LEVEL + value: warn + - name: CONNECT_TLS_ENABLED + value: "false" + envFrom: [] + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: connectors-cluster + ports: + - containerPort: 8083 + name: rest-api + protocol: TCP + - containerPort: 9404 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: 2 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 5 + resources: + limits: + cpu: "1" + memory: 2350Mi + requests: + cpu: "1" + memory: 2350Mi + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /tmp + name: rp-connect-tmp + dnsPolicy: ClusterFirst + imagePullSecrets: [] + nodeSelector: {} + restartPolicy: Always + schedulerName: "" + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + runAsUser: 101 + serviceAccountName: default + terminationGracePeriodSeconds: 30 + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/name: connectors + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp +-- testdata/soft-anti-affinity.yaml.golden -- +--- +# Source: connectors/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: connectors + helm.sh/chart: connectors-0.1.12 + name: console-connectors +spec: + ipFamilies: + - IPv4 + ipFamilyPolicy: SingleStack + ports: + - name: rest-api + port: 8083 + protocol: TCP + targetPort: 8083 + - name: prometheus + port: 9404 + protocol: TCP + targetPort: 9404 + selector: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/name: connectors + sessionAffinity: None + type: ClusterIP +--- +# Source: connectors/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: connectors + helm.sh/chart: connectors-0.1.12 + name: console-connectors +spec: + progressDeadlineSeconds: 600 + replicas: null + revisionHistoryLimit: 10 + selector: + matchLabels: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/name: connectors + strategy: + type: RollingUpdate + template: + metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/name: connectors + spec: + affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/name: connectors + namespaces: + - default + topologyKey: kubernetes.io/hostname + weight: 100 + containers: + - command: null + env: + - name: CONNECT_CONFIGURATION + value: |- + rest.advertised.port=8083 + rest.port=8083 + key.converter=org.apache.kafka.connect.converters.ByteArrayConverter + value.converter=org.apache.kafka.connect.converters.ByteArrayConverter + group.id=connectors-cluster + offset.storage.topic=_internal_connectors_offsets + config.storage.topic=_internal_connectors_configs + status.storage.topic=_internal_connectors_status + offset.storage.redpanda.remote.read=false + offset.storage.redpanda.remote.write=false + config.storage.redpanda.remote.read=false + config.storage.redpanda.remote.write=false + status.storage.redpanda.remote.read=false + status.storage.redpanda.remote.write=false + offset.storage.replication.factor=-1 + config.storage.replication.factor=-1 + status.storage.replication.factor=-1 + producer.linger.ms=1 + producer.batch.size=131072 + config.providers=file,secretsManager,env + config.providers.file.class=org.apache.kafka.common.config.provider.FileConfigProvider + config.providers.env.class=org.apache.kafka.common.config.provider.EnvVarConfigProvider + - name: CONNECT_ADDITIONAL_CONFIGURATION + value: "" + - name: CONNECT_BOOTSTRAP_SERVERS + value: "" + - name: CONNECT_GC_LOG_ENABLED + value: "false" + - name: CONNECT_HEAP_OPTS + value: -Xms256M -Xmx2G + - name: CONNECT_LOG_LEVEL + value: warn + - name: CONNECT_TLS_ENABLED + value: "false" + envFrom: [] + image: docker.redpanda.com/redpandadata/connectors:v1.0.29 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: / + port: rest-api + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: connectors-cluster + ports: + - containerPort: 8083 + name: rest-api + protocol: TCP + - containerPort: 9404 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: 2 + httpGet: + path: /connectors + port: rest-api + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 5 + resources: + limits: + cpu: "1" + memory: 2350Mi + requests: + cpu: "1" + memory: 2350Mi + securityContext: + allowPrivilegeEscalation: false + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /tmp + name: rp-connect-tmp + dnsPolicy: ClusterFirst + imagePullSecrets: [] + nodeSelector: {} + restartPolicy: Always + schedulerName: "" + securityContext: + fsGroup: 101 + fsGroupChangePolicy: OnRootMismatch + runAsUser: 101 + serviceAccountName: default + terminationGracePeriodSeconds: 30 + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + app.kubernetes.io/component: connectors + app.kubernetes.io/instance: console + app.kubernetes.io/name: connectors + maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + volumes: + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/testdata/template-cases.txtar b/charts/redpanda/redpanda/5.9.2/charts/connectors/testdata/template-cases.txtar new file mode 100644 index 000000000..f7c4acf38 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/testdata/template-cases.txtar @@ -0,0 +1,31 @@ +-- defaults -- +# Intentionally left blank (Default values) +-- hard-anti-affinity -- +deployment: + podAntiAffinity: + topologyKey: kubernetes.io/hostname + type: hard + weight: 100 + +-- soft-anti-affinity -- +deployment: + podAntiAffinity: + topologyKey: kubernetes.io/hostname + type: soft + weight: 100 + +-- custom-anti-affinity -- +deployment: + podAntiAffinity: + type: custom + custom: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + foo: bar + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 40 + podAffinityTerm: + labelSelector: + matchLabels: + foo: bar diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/values.go b/charts/redpanda/redpanda/5.9.2/charts/connectors/values.go new file mode 100644 index 000000000..e5f58544b --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/values.go @@ -0,0 +1,212 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_values.go.tpl +package connectors + +import ( + _ "embed" + + monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1" + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/resource" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +//go:embed values.yaml +var DefaultValuesYAML []byte + +type Values struct { + NameOverride string `json:"nameOverride"` + FullnameOverride string `json:"fullnameOverride"` + CommonLabels map[string]string `json:"commonLabels"` + Tolerations []corev1.Toleration `json:"tolerations"` + Image Image `json:"image"` + ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets"` + Test Creatable `json:"test"` + Connectors Connectors `json:"connectors"` + Auth Auth `json:"auth"` + Logging Logging `json:"logging"` + Monitoring MonitoringConfig `json:"monitoring"` + Container Container `json:"container"` + Deployment DeploymentConfig `json:"deployment"` + Storage Storage `json:"storage"` + ServiceAccount ServiceAccountConfig `json:"serviceAccount"` + Service ServiceConfig `json:"service"` +} + +type Image struct { + Repository string `json:"repository"` + PullPolicy corev1.PullPolicy `json:"pullPolicy"` + Tag string `json:"tag"` +} + +type Connectors struct { + RestPort int32 `json:"restPort"` + BootstrapServers string `json:"bootstrapServers"` + SchemaRegistryURL string `json:"schemaRegistryURL"` + AdditionalConfiguration string `json:"additionalConfiguration"` + SecretManager SecretManager `json:"secretManager"` + ProducerBatchSize int32 `json:"producerBatchSize"` + ProducerLingerMS int32 `json:"producerLingerMS"` + Storage ConnectorsStorage `json:"storage"` + GroupID string `json:"groupID"` + BrokerTLS TLS `json:"brokerTLS"` +} + +type SecretManager struct { + Enabled bool `json:"enabled"` + Region string `json:"region"` + ConsolePrefix string `json:"consolePrefix"` + ConnectorsPrefix string `json:"connectorsPrefix"` +} + +type ConnectorsStorage struct { + ReplicationFactor struct { + Offset int32 `json:"offset"` + Config int32 `json:"config"` + Status int32 `json:"status"` + } `json:"replicationFactor"` + Remote struct { + Read struct { + Offset bool `json:"offset"` + Config bool `json:"config"` + Status bool `json:"status"` + } `json:"read"` + Write struct { + Offset bool `json:"offset"` + Config bool `json:"config"` + Status bool `json:"status"` + } `json:"write"` + } `json:"remote"` + Topic struct { + Offset string `json:"offset"` + Config string `json:"config"` + Status string `json:"status"` + } `json:"topic"` +} + +type TLS struct { + Enabled bool `json:"enabled"` + CA struct { + SecretRef string `json:"secretRef"` + SecretNameOverwrite string `json:"secretNameOverwrite"` + } `json:"ca"` + Cert struct { + SecretRef string `json:"secretRef"` + SecretNameOverwrite string `json:"secretNameOverwrite"` + } `json:"cert"` + Key struct { + SecretRef string `json:"secretRef"` + SecretNameOverwrite string `json:"secretNameOverwrite"` + } `json:"key"` +} + +type Auth struct { + SASL struct { + Enabled bool `json:"enabled"` + Mechanism string `json:"mechanism"` + SecretRef string `json:"secretRef"` + UserName string `json:"userName"` + } `json:"sasl"` +} + +func (c *Auth) SASLEnabled() bool { + saslEnabled := !helmette.Empty(c.SASL.UserName) + saslEnabled = saslEnabled && !helmette.Empty(c.SASL.Mechanism) + saslEnabled = saslEnabled && !helmette.Empty(c.SASL.SecretRef) + return saslEnabled +} + +type Logging struct { + Level string `json:"level"` +} + +type MonitoringConfig struct { + Enabled bool `json:"enabled"` + ScrapeInterval metav1.Duration `json:"scrapeInterval"` + Labels map[string]string `json:"labels"` + Annotations map[string]string `json:"annotations"` + NamespaceSelector monitoringv1.NamespaceSelector `json:"namespaceSelector"` +} + +type Container struct { + SecurityContext corev1.SecurityContext `json:"securityContext"` + Resources struct { + Request corev1.ResourceList `json:"request"` + Limits corev1.ResourceList `json:"limits"` + JavaMaxHeapSize *resource.Quantity `json:"javaMaxHeapSize"` + } `json:"resources"` + JavaGCLogEnabled string `json:"javaGCLogEnabled"` // XXX ugh - it ends up as an env var +} + +type DeploymentConfig struct { + Replicas *int32 `json:"replicas,omitempty"` + Create bool `json:"create"` + Command []string `json:"command,omitempty"` + Strategy appsv1.DeploymentStrategy `json:"strategy,omitempty"` + SchedulerName string `json:"schedulerName"` + Budget struct { + MaxUnavailable int32 `json:"maxUnavailable"` + } `json:"budget"` + Annotations map[string]string `json:"annotations"` + LivenessProbe *corev1.Probe `json:"livenessProbe,omitempty"` + ReadinessProbe *corev1.Probe `json:"readinessProbe,omitempty"` + ExtraEnv []corev1.EnvVar `json:"extraEnv"` + ExtraEnvFrom []corev1.EnvFromSource `json:"extraEnvFrom"` + ProgressDeadlineSeconds int32 `json:"progressDeadlineSeconds"` + RevisionHistoryLimit *int32 `json:"revisionHistoryLimit,omitempty"` + PodAffinity *corev1.PodAffinity `json:"podAffinity,omitempty"` + NodeAffinity *corev1.NodeAffinity `json:"nodeAffinity,omitempty"` + PodAntiAffinity *struct { + TopologyKey string `json:"topologyKey"` + Type string `json:"type"` + Weight *int32 `json:"weight,omitempty"` + Custom *corev1.PodAntiAffinity `json:"custom,omitempty"` + } `json:"podAntiAffinity,omitempty"` + NodeSelector map[string]string `json:"nodeSelector"` + PriorityClassName *string `json:"priorityClassName,omitempty"` // XXX uused in original template + Tolerations []corev1.Toleration `json:"tolerations"` + TopologySpreadConstraints []corev1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"` + SecurityContext *corev1.PodSecurityContext `json:"securityContext,omitempty"` + TerminationGracePeriodSeconds *int64 `json:"terminationGracePeriodSeconds,omitempty"` + RestartPolicy corev1.RestartPolicy `json:"restartPolicy"` +} + +type Storage struct { + Volume []corev1.Volume `json:"volume"` + VolumeMounts []corev1.VolumeMount `json:"volumeMounts"` +} + +type ServiceAccountConfig struct { + Create bool `json:"create"` + Annotations map[string]string `json:"annotations"` + Name string `json:"name"` +} + +type ServiceConfig struct { + Annotations map[string]string `json:"annotations"` + Name string `json:"name"` + Ports []struct { + Name string `json:"name"` + Port int32 `json:"port"` + } `json:"ports"` +} + +type Creatable struct { + Create bool `json:"create"` +} diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/values.yaml b/charts/redpanda/redpanda/5.9.2/charts/connectors/values.yaml new file mode 100644 index 000000000..f230a84d3 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/values.yaml @@ -0,0 +1,311 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This file contains values for variables referenced from yaml files in the templates directory. +# +# For further information on Helm templating see the documentation at: +# https://helm.sh/docs/chart_template_guide/values_files/ + +# +# >>> This chart requires Helm version 3.6.0 or greater <<< +# + +# Common settings +# +# -- Override `connectors.name` template. +nameOverride: "" +# -- Override `connectors.fullname` template. +fullnameOverride: "" +# -- Additional labels to add to all Kubernetes objects. +# For example, `my.k8s.service: redpanda`. +commonLabels: {} +# -- Taints to be tolerated by Pods. +# For details, +# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). +tolerations: [] + +# -- Redpanda Docker image settings. +image: + # -- Docker repository from which to pull the Redpanda Docker image. + repository: docker.redpanda.com/redpandadata/connectors + # -- The Redpanda version. + # See DockerHub for: + # [All stable versions](https://hub.docker.com/r/redpandadata/redpanda/tags) + # and [all unstable versions](https://hub.docker.com/r/redpandadata/redpanda-unstable/tags). + # @default -- `Chart.appVersion`. + tag: "" + # -- The imagePullPolicy. + # If `image.tag` is 'latest', the default is `Always`. + pullPolicy: IfNotPresent + +# -- Pull secrets may be used to provide credentials to image repositories +# See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] + +test: + create: true + +connectors: + # -- The port on which the Kafka Connect REST API listens. The API is used for administrative tasks. + restPort: 8083 + # -- A comma-separated list of Redpanda broker addresses in the format of IP:Port or DNS:Port. Kafka Connect uses this to connect to the Redpanda/Kafka cluster. + bootstrapServers: "" + # A comma-separated list of Schema Registry addresses in the format IP:Port or DNS:Port. The Schema Registry is a service that manages the schemas used by producers and consumers. + schemaRegistryURL: "" + # -- A placeholder for any Java configuration settings for Kafka Connect that are not explicitly defined in this Helm chart. Java configuration settings are passed to the Kafka Connect startup script. + additionalConfiguration: "" + secretManager: + enabled: false + region: "" + consolePrefix: "" + connectorsPrefix: "" + # -- The number of bytes of records a producer will attempt to batch together before sending to Redpanda. Batching improves throughput. + producerBatchSize: 131072 + # -- The time, in milliseconds, that a producer will wait before sending a batch of records. Waiting allows the producer to gather more records in the same batch and improve throughput. + producerLingerMS: 1 + storage: + # -- The number of replicas for each of the internal topics that Kafka Connect uses. + replicationFactor: + # -- Replication factor for the offset topic. + offset: -1 + # -- Replication factor for the configuration topic. + config: -1 + # -- Replication factor for the status topic. + status: -1 + # -- Indicates if read and write operations for the respective topics are allowed remotely. + remote: + read: + offset: false + config: false + status: false + write: + offset: false + config: false + status: false + topic: + # -- The name of the internal topic that Kafka Connect uses to store source connector offsets. + offset: _internal_connectors_offsets + # -- The name of the internal topic that Kafka Connect uses to store connector and task configurations. + config: _internal_connectors_configs + # -- The name of the internal topic that Kafka Connect uses to store connector and task status updates. + status: _internal_connectors_status + # -- A unique string that identifies the Kafka Connect cluster. It's used in the formation of the internal topic names, ensuring that multiple Kafka Connect clusters can connect to the same Redpanda cluster without interfering with each other. + groupID: connectors-cluster + brokerTLS: + enabled: false + ca: + # -- The name of the Secret where the ca.crt file content is located. + secretRef: "" + # -- If `secretRef` points to a Secret where the certificate authority (CA) is not under the + # `ca.crt` key, use `secretNameOverwrite` to overwrite it e.g. `corp-ca.crt`. + secretNameOverwrite: "" + cert: + # -- The name of the secret where client signed certificate is located + secretRef: "" + # -- If secretRef points to secret where client signed certificate is not under + # tls.crt key then please use secretNameOverwrite to overwrite it e.g. corp-tls.crt + secretNameOverwrite: "" + key: + # -- The name of the secret where client private key is located + secretRef: "" + # -- If secretRef points to secret where client private key is not under + # tls.key key then please use secretNameOverwrite to overwrite it e.g. corp-tls.key + secretNameOverwrite: "" + +# -- Authentication settings. +# For details, +# see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/). +# The first line of the secret file is used. So the first superuser is used to authenticate to the Redpanda cluster. +auth: + sasl: + enabled: false + # -- The authentication mechanism to use for the superuser. Options are `scram-sha-256` and `scram-sha-512`. + mechanism: scram-sha-512 + # -- A Secret that contains your SASL user password. + secretRef: "" + userName: "" + +# -- Log-level settings. +logging: + # -- Log level + # Valid values (from least to most verbose) are: `error`, `warn`, `info` and `debug`. + level: warn + +# -- Monitoring. +# When set to `true`, the Helm chart creates a PodMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics. +monitoring: + enabled: false + scrapeInterval: 30s + labels: {} + annotations: {} + namespaceSelector: + any: true + +container: + # + # -- Security context for the Redpanda Connectors container. + # See also `deployment.securityContext` for Pod-level settings. + securityContext: + allowPrivilegeEscalation: false + # -- Pod resource management. + resources: + request: + # Numeric values here are also acceptable. + cpu: "1" + memory: 2350Mi + limits: + cpu: "1" + memory: 2350Mi + # -- Java maximum heap size must not be greater than `container.resources.limits.memory`. + javaMaxHeapSize: 2G + javaGCLogEnabled: "false" + +deployment: + # Replicas can be used to scale Deployment + # replicas + + create: true + # Customize the command to use as the entrypoint of the Deployment. + # command: [] + strategy: + type: RollingUpdate + schedulerName: "" + budget: + maxUnavailable: 1 + # -- Additional annotations to apply to the Pods of this Deployment. + annotations: {} + # -- Adjust the period for your probes to meet your needs. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes). + livenessProbe: + initialDelaySeconds: 10 + failureThreshold: 3 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + initialDelaySeconds: 60 + failureThreshold: 2 + periodSeconds: 10 + successThreshold: 3 + timeoutSeconds: 5 + + # -- Additional environment variables for the Pods. + extraEnv: [] + # - name: RACK_ID + # value: "1" + + # -- Configure extra environment variables from Secrets and ConfigMaps. + extraEnvFrom: [] + # - secretRef: + # name: my-secret + # - configMapRef: + # name: my-configmap + + # -- The maximum time in seconds for a deployment to make progress before it is + # considered to be failed. The deployment controller will continue to process + # failed deployments and a condition with a ProgressDeadlineExceeded reason + # will be surfaced in the deployment status. Note that progress will not be + # estimated during the time a deployment is paused. + progressDeadlineSeconds: 600 + + # -- The number of old ReplicaSets to retain to allow rollback. This is a pointer + # to distinguish between explicit zero and not specified. + revisionHistoryLimit: 10 + + # -- Inter-Pod Affinity rules for scheduling Pods of this Deployment. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). + podAffinity: {} + # -- Node Affinity rules for scheduling Pods of this Deployment. + # The suggestion would be to spread Pods according to topology zone. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity). + nodeAffinity: {} + # -- Anti-affinity rules for scheduling Pods of this Deployment. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). + # You may either edit the default settings for anti-affinity rules, + # or specify new anti-affinity rules to use instead of the defaults. + podAntiAffinity: + # -- The `topologyKey` to be used. + # Can be used to spread across different nodes, AZs, regions etc. + topologyKey: kubernetes.io/hostname + # -- Valid anti-affinity types are `soft`, `hard`, or `custom`. + # Use `custom` if you want to supply your own anti-affinity rules in the `podAntiAffinity.custom` object. + type: hard + # -- Weight for `soft` anti-affinity rules. + # Does not apply for other anti-affinity types. + weight: 100 + # -- Change `podAntiAffinity.type` to `custom` and provide your own podAntiAffinity rules here. + custom: {} + # -- Node selection constraints for scheduling Pods of this Deployment. + # These constraints override the global `nodeSelector` value. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). + nodeSelector: {} + # -- PriorityClassName given to Pods of this Deployment. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). + priorityClassName: "" + # -- Taints to be tolerated by Pods of this Deployment. + # These tolerations override the global tolerations value. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). + tolerations: [] + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/). + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + securityContext: + fsGroup: 101 + runAsUser: 101 + fsGroupChangePolicy: OnRootMismatch + terminationGracePeriodSeconds: 30 + restartPolicy: Always + +storage: + volume: + - emptyDir: + medium: Memory + sizeLimit: 5Mi + name: rp-connect-tmp + volumeMounts: + - mountPath: /tmp + name: rp-connect-tmp + +# -- ServiceAccount management. +serviceAccount: + # -- Specifies whether a ServiceAccount should be created. + create: false + # -- Annotations to add to the ServiceAccount. + annotations: {} + # -- The name of the ServiceAccount to use. + # If not set and `serviceAccount.create` is `true`, + # a name is generated using the `connectors.fullname` template. + name: "" + +# -- Service management. +service: + # -- Annotations to add to the Service. + annotations: {} + # -- The name of the service to use. + # If not set, a name is generated using the `connectors.fullname` template. + name: "" + ports: + - name: prometheus + port: 9404 diff --git a/charts/redpanda/redpanda/5.9.2/charts/connectors/values_partial.gen.go b/charts/redpanda/redpanda/5.9.2/charts/connectors/values_partial.gen.go new file mode 100644 index 000000000..e13a1b217 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/connectors/values_partial.gen.go @@ -0,0 +1,188 @@ +//go:build !generate + +// +gotohelm:ignore=true +// +// Code generated by genpartial DO NOT EDIT. +package connectors + +import ( + monitoringv1 "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring/v1" + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/resource" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +type PartialValues struct { + NameOverride *string "json:\"nameOverride,omitempty\"" + FullnameOverride *string "json:\"fullnameOverride,omitempty\"" + CommonLabels map[string]string "json:\"commonLabels,omitempty\"" + Tolerations []corev1.Toleration "json:\"tolerations,omitempty\"" + Image *PartialImage "json:\"image,omitempty\"" + ImagePullSecrets []corev1.LocalObjectReference "json:\"imagePullSecrets,omitempty\"" + Test *PartialCreatable "json:\"test,omitempty\"" + Connectors *PartialConnectors "json:\"connectors,omitempty\"" + Auth *PartialAuth "json:\"auth,omitempty\"" + Logging *PartialLogging "json:\"logging,omitempty\"" + Monitoring *PartialMonitoringConfig "json:\"monitoring,omitempty\"" + Container *PartialContainer "json:\"container,omitempty\"" + Deployment *PartialDeploymentConfig "json:\"deployment,omitempty\"" + Storage *PartialStorage "json:\"storage,omitempty\"" + ServiceAccount *PartialServiceAccountConfig "json:\"serviceAccount,omitempty\"" + Service *PartialServiceConfig "json:\"service,omitempty\"" +} + +type PartialImage struct { + Repository *string "json:\"repository,omitempty\"" + PullPolicy *corev1.PullPolicy "json:\"pullPolicy,omitempty\"" + Tag *string "json:\"tag,omitempty\"" +} + +type PartialCreatable struct { + Create *bool "json:\"create,omitempty\"" +} + +type PartialConnectors struct { + RestPort *int32 "json:\"restPort,omitempty\"" + BootstrapServers *string "json:\"bootstrapServers,omitempty\"" + SchemaRegistryURL *string "json:\"schemaRegistryURL,omitempty\"" + AdditionalConfiguration *string "json:\"additionalConfiguration,omitempty\"" + SecretManager *PartialSecretManager "json:\"secretManager,omitempty\"" + ProducerBatchSize *int32 "json:\"producerBatchSize,omitempty\"" + ProducerLingerMS *int32 "json:\"producerLingerMS,omitempty\"" + Storage *PartialConnectorsStorage "json:\"storage,omitempty\"" + GroupID *string "json:\"groupID,omitempty\"" + BrokerTLS *PartialTLS "json:\"brokerTLS,omitempty\"" +} + +type PartialAuth struct { + SASL *struct { + Enabled *bool "json:\"enabled,omitempty\"" + Mechanism *string "json:\"mechanism,omitempty\"" + SecretRef *string "json:\"secretRef,omitempty\"" + UserName *string "json:\"userName,omitempty\"" + } "json:\"sasl,omitempty\"" +} + +type PartialLogging struct { + Level *string "json:\"level,omitempty\"" +} + +type PartialMonitoringConfig struct { + Enabled *bool "json:\"enabled,omitempty\"" + ScrapeInterval *metav1.Duration "json:\"scrapeInterval,omitempty\"" + Labels map[string]string "json:\"labels,omitempty\"" + Annotations map[string]string "json:\"annotations,omitempty\"" + NamespaceSelector *monitoringv1.NamespaceSelector "json:\"namespaceSelector,omitempty\"" +} + +type PartialContainer struct { + SecurityContext *corev1.SecurityContext "json:\"securityContext,omitempty\"" + Resources *struct { + Request corev1.ResourceList "json:\"request,omitempty\"" + Limits corev1.ResourceList "json:\"limits,omitempty\"" + JavaMaxHeapSize *resource.Quantity "json:\"javaMaxHeapSize,omitempty\"" + } "json:\"resources,omitempty\"" + JavaGCLogEnabled *string "json:\"javaGCLogEnabled,omitempty\"" +} + +type PartialDeploymentConfig struct { + Replicas *int32 "json:\"replicas,omitempty\"" + Create *bool "json:\"create,omitempty\"" + Command []string "json:\"command,omitempty\"" + Strategy *appsv1.DeploymentStrategy "json:\"strategy,omitempty\"" + SchedulerName *string "json:\"schedulerName,omitempty\"" + Budget *struct { + MaxUnavailable *int32 "json:\"maxUnavailable,omitempty\"" + } "json:\"budget,omitempty\"" + Annotations map[string]string "json:\"annotations,omitempty\"" + LivenessProbe *corev1.Probe "json:\"livenessProbe,omitempty\"" + ReadinessProbe *corev1.Probe "json:\"readinessProbe,omitempty\"" + ExtraEnv []corev1.EnvVar "json:\"extraEnv,omitempty\"" + ExtraEnvFrom []corev1.EnvFromSource "json:\"extraEnvFrom,omitempty\"" + ProgressDeadlineSeconds *int32 "json:\"progressDeadlineSeconds,omitempty\"" + RevisionHistoryLimit *int32 "json:\"revisionHistoryLimit,omitempty\"" + PodAffinity *corev1.PodAffinity "json:\"podAffinity,omitempty\"" + NodeAffinity *corev1.NodeAffinity "json:\"nodeAffinity,omitempty\"" + PodAntiAffinity *struct { + TopologyKey *string "json:\"topologyKey,omitempty\"" + Type *string "json:\"type,omitempty\"" + Weight *int32 "json:\"weight,omitempty\"" + Custom *corev1.PodAntiAffinity "json:\"custom,omitempty\"" + } "json:\"podAntiAffinity,omitempty\"" + NodeSelector map[string]string "json:\"nodeSelector,omitempty\"" + PriorityClassName *string "json:\"priorityClassName,omitempty\"" + Tolerations []corev1.Toleration "json:\"tolerations,omitempty\"" + TopologySpreadConstraints []corev1.TopologySpreadConstraint "json:\"topologySpreadConstraints,omitempty\"" + SecurityContext *corev1.PodSecurityContext "json:\"securityContext,omitempty\"" + TerminationGracePeriodSeconds *int64 "json:\"terminationGracePeriodSeconds,omitempty\"" + RestartPolicy *corev1.RestartPolicy "json:\"restartPolicy,omitempty\"" +} + +type PartialStorage struct { + Volume []corev1.Volume "json:\"volume,omitempty\"" + VolumeMounts []corev1.VolumeMount "json:\"volumeMounts,omitempty\"" +} + +type PartialServiceAccountConfig struct { + Create *bool "json:\"create,omitempty\"" + Annotations map[string]string "json:\"annotations,omitempty\"" + Name *string "json:\"name,omitempty\"" +} + +type PartialServiceConfig struct { + Annotations map[string]string "json:\"annotations,omitempty\"" + Name *string "json:\"name,omitempty\"" + Ports []struct { + Name *string "json:\"name,omitempty\"" + Port *int32 "json:\"port,omitempty\"" + } "json:\"ports,omitempty\"" +} + +type PartialSecretManager struct { + Enabled *bool "json:\"enabled,omitempty\"" + Region *string "json:\"region,omitempty\"" + ConsolePrefix *string "json:\"consolePrefix,omitempty\"" + ConnectorsPrefix *string "json:\"connectorsPrefix,omitempty\"" +} + +type PartialConnectorsStorage struct { + ReplicationFactor *struct { + Offset *int32 "json:\"offset,omitempty\"" + Config *int32 "json:\"config,omitempty\"" + Status *int32 "json:\"status,omitempty\"" + } "json:\"replicationFactor,omitempty\"" + Remote *struct { + Read *struct { + Offset *bool "json:\"offset,omitempty\"" + Config *bool "json:\"config,omitempty\"" + Status *bool "json:\"status,omitempty\"" + } "json:\"read,omitempty\"" + Write *struct { + Offset *bool "json:\"offset,omitempty\"" + Config *bool "json:\"config,omitempty\"" + Status *bool "json:\"status,omitempty\"" + } "json:\"write,omitempty\"" + } "json:\"remote,omitempty\"" + Topic *struct { + Offset *string "json:\"offset,omitempty\"" + Config *string "json:\"config,omitempty\"" + Status *string "json:\"status,omitempty\"" + } "json:\"topic,omitempty\"" +} + +type PartialTLS struct { + Enabled *bool "json:\"enabled,omitempty\"" + CA *struct { + SecretRef *string "json:\"secretRef,omitempty\"" + SecretNameOverwrite *string "json:\"secretNameOverwrite,omitempty\"" + } "json:\"ca,omitempty\"" + Cert *struct { + SecretRef *string "json:\"secretRef,omitempty\"" + SecretNameOverwrite *string "json:\"secretNameOverwrite,omitempty\"" + } "json:\"cert,omitempty\"" + Key *struct { + SecretRef *string "json:\"secretRef,omitempty\"" + SecretNameOverwrite *string "json:\"secretNameOverwrite,omitempty\"" + } "json:\"key,omitempty\"" +} diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/.helmignore b/charts/redpanda/redpanda/5.9.2/charts/console/.helmignore new file mode 100644 index 000000000..04ecd888b --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/.helmignore @@ -0,0 +1,24 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +README.md.gotmpl +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/Chart.yaml b/charts/redpanda/redpanda/5.9.2/charts/console/Chart.yaml new file mode 100644 index 000000000..dd51b48d8 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/Chart.yaml @@ -0,0 +1,23 @@ +annotations: + artifacthub.io/images: | + - name: redpanda + image: docker.redpanda.com/redpandadata/console:v2.7.0 + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://docs.redpanda.com + - name: "Helm (>= 3.6.0)" + url: https://helm.sh/docs/intro/install/ +apiVersion: v2 +appVersion: v2.7.0 +description: Helm chart to deploy Redpanda Console. +icon: https://images.ctfassets.net/paqvtpyf8rwu/3cYHw5UzhXCbKuR24GDFGO/73fb682e6157d11c10d5b2b5da1d5af0/skate-stand-panda.svg +kubeVersion: '>= 1.21.0-0' +maintainers: +- name: redpanda-data + url: https://github.com/orgs/redpanda-data/people +name: console +sources: +- https://github.com/redpanda-data/helm-charts +type: application +version: 0.7.29 diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/README.md b/charts/redpanda/redpanda/5.9.2/charts/console/README.md new file mode 100644 index 000000000..9bd93425f --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/README.md @@ -0,0 +1,353 @@ +# Redpanda Console Helm Chart Specification +--- +description: Find the default values and descriptions of settings in the Redpanda Console Helm chart. +--- + +![Version: 0.7.29](https://img.shields.io/badge/Version-0.7.29-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2.7.0](https://img.shields.io/badge/AppVersion-v2.7.0-informational?style=flat-square) + +This page describes the official Redpanda Console Helm Chart. In particular, this page describes the contents of the chart’s [`values.yaml` file](https://github.com/redpanda-data/helm-charts/blob/main/charts/console/values.yaml). +Each of the settings is listed and described on this page, along with any default values. + +The Redpanda Console Helm chart is included as a subchart in the Redpanda Helm chart so that you can deploy and configure Redpanda and Redpanda Console together. +For instructions on how to install and use the chart, refer to the [deployment documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-deploy/). +For instructions on how to override and customize the chart’s values, see [Configure Redpanda Console](https://docs.redpanda.com/docs/manage/kubernetes/configure-helm-chart/#configure-redpanda-console). + +---------------------------------------------- +Autogenerated from chart metadata using [helm-docs v1.13.1](https://github.com/norwoodj/helm-docs/releases/v1.13.1) + +## Source Code + +* + +## Requirements + +Kubernetes: `>= 1.21.0-0` + +## Settings + +### [affinity](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=affinity) + +**Default:** `{}` + +### [annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=annotations) + +Annotations to add to the deployment. + +**Default:** `{}` + +### [automountServiceAccountToken](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=automountServiceAccountToken) + +Automount API credentials for the Service Account into the pod. + +**Default:** `true` + +### [autoscaling.enabled](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.enabled) + +**Default:** `false` + +### [autoscaling.maxReplicas](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.maxReplicas) + +**Default:** `100` + +### [autoscaling.minReplicas](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.minReplicas) + +**Default:** `1` + +### [autoscaling.targetCPUUtilizationPercentage](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=autoscaling.targetCPUUtilizationPercentage) + +**Default:** `80` + +### [commonLabels](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=commonLabels) + +**Default:** `{}` + +### [configmap.create](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=configmap.create) + +**Default:** `true` + +### [console.config](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=console.config) + +Settings for the `Config.yaml` (required). For a reference of configuration settings, see the [Redpanda Console documentation](https://docs.redpanda.com/docs/reference/console/config/). + +**Default:** `{}` + +### [deployment.create](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=deployment.create) + +**Default:** `true` + +### [enterprise](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=enterprise) + +Settings for license key, as an alternative to secret.enterprise when a license secret is available + +**Default:** + +``` +{"licenseSecretRef":{"key":"","name":""}} +``` + +### [extraContainers](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraContainers) + +Add additional containers, such as for oauth2-proxy. + +**Default:** `[]` + +### [extraEnv](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraEnv) + +Additional environment variables for the Redpanda Console Deployment. + +**Default:** `[]` + +### [extraEnvFrom](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraEnvFrom) + +Additional environment variables for Redpanda Console mapped from Secret or ConfigMap. + +**Default:** `[]` + +### [extraVolumeMounts](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraVolumeMounts) + +Add additional volume mounts, such as for TLS keys. + +**Default:** `[]` + +### [extraVolumes](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=extraVolumes) + +Add additional volumes, such as for TLS keys. + +**Default:** `[]` + +### [fullnameOverride](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=fullnameOverride) + +Override `console.fullname` template. + +**Default:** `""` + +### [image](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image) + +Redpanda Console Docker image settings. + +**Default:** + +``` +{"pullPolicy":"IfNotPresent","registry":"docker.redpanda.com","repository":"redpandadata/console","tag":""} +``` + +### [image.pullPolicy](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image.pullPolicy) + +The imagePullPolicy. + +**Default:** `"IfNotPresent"` + +### [image.repository](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image.repository) + +Docker repository from which to pull the Redpanda Docker image. + +**Default:** `"redpandadata/console"` + +### [image.tag](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=image.tag) + +The Redpanda Console version. See DockerHub for: [All stable versions](https://hub.docker.com/r/redpandadata/console/tags) and [all unstable versions](https://hub.docker.com/r/redpandadata/console-unstable/tags). + +**Default:** `Chart.appVersion` + +### [imagePullSecrets](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=imagePullSecrets) + +Pull secrets may be used to provide credentials to image repositories See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + +**Default:** `[]` + +### [ingress.annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.annotations) + +**Default:** `{}` + +### [ingress.className](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.className) + +**Default:** `nil` + +### [ingress.enabled](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.enabled) + +**Default:** `false` + +### [ingress.hosts[0].host](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.hosts[0].host) + +**Default:** `"chart-example.local"` + +### [ingress.hosts[0].paths[0].path](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.hosts[0].paths[0].path) + +**Default:** `"/"` + +### [ingress.hosts[0].paths[0].pathType](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.hosts[0].paths[0].pathType) + +**Default:** `"ImplementationSpecific"` + +### [ingress.tls](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=ingress.tls) + +**Default:** `[]` + +### [initContainers](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=initContainers) + +Any initContainers defined should be written here + +**Default:** `{"extraInitContainers":""}` + +### [initContainers.extraInitContainers](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=initContainers.extraInitContainers) + +Additional set of init containers + +**Default:** `""` + +### [livenessProbe](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=livenessProbe) + +Settings for liveness and readiness probes. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes). + +**Default:** + +``` +{"failureThreshold":3,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":1} +``` + +### [nameOverride](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=nameOverride) + +Override `console.name` template. + +**Default:** `""` + +### [nodeSelector](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=nodeSelector) + +**Default:** `{}` + +### [podAnnotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podAnnotations) + +**Default:** `{}` + +### [podLabels](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podLabels) + +**Default:** `{}` + +### [podSecurityContext.fsGroup](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podSecurityContext.fsGroup) + +**Default:** `99` + +### [podSecurityContext.runAsUser](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=podSecurityContext.runAsUser) + +**Default:** `99` + +### [priorityClassName](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=priorityClassName) + +PriorityClassName given to Pods. For details, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). + +**Default:** `""` + +### [readinessProbe.failureThreshold](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.failureThreshold) + +**Default:** `3` + +### [readinessProbe.initialDelaySeconds](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.initialDelaySeconds) + +Grant time to test connectivity to upstream services such as Kafka and Schema Registry. + +**Default:** `10` + +### [readinessProbe.periodSeconds](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.periodSeconds) + +**Default:** `10` + +### [readinessProbe.successThreshold](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.successThreshold) + +**Default:** `1` + +### [readinessProbe.timeoutSeconds](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=readinessProbe.timeoutSeconds) + +**Default:** `1` + +### [replicaCount](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=replicaCount) + +**Default:** `1` + +### [resources](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=resources) + +**Default:** `{}` + +### [secret](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=secret) + +Create a new Kubernetes Secret for all sensitive configuration inputs. Each provided Secret is mounted automatically and made available to the Pod. If you want to use one or more existing Secrets, you can use the `extraEnvFrom` list to mount environment variables from string and secretMounts to mount files such as Certificates from Secrets. + +**Default:** + +``` +{"create":true,"enterprise":{},"kafka":{},"login":{"github":{},"google":{},"jwtSecret":"","oidc":{},"okta":{}},"redpanda":{"adminApi":{}}} +``` + +### [secret.kafka](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=secret.kafka) + +Kafka Secrets. + +**Default:** `{}` + +### [secretMounts](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=secretMounts) + +SecretMounts is an abstraction to make a Secret available in the container's filesystem. Under the hood it creates a volume and a volume mount for the Redpanda Console container. + +**Default:** `[]` + +### [securityContext.runAsNonRoot](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=securityContext.runAsNonRoot) + +**Default:** `true` + +### [service.annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.annotations) + +**Default:** `{}` + +### [service.port](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.port) + +**Default:** `8080` + +### [service.targetPort](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.targetPort) + +Override the value in `console.config.server.listenPort` if not `nil` + +**Default:** `nil` + +### [service.type](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=service.type) + +**Default:** `"ClusterIP"` + +### [serviceAccount.annotations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=serviceAccount.annotations) + +Annotations to add to the service account. + +**Default:** `{}` + +### [serviceAccount.automountServiceAccountToken](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=serviceAccount.automountServiceAccountToken) + +Specifies whether a service account should automount API-Credentials + +**Default:** `true` + +### [serviceAccount.create](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=serviceAccount.create) + +Specifies whether a service account should be created. + +**Default:** `true` + +### [serviceAccount.name](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=serviceAccount.name) + +The name of the service account to use. If not set and `serviceAccount.create` is `true`, a name is generated using the `console.fullname` template + +**Default:** `""` + +### [strategy](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=strategy) + +**Default:** `{}` + +### [tests.enabled](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=tests.enabled) + +**Default:** `true` + +### [tolerations](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=tolerations) + +**Default:** `[]` + +### [topologySpreadConstraints](https://artifacthub.io/packages/helm/redpanda-data/console?modal=values&path=topologySpreadConstraints) + +**Default:** `[]` + diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/chart_test.go b/charts/redpanda/redpanda/5.9.2/charts/console/chart_test.go new file mode 100644 index 000000000..0e652c13e --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/chart_test.go @@ -0,0 +1,158 @@ +package console + +import ( + "encoding/json" + "fmt" + "os" + "regexp" + "slices" + "testing" + + fuzz "github.com/google/gofuzz" + "github.com/redpanda-data/helm-charts/pkg/helm" + "github.com/redpanda-data/helm-charts/pkg/testutil" + "github.com/santhosh-tekuri/jsonschema/v5" + "github.com/stretchr/testify/require" + "golang.org/x/tools/txtar" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "sigs.k8s.io/yaml" +) + +// TestValues asserts that the chart's values.yaml file can be losslessly +// loaded into our type [Values] struct. +// NB: values.yaml should round trip through [Values], not [PartialValues], as +// [Values]'s omitempty tags are models after values.yaml. +func TestValues(t *testing.T) { + var typedValues Values + var unstructuredValues map[string]any + + require.NoError(t, yaml.Unmarshal(DefaultValuesYAML, &typedValues)) + require.NoError(t, yaml.Unmarshal(DefaultValuesYAML, &unstructuredValues)) + + typedValuesJSON, err := json.Marshal(typedValues) + require.NoError(t, err) + + unstructuredValuesJSON, err := json.Marshal(unstructuredValues) + require.NoError(t, err) + + require.JSONEq(t, string(unstructuredValuesJSON), string(typedValuesJSON)) +} + +func TestTemplate(t *testing.T) { + ctx := testutil.Context(t) + client, err := helm.New(helm.Options{ConfigHome: testutil.TempDir(t)}) + require.NoError(t, err) + + casesArchive, err := txtar.ParseFile("testdata/template-cases.txtar") + require.NoError(t, err) + + generatedCasesArchive, err := txtar.ParseFile("testdata/template-cases-generated.txtar") + require.NoError(t, err) + + goldens := testutil.NewTxTar(t, "testdata/template-cases.golden.txtar") + + for _, tc := range append(casesArchive.Files, generatedCasesArchive.Files...) { + tc := tc + t.Run(tc.Name, func(t *testing.T) { + var values PartialValues + require.NoError(t, yaml.Unmarshal(tc.Data, &values)) + + out, err := client.Template(ctx, ".", helm.TemplateOptions{ + Name: "console", + Values: values, + Set: []string{ + // jwtSecret defaults to a random string. Can't have that + // in snapshot testing so set it to a static value. + "secret.login.jwtSecret=SECRETKEY", + }, + }) + require.NoError(t, err) + goldens.AssertGolden(t, testutil.YAML, fmt.Sprintf("testdata/%s.yaml.golden", tc.Name), out) + }) + } +} + +// TestGenerateCases is not a test case (sorry) but a test case generator for +// the console chart. +func TestGenerateCases(t *testing.T) { + // Nasty hack to avoid making a main function somewhere. Sorry not sorry. + if !slices.Contains(os.Args, fmt.Sprintf("-test.run=%s", t.Name())) { + t.Skipf("%s will only run if explicitly specified (-run %q)", t.Name(), t.Name()) + } + + // Makes strings easier to read. + asciiStrs := func(s *string, c fuzz.Continue) { + const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789" + var x []byte + for i := 0; i < c.Intn(25); i++ { + x = append(x, alphabet[c.Intn(len(alphabet))]) + } + *s = string(x) + } + smallInts := func(s *int, c fuzz.Continue) { + *s = c.Intn(501) + } + + fuzzer := fuzz.New().NumElements(0, 3).SkipFieldsWithPattern( + regexp.MustCompile("^(SELinuxOptions|WindowsOptions|SeccompProfile|TCPSocket|HTTPHeaders|VolumeSource)$"), + ).Funcs( + asciiStrs, + smallInts, + func(t *corev1.ServiceType, c fuzz.Continue) { + types := []corev1.ServiceType{ + corev1.ServiceTypeClusterIP, + corev1.ServiceTypeExternalName, + corev1.ServiceTypeNodePort, + corev1.ServiceTypeLoadBalancer, + } + *t = types[c.Intn(len(types))] + }, + func(s *corev1.ResourceName, c fuzz.Continue) { asciiStrs((*string)(s), c) }, + func(_ *any, c fuzz.Continue) {}, + func(_ *[]corev1.ResourceClaim, c fuzz.Continue) {}, + func(_ *[]metav1.ManagedFieldsEntry, c fuzz.Continue) {}, + ) + + schema, err := jsonschema.CompileString("", string(ValuesSchemaJSON)) + require.NoError(t, err) + + nilChance := float64(0.8) + + files := make([]txtar.File, 0, 50) + for i := 0; i < 50; i++ { + // Every 5 iterations, decrease nil chance to ensure that we're biased + // towards exploring most cases. + if i%5 == 0 && nilChance > .1 { + nilChance -= .1 + } + + var values PartialValues + fuzzer.NilChance(nilChance).Fuzz(&values) + + out, err := yaml.Marshal(values) + require.NoError(t, err) + + merged, err := helm.MergeYAMLValues(t.TempDir(), DefaultValuesYAML, out) + require.NoError(t, err) + + // Ensure that our generated values comply with the schema set by the chart. + if err := schema.Validate(merged); err != nil { + t.Logf("Generated invalid values; trying again...\n%v", err) + i-- + continue + } + + files = append(files, txtar.File{ + Name: fmt.Sprintf("case-%03d", i), + Data: out, + }) + } + + archive := txtar.Format(&txtar.Archive{ + Comment: []byte(fmt.Sprintf(`Generated by %s`, t.Name())), + Files: files, + }) + + require.NoError(t, os.WriteFile("testdata/template-cases-generated.txtar", archive, 0o644)) +} diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/configmap.go b/charts/redpanda/redpanda/5.9.2/charts/console/configmap.go new file mode 100644 index 000000000..c4fa38291 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/configmap.go @@ -0,0 +1,61 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_configmap.go.tpl +package console + +import ( + "fmt" + + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +func ConfigMap(dot *helmette.Dot) *corev1.ConfigMap { + values := helmette.Unwrap[Values](dot.Values) + + if !values.ConfigMap.Create { + return nil + } + + data := map[string]string{ + "config.yaml": fmt.Sprintf("# from .Values.console.config\n%s\n", helmette.Tpl(helmette.ToYaml(values.Console.Config), dot)), + } + + if len(values.Console.Roles) > 0 { + data["roles.yaml"] = helmette.Tpl(helmette.ToYaml(map[string]any{ + "roles": values.Console.Roles, + }), dot) + } + + if len(values.Console.RoleBindings) > 0 { + data["role-bindings.yaml"] = helmette.Tpl(helmette.ToYaml(map[string]any{ + "roleBindings": values.Console.RoleBindings, + }), dot) + } + + return &corev1.ConfigMap{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "v1", + Kind: "ConfigMap", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: Fullname(dot), + Labels: Labels(dot), + }, + Data: data, + } +} diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/deployment.go b/charts/redpanda/redpanda/5.9.2/charts/console/deployment.go new file mode 100644 index 000000000..47537d40d --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/deployment.go @@ -0,0 +1,535 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_deployment.go.tpl +package console + +import ( + "fmt" + + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/intstr" + "k8s.io/utils/ptr" +) + +// Console's HTTP server Port. +// The port is defined from the provided config but can be overridden +// by setting service.targetPort and if that is missing defaults to 8080. +func ContainerPort(dot *helmette.Dot) int32 { + values := helmette.Unwrap[Values](dot.Values) + + listenPort := int32(8080) + if values.Service.TargetPort != nil { + listenPort = *values.Service.TargetPort + } + + configListenPort := helmette.Dig(values.Console.Config, nil, "server", "listenPort") + if asInt, ok := helmette.AsIntegral[int](configListenPort); ok { + return int32(asInt) + } + + return listenPort +} + +func Deployment(dot *helmette.Dot) *appsv1.Deployment { + values := helmette.Unwrap[Values](dot.Values) + + if !values.Deployment.Create { + return nil + } + + var replicas *int32 + if !values.Autoscaling.Enabled { + replicas = ptr.To(values.ReplicaCount) + } + + var initContainers []corev1.Container + if values.InitContainers.ExtraInitContainers != nil { + initContainers = helmette.UnmarshalYamlArray[corev1.Container](helmette.Tpl(*values.InitContainers.ExtraInitContainers, dot)) + } + + volumeMounts := []corev1.VolumeMount{ + { + Name: "configs", + MountPath: "/etc/console/configs", + ReadOnly: true, + }, + } + + if values.Secret.Create { + volumeMounts = append(volumeMounts, corev1.VolumeMount{ + Name: "secrets", + MountPath: "/etc/console/secrets", + ReadOnly: true, + }) + } + + for _, mount := range values.SecretMounts { + volumeMounts = append(volumeMounts, corev1.VolumeMount{ + Name: mount.Name, + MountPath: mount.Path, + SubPath: ptr.Deref(mount.SubPath, ""), + }) + } + + volumeMounts = append(volumeMounts, values.ExtraVolumeMounts...) + + return &appsv1.Deployment{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "apps/v1", + Kind: "Deployment", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: Fullname(dot), + Labels: Labels(dot), + Namespace: dot.Release.Namespace, + Annotations: values.Annotations, + }, + Spec: appsv1.DeploymentSpec{ + Replicas: replicas, + Selector: &metav1.LabelSelector{ + MatchLabels: SelectorLabels(dot), + }, + Strategy: values.Strategy, + Template: corev1.PodTemplateSpec{ + ObjectMeta: metav1.ObjectMeta{ + Annotations: helmette.Merge(map[string]string{ + "checksum/config": helmette.Sha256Sum(helmette.ToYaml(ConfigMap(dot))), + }, values.PodAnnotations), + Labels: helmette.Merge(SelectorLabels(dot), values.PodLabels), + }, + Spec: corev1.PodSpec{ + ImagePullSecrets: values.ImagePullSecrets, + ServiceAccountName: ServiceAccountName(dot), + AutomountServiceAccountToken: &values.AutomountServiceAccountToken, + SecurityContext: &values.PodSecurityContext, + NodeSelector: values.NodeSelector, + Affinity: &values.Affinity, + TopologySpreadConstraints: values.TopologySpreadConstraints, + PriorityClassName: values.PriorityClassName, + Tolerations: values.Tolerations, + Volumes: consolePodVolumes(dot), + InitContainers: initContainers, + Containers: append([]corev1.Container{ + { + Name: dot.Chart.Name, + Command: values.Deployment.Command, + Args: append([]string{ + "--config.filepath=/etc/console/configs/config.yaml", + }, values.Deployment.ExtraArgs...), + SecurityContext: &values.SecurityContext, + Image: containerImage(dot), + ImagePullPolicy: values.Image.PullPolicy, + Ports: []corev1.ContainerPort{ + { + Name: "http", + ContainerPort: ContainerPort(dot), + Protocol: corev1.ProtocolTCP, + }, + }, + VolumeMounts: volumeMounts, + LivenessProbe: &corev1.Probe{ + InitialDelaySeconds: values.LivenessProbe.InitialDelaySeconds, // TODO what to do with this?? + PeriodSeconds: values.LivenessProbe.PeriodSeconds, + TimeoutSeconds: values.LivenessProbe.TimeoutSeconds, + SuccessThreshold: values.LivenessProbe.SuccessThreshold, + FailureThreshold: values.LivenessProbe.FailureThreshold, + ProbeHandler: corev1.ProbeHandler{ + HTTPGet: &corev1.HTTPGetAction{ + Path: "/admin/health", + Port: intstr.FromString("http"), + }, + }, + }, + ReadinessProbe: &corev1.Probe{ + InitialDelaySeconds: values.ReadinessProbe.InitialDelaySeconds, + PeriodSeconds: values.ReadinessProbe.PeriodSeconds, + TimeoutSeconds: values.ReadinessProbe.TimeoutSeconds, + SuccessThreshold: values.ReadinessProbe.SuccessThreshold, + FailureThreshold: values.ReadinessProbe.FailureThreshold, + ProbeHandler: corev1.ProbeHandler{ + HTTPGet: &corev1.HTTPGetAction{ + Path: "/admin/health", + Port: intstr.FromString("http"), + }, + }, + }, + Resources: values.Resources, + Env: consoleContainerEnv(dot), + EnvFrom: values.ExtraEnvFrom, + }, + }, values.ExtraContainers...), + }, + }, + }, + } +} + +// ConsoleImage +func containerImage(dot *helmette.Dot) string { + values := helmette.Unwrap[Values](dot.Values) + + tag := dot.Chart.AppVersion + if !helmette.Empty(values.Image.Tag) { + tag = *values.Image.Tag + } + + image := fmt.Sprintf("%s:%s", values.Image.Repository, tag) + + if !helmette.Empty(values.Image.Registry) { + return fmt.Sprintf("%s/%s", values.Image.Registry, image) + } + + return image +} + +type PossibleEnvVar struct { + Value any + EnvVar corev1.EnvVar +} + +func consoleContainerEnv(dot *helmette.Dot) []corev1.EnvVar { + values := helmette.Unwrap[Values](dot.Values) + + if !values.Secret.Create { + vars := values.ExtraEnv + + if !helmette.Empty(values.Enterprise.LicenseSecretRef.Name) { + vars = append(values.ExtraEnv, corev1.EnvVar{ + Name: "LICENSE", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: values.Enterprise.LicenseSecretRef.Name, + }, + Key: helmette.Default("enterprise-license", values.Enterprise.LicenseSecretRef.Key), + }, + }, + }) + } + + return vars + } + + possibleVars := []PossibleEnvVar{ + { + Value: values.Secret.Kafka.SASLPassword, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_SASL_PASSWORD", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "kafka-sasl-password", + }, + }, + }, + }, + { + Value: values.Secret.Kafka.ProtobufGitBasicAuthPassword, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_PROTOBUF_GIT_BASICAUTH_PASSWORD", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "kafka-protobuf-git-basicauth-password", + }, + }, + }, + }, + { + Value: values.Secret.Kafka.AWSMSKIAMSecretKey, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_SASL_AWSMSKIAM_SECRETKEY", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "kafka-sasl-aws-msk-iam-secret-key", + }, + }, + }, + }, + { + Value: values.Secret.Kafka.TLSCA, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_TLS_CAFILEPATH", + Value: "/etc/console/secrets/kafka-tls-ca", + }, + }, + { + Value: values.Secret.Kafka.TLSCert, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_TLS_CERTFILEPATH", + Value: "/etc/console/secrets/kafka-tls-cert", + }, + }, + { + Value: values.Secret.Kafka.TLSKey, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_TLS_KEYFILEPATH", + Value: "/etc/console/secrets/kafka-tls-key", + }, + }, + { + Value: values.Secret.Kafka.SchemaRegistryTLSCA, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH", + Value: "/etc/console/secrets/kafka-schemaregistry-tls-ca", + }, + }, + { + Value: values.Secret.Kafka.SchemaRegistryTLSCert, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_SCHEMAREGISTRY_TLS_CERTFILEPATH", + Value: "/etc/console/secrets/kafka-schemaregistry-tls-cert", + }, + }, + { + Value: values.Secret.Kafka.SchemaRegistryTLSKey, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_SCHEMAREGISTRY_TLS_KEYFILEPATH", + Value: "/etc/console/secrets/kafka-schemaregistry-tls-key", + }, + }, + { + Value: values.Secret.Kafka.SchemaRegistryPassword, + EnvVar: corev1.EnvVar{ + Name: "KAFKA_SCHEMAREGISTRY_PASSWORD", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "kafka-schema-registry-password", + }, + }, + }, + }, + { + Value: true, + EnvVar: corev1.EnvVar{ + Name: "LOGIN_JWTSECRET", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "login-jwt-secret", + }, + }, + }, + }, + { + Value: values.Secret.Login.Google.ClientSecret, + EnvVar: corev1.EnvVar{ + Name: "LOGIN_GOOGLE_CLIENTSECRET", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "login-google-oauth-client-secret", + }, + }, + }, + }, + + { + Value: values.Secret.Login.Google.GroupsServiceAccount, + EnvVar: corev1.EnvVar{ + Name: "LOGIN_GOOGLE_DIRECTORY_SERVICEACCOUNTFILEPATH", + Value: "/etc/console/secrets/login-google-groups-service-account.json", + }, + }, + { + Value: values.Secret.Login.Github.ClientSecret, + EnvVar: corev1.EnvVar{ + Name: "LOGIN_GITHUB_CLIENTSECRET", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "login-github-oauth-client-secret", + }, + }, + }, + }, + { + Value: values.Secret.Login.Github.PersonalAccessToken, + EnvVar: corev1.EnvVar{ + Name: "LOGIN_GITHUB_DIRECTORY_PERSONALACCESSTOKEN", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "login-github-personal-access-token", + }, + }, + }, + }, + { + Value: values.Secret.Login.Okta.ClientSecret, + EnvVar: corev1.EnvVar{ + Name: "LOGIN_OKTA_CLIENTSECRET", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "login-okta-client-secret", + }, + }, + }, + }, + { + Value: values.Secret.Login.Okta.DirectoryAPIToken, + EnvVar: corev1.EnvVar{ + Name: "LOGIN_OKTA_DIRECTORY_APITOKEN", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "login-okta-directory-api-token", + }, + }, + }, + }, + { + Value: values.Secret.Login.OIDC.ClientSecret, + EnvVar: corev1.EnvVar{ + Name: "LOGIN_OIDC_CLIENTSECRET", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "login-oidc-client-secret", + }, + }, + }, + }, + { + Value: values.Secret.Enterprise.License, + EnvVar: corev1.EnvVar{ + Name: "LICENSE", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "enterprise-license", + }, + }, + }, + }, + { + Value: values.Secret.Redpanda.AdminAPI.Password, + EnvVar: corev1.EnvVar{ + Name: "REDPANDA_ADMINAPI_PASSWORD", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + Key: "redpanda-admin-api-password", + }, + }, + }, + }, + { + Value: values.Secret.Redpanda.AdminAPI.TLSCA, + EnvVar: corev1.EnvVar{ + Name: "REDPANDA_ADMINAPI_TLS_CAFILEPATH", + Value: "/etc/console/secrets/redpanda-admin-api-tls-ca", + }, + }, + { + Value: values.Secret.Redpanda.AdminAPI.TLSKey, + EnvVar: corev1.EnvVar{ + Name: "REDPANDA_ADMINAPI_TLS_KEYFILEPATH", + Value: "/etc/console/secrets/redpanda-admin-api-tls-key", + }, + }, + { + Value: values.Secret.Redpanda.AdminAPI.TLSCert, + EnvVar: corev1.EnvVar{ + Name: "REDPANDA_ADMINAPI_TLS_CERTFILEPATH", + Value: "/etc/console/secrets/redpanda-admin-api-tls-cert", + }, + }, + } + + vars := values.ExtraEnv + for _, possible := range possibleVars { + if !helmette.Empty(possible.Value) { + vars = append(vars, possible.EnvVar) + } + } + + return vars +} + +func consolePodVolumes(dot *helmette.Dot) []corev1.Volume { + values := helmette.Unwrap[Values](dot.Values) + + volumes := []corev1.Volume{ + { + Name: "configs", + VolumeSource: corev1.VolumeSource{ + ConfigMap: &corev1.ConfigMapVolumeSource{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: Fullname(dot), + }, + }, + }, + }, + } + + if values.Secret.Create { + volumes = append(volumes, corev1.Volume{ + Name: "secrets", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: Fullname(dot), + }, + }, + }) + } + + for _, mount := range values.SecretMounts { + volumes = append(volumes, corev1.Volume{ + Name: mount.Name, + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: mount.SecretName, + DefaultMode: mount.DefaultMode, + }, + }, + }) + } + + return append(volumes, values.ExtraVolumes...) +} diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/examples/console-enterprise.yaml b/charts/redpanda/redpanda/5.9.2/charts/console/examples/console-enterprise.yaml new file mode 100644 index 000000000..dc3f29197 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/examples/console-enterprise.yaml @@ -0,0 +1,94 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +image: + tag: master-8fcce39 + +resources: + limits: + cpu: 1 + memory: 2Gi + requests: + cpu: 100m + memory: 512Mi + +console: + config: + kafka: + brokers: + - bootstrap.mybrokers.com:9092 + clientId: redpanda-console + sasl: + enabled: true + mechanism: SCRAM-SHA-256 + username: console + # password: set via Helm secret / Env variable + tls: + enabled: false + login: + google: + enabled: true + clientId: redacted.apps.googleusercontent.com + # clientSecret: set via Helm secret / Env variable + directory: + # serviceAccountFilepath: set via Helm secret / Env variable + targetPrincipal: admin@mycompany.com + enterprise: + rbac: + enabled: true + roleBindingsFilepath: /etc/console/configs/role-bindings.yaml + roleBindings: + - roleName: viewer + metadata: + # Metadata properties will be shown in the UI. You can omit it if you want to + name: Developers + subjects: + # You can specify all groups or users from different providers here which shall be bound to the same role + - kind: group + provider: Google + name: engineering@mycompany.com + - kind: user + provider: Google + name: singleuser@mycompany.com + - roleName: admin + metadata: + name: Admin + subjects: + - kind: user + provider: Google + name: adminperson@mycompany.com + +secret: + create: true + kafka: + saslPassword: "redacted" + enterprise: + license: "redacted" + login: + google: + clientSecret: "redacted" + groupsServiceAccount: | + { + "type": "service_account", + "project_id": "redacted", + "private_key_id": "redacted", + "private_key": "-----BEGIN PRIVATE KEY-----\nREDACTED\n-----END PRIVATE KEY-----\n", + "client_email": "redacted@projectid.iam.gserviceaccount.com", + "client_id": "redacted", + "auth_uri": "https://accounts.google.com/o/oauth2/auth", + "token_uri": "https://oauth2.googleapis.com/token", + "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", + "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/redacted.iam.gserviceaccount.com" + } diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/helpers.go b/charts/redpanda/redpanda/5.9.2/charts/console/helpers.go new file mode 100644 index 000000000..eed4aa711 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/helpers.go @@ -0,0 +1,84 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_helpers.go.tpl +package console + +import ( + "fmt" + "strings" + + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" +) + +// Expand the name of the chart. +func Name(dot *helmette.Dot) string { + values := helmette.Unwrap[Values](dot.Values) + + name := helmette.Default(dot.Chart.Name, values.NameOverride) + return cleanForK8s(name) +} + +// Create a default fully qualified app name. +// We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +// If release name contains chart name it will be used as a full name. +func Fullname(dot *helmette.Dot) string { + values := helmette.Unwrap[Values](dot.Values) + + if values.FullnameOverride != "" { + return cleanForK8s(values.FullnameOverride) + } + + name := helmette.Default(dot.Chart.Name, values.NameOverride) + + if helmette.Contains(name, dot.Release.Name) { + return cleanForK8s(dot.Release.Name) + } + + return cleanForK8s(fmt.Sprintf("%s-%s", dot.Release.Name, name)) +} + +// Create chart name and version as used by the chart label. +func Chart(dot *helmette.Dot) string { + chart := fmt.Sprintf("%s-%s", dot.Chart.Name, dot.Chart.Version) + return cleanForK8s(strings.ReplaceAll(chart, "+", "_")) +} + +// Common labels +func Labels(dot *helmette.Dot) map[string]string { + values := helmette.Unwrap[Values](dot.Values) + + labels := map[string]string{ + "helm.sh/chart": Chart(dot), + "app.kubernetes.io/managed-by": dot.Release.Service, + } + + if dot.Chart.AppVersion != "" { + labels["app.kubernetes.io/version"] = dot.Chart.AppVersion + } + + return helmette.Merge(labels, SelectorLabels(dot), values.CommonLabels) +} + +func SelectorLabels(dot *helmette.Dot) map[string]string { + return map[string]string{ + "app.kubernetes.io/name": Name(dot), + "app.kubernetes.io/instance": dot.Release.Name, + } +} + +func cleanForK8s(s string) string { + return helmette.TrimSuffix("-", helmette.Trunc(63, s)) +} diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/hpa.go b/charts/redpanda/redpanda/5.9.2/charts/console/hpa.go new file mode 100644 index 000000000..3b0458cff --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/hpa.go @@ -0,0 +1,82 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_hpa.go.tpl +package console + +import ( + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" + autoscalingv2 "k8s.io/api/autoscaling/v2" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/utils/ptr" +) + +func HorizontalPodAutoscaler(dot *helmette.Dot) *autoscalingv2.HorizontalPodAutoscaler { + values := helmette.Unwrap[Values](dot.Values) + + if !values.Autoscaling.Enabled { + return nil + } + + metrics := []autoscalingv2.MetricSpec{} + + if values.Autoscaling.TargetCPUUtilizationPercentage != nil { + metrics = append(metrics, autoscalingv2.MetricSpec{ + Type: "Resource", + Resource: &autoscalingv2.ResourceMetricSource{ + Name: corev1.ResourceCPU, + Target: autoscalingv2.MetricTarget{ + Type: autoscalingv2.UtilizationMetricType, + AverageUtilization: values.Autoscaling.TargetCPUUtilizationPercentage, + }, + }, + }) + } + + if values.Autoscaling.TargetMemoryUtilizationPercentage != nil { + metrics = append(metrics, autoscalingv2.MetricSpec{ + Type: "Resource", + Resource: &autoscalingv2.ResourceMetricSource{ + Name: corev1.ResourceMemory, + Target: autoscalingv2.MetricTarget{ + Type: autoscalingv2.UtilizationMetricType, + AverageUtilization: values.Autoscaling.TargetMemoryUtilizationPercentage, + }, + }, + }) + } + + return &autoscalingv2.HorizontalPodAutoscaler{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "autoscaling/v2", + Kind: "HorizontalPodAutoscaler", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: Fullname(dot), + Labels: Labels(dot), + }, + Spec: autoscalingv2.HorizontalPodAutoscalerSpec{ + ScaleTargetRef: autoscalingv2.CrossVersionObjectReference{ + APIVersion: "apps/v1", + Kind: "Deployment", + Name: Fullname(dot), + }, + MinReplicas: ptr.To(values.Autoscaling.MinReplicas), + MaxReplicas: values.Autoscaling.MaxReplicas, + Metrics: metrics, + }, + } +} diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/ingress.go b/charts/redpanda/redpanda/5.9.2/charts/console/ingress.go new file mode 100644 index 000000000..926c286f1 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/ingress.go @@ -0,0 +1,88 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_ingress.go.tpl +package console + +import ( + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" + networkingv1 "k8s.io/api/networking/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +func Ingress(dot *helmette.Dot) *networkingv1.Ingress { + values := helmette.Unwrap[Values](dot.Values) + + if !values.Ingress.Enabled { + return nil + } + + var tls []networkingv1.IngressTLS + for _, t := range values.Ingress.TLS { + var hosts []string + for _, host := range t.Hosts { + hosts = append(hosts, helmette.Tpl(host, dot)) + } + tls = append(tls, networkingv1.IngressTLS{ + SecretName: t.SecretName, + Hosts: hosts, + }) + } + + var rules []networkingv1.IngressRule + for _, host := range values.Ingress.Hosts { + var paths []networkingv1.HTTPIngressPath + for _, path := range host.Paths { + paths = append(paths, networkingv1.HTTPIngressPath{ + Path: path.Path, + PathType: path.PathType, + Backend: networkingv1.IngressBackend{ + Service: &networkingv1.IngressServiceBackend{ + Name: Fullname(dot), + Port: networkingv1.ServiceBackendPort{ + Number: values.Service.Port, + }, + }, + }, + }) + } + + rules = append(rules, networkingv1.IngressRule{ + Host: helmette.Tpl(host.Host, dot), + IngressRuleValue: networkingv1.IngressRuleValue{ + HTTP: &networkingv1.HTTPIngressRuleValue{ + Paths: paths, + }, + }, + }) + } + + return &networkingv1.Ingress{ + TypeMeta: metav1.TypeMeta{ + Kind: "Ingress", + APIVersion: "networking.k8s.io/v1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: Fullname(dot), + Labels: Labels(dot), + Annotations: values.Ingress.Annotations, + }, + Spec: networkingv1.IngressSpec{ + IngressClassName: values.Ingress.ClassName, + TLS: tls, + Rules: rules, + }, + } +} diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/notes.go b/charts/redpanda/redpanda/5.9.2/charts/console/notes.go new file mode 100644 index 000000000..1f652dbaf --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/notes.go @@ -0,0 +1,67 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_notes.go.tpl +package console + +import ( + "fmt" + + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" +) + +func Notes(dot *helmette.Dot) []string { + values := helmette.Unwrap[Values](dot.Values) + + commands := []string{ + `1. Get the application URL by running these commands:`, + } + if values.Ingress.Enabled { + scheme := "http" + if len(values.Ingress.TLS) > 0 { + scheme = "https" + } + for _, host := range values.Ingress.Hosts { + for _, path := range host.Paths { + commands = append(commands, fmt.Sprintf("%s://%s%s", scheme, host.Host, path.Path)) + } + } + } else if helmette.Contains("NodePort", string(values.Service.Type)) { + commands = append( + commands, + fmt.Sprintf(` export NODE_PORT=$(kubectl get --namespace %s -o jsonpath="{.spec.ports[0].nodePort}" services %s)`, dot.Release.Namespace, Fullname(dot)), + fmt.Sprintf(` export NODE_IP=$(kubectl get nodes --namespace %s -o jsonpath="{.items[0].status.addresses[0].address}")`, dot.Release.Namespace), + " echo http://$NODE_IP:$NODE_PORT", + ) + } else if helmette.Contains("NodePort", string(values.Service.Type)) { + commands = append( + commands, + ` NOTE: It may take a few minutes for the LoadBalancer IP to be available.`, + fmt.Sprintf(` You can watch the status of by running 'kubectl get --namespace %s svc -w %s'`, dot.Release.Namespace, Fullname(dot)), + fmt.Sprintf(` export SERVICE_IP=$(kubectl get svc --namespace %s %s --template "{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}")`, dot.Release.Namespace, Fullname(dot)), + fmt.Sprintf(` echo http://$SERVICE_IP:%d`, values.Service.Port), + ) + } else if helmette.Contains("ClusterIP", string(values.Service.Type)) { + commands = append( + commands, + fmt.Sprintf(` export POD_NAME=$(kubectl get pods --namespace %s -l "app.kubernetes.io/name=%s,app.kubernetes.io/instance=%s" -o jsonpath="{.items[0].metadata.name}")`, dot.Release.Namespace, Name(dot), dot.Release.Name), + fmt.Sprintf(` export CONTAINER_PORT=$(kubectl get pod --namespace %s $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")`, dot.Release.Namespace), + ` echo "Visit http://127.0.0.1:8080 to use your application"`, + fmt.Sprintf(` kubectl --namespace %s port-forward $POD_NAME 8080:$CONTAINER_PORT`, dot.Release.Namespace), + ) + } + + return commands +} diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/secret.go b/charts/redpanda/redpanda/5.9.2/charts/console/secret.go new file mode 100644 index 000000000..d23951cbd --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/secret.go @@ -0,0 +1,84 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_secret.go.tpl +package console + +import ( + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/utils/ptr" +) + +func Secret(dot *helmette.Dot) *corev1.Secret { + values := helmette.Unwrap[Values](dot.Values) + + if !values.Secret.Create { + return nil + } + + jwtSecret := values.Secret.Login.JWTSecret + if jwtSecret == "" { + jwtSecret = helmette.RandAlphaNum(32) + } + + return &corev1.Secret{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "v1", + Kind: "Secret", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: Fullname(dot), + Labels: Labels(dot), + }, + Type: corev1.SecretTypeOpaque, + StringData: map[string]string{ + // Set empty defaults, so that we can always mount them as env variable even if they are not used. + // For this reason we can't use `with` to change the scope. + + // Kafka + "kafka-sasl-password": ptr.Deref(values.Secret.Kafka.SASLPassword, ""), + "kafka-protobuf-git-basicauth-password": ptr.Deref(values.Secret.Kafka.ProtobufGitBasicAuthPassword, ""), + "kafka-sasl-aws-msk-iam-secret-key": ptr.Deref(values.Secret.Kafka.AWSMSKIAMSecretKey, ""), + "kafka-tls-ca": ptr.Deref(values.Secret.Kafka.TLSCA, ""), + "kafka-tls-cert": ptr.Deref(values.Secret.Kafka.TLSCert, ""), + "kafka-tls-key": ptr.Deref(values.Secret.Kafka.TLSKey, ""), + "kafka-schema-registry-password": ptr.Deref(values.Secret.Kafka.SchemaRegistryPassword, ""), + "kafka-schemaregistry-tls-ca": ptr.Deref(values.Secret.Kafka.SchemaRegistryTLSCA, ""), + "kafka-schemaregistry-tls-cert": ptr.Deref(values.Secret.Kafka.SchemaRegistryTLSCert, ""), + "kafka-schemaregistry-tls-key": ptr.Deref(values.Secret.Kafka.SchemaRegistryTLSKey, ""), + + // Login + "login-jwt-secret": jwtSecret, + "login-google-oauth-client-secret": ptr.Deref(values.Secret.Login.Google.ClientSecret, ""), + "login-google-groups-service-account.json": ptr.Deref(values.Secret.Login.Google.GroupsServiceAccount, ""), + "login-github-oauth-client-secret": ptr.Deref(values.Secret.Login.Github.ClientSecret, ""), + "login-github-personal-access-token": ptr.Deref(values.Secret.Login.Github.PersonalAccessToken, ""), + "login-okta-client-secret": ptr.Deref(values.Secret.Login.Okta.ClientSecret, ""), + "login-okta-directory-api-token": ptr.Deref(values.Secret.Login.Okta.DirectoryAPIToken, ""), + "login-oidc-client-secret": ptr.Deref(values.Secret.Login.OIDC.ClientSecret, ""), + + // Enterprise + "enterprise-license": ptr.Deref(values.Secret.Enterprise.License, ""), + + // Redpanda + "redpanda-admin-api-password": ptr.Deref(values.Secret.Redpanda.AdminAPI.Password, ""), + "redpanda-admin-api-tls-ca": ptr.Deref(values.Secret.Redpanda.AdminAPI.TLSCA, ""), + "redpanda-admin-api-tls-cert": ptr.Deref(values.Secret.Redpanda.AdminAPI.TLSCert, ""), + "redpanda-admin-api-tls-key": ptr.Deref(values.Secret.Redpanda.AdminAPI.TLSKey, ""), + }, + } +} diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/service.go b/charts/redpanda/redpanda/5.9.2/charts/console/service.go new file mode 100644 index 000000000..65214bf3e --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/service.go @@ -0,0 +1,60 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_service.go.tpl +package console + +import ( + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/util/intstr" +) + +func Service(dot *helmette.Dot) *corev1.Service { + values := helmette.Unwrap[Values](dot.Values) + + port := corev1.ServicePort{ + Name: "http", + Port: int32(values.Service.Port), + Protocol: corev1.ProtocolTCP, + } + + if values.Service.TargetPort != nil { + port.TargetPort = intstr.FromInt32(*values.Service.TargetPort) + } + + if helmette.Contains("NodePort", string(values.Service.Type)) && values.Service.NodePort != nil { + port.NodePort = *values.Service.NodePort + } + + return &corev1.Service{ + TypeMeta: metav1.TypeMeta{ + APIVersion: "v1", + Kind: "Service", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: Fullname(dot), + Namespace: dot.Release.Namespace, + Labels: Labels(dot), + Annotations: values.Service.Annotations, + }, + Spec: corev1.ServiceSpec{ + Type: values.Service.Type, + Selector: SelectorLabels(dot), + Ports: []corev1.ServicePort{port}, + }, + } +} diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/serviceaccount.go b/charts/redpanda/redpanda/5.9.2/charts/console/serviceaccount.go new file mode 100644 index 000000000..c23e5c92c --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/serviceaccount.go @@ -0,0 +1,60 @@ +// Licensed to the Apache Software Foundation (ASF) under one or more +// contributor license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright ownership. +// The ASF licenses this file to You under the Apache License, Version 2.0 +// (the "License"); you may not use this file except in compliance with +// the License. You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// +// +gotohelm:filename=_serviceaccount.go.tpl +package console + +import ( + "github.com/redpanda-data/helm-charts/pkg/gotohelm/helmette" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/utils/ptr" +) + +// Create the name of the service account to use +func ServiceAccountName(dot *helmette.Dot) string { + values := helmette.Unwrap[Values](dot.Values) + + if values.ServiceAccount.Create { + if values.ServiceAccount.Name != "" { + return values.ServiceAccount.Name + } + return Fullname(dot) + } + + return helmette.Default("default", values.ServiceAccount.Name) +} + +func ServiceAccount(dot *helmette.Dot) *corev1.ServiceAccount { + values := helmette.Unwrap[Values](dot.Values) + + if !values.ServiceAccount.Create { + return nil + } + + return &corev1.ServiceAccount{ + TypeMeta: metav1.TypeMeta{ + Kind: "ServiceAccount", + APIVersion: "v1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: ServiceAccountName(dot), + Labels: Labels(dot), + Namespace: dot.Release.Namespace, + Annotations: values.ServiceAccount.Annotations, + }, + AutomountServiceAccountToken: ptr.To(values.ServiceAccount.AutomountServiceAccountToken), + } +} diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/templates/NOTES.txt b/charts/redpanda/redpanda/5.9.2/charts/console/templates/NOTES.txt new file mode 100644 index 000000000..7541881fc --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/templates/NOTES.txt @@ -0,0 +1,20 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- $notes := (get ((include "console.Notes" (dict "a" (list .))) | fromJson) "r") -}} +{{- range $_, $note := $notes }} +{{ $note }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/templates/_configmap.go.tpl b/charts/redpanda/redpanda/5.9.2/charts/console/templates/_configmap.go.tpl new file mode 100644 index 000000000..14673b024 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/templates/_configmap.go.tpl @@ -0,0 +1,25 @@ +{{- /* Generated from "configmap.go" */ -}} + +{{- define "console.ConfigMap" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.configmap.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $data := (dict "config.yaml" (printf "# from .Values.console.config\n%s\n" (tpl (toYaml $values.console.config) $dot)) ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.console.roles) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $data "roles.yaml" (tpl (toYaml (dict "roles" $values.console.roles )) $dot)) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.console.roleBindings) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $data "role-bindings.yaml" (tpl (toYaml (dict "roleBindings" $values.console.roleBindings )) $dot)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "ConfigMap" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") )) "data" $data ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/templates/_deployment.go.tpl b/charts/redpanda/redpanda/5.9.2/charts/console/templates/_deployment.go.tpl new file mode 100644 index 000000000..71696bb25 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/templates/_deployment.go.tpl @@ -0,0 +1,133 @@ +{{- /* Generated from "deployment.go" */ -}} + +{{- define "console.ContainerPort" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $listenPort := ((8080 | int) | int) -}} +{{- if (ne $values.service.targetPort (coalesce nil)) -}} +{{- $listenPort = $values.service.targetPort -}} +{{- end -}} +{{- $configListenPort := (dig "server" "listenPort" (coalesce nil) $values.console.config) -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asintegral" (dict "a" (list $configListenPort) ))) "r")) ))) "r") -}} +{{- $ok_2 := $tmp_tuple_1.T2 -}} +{{- $asInt_1 := ($tmp_tuple_1.T1 | int) -}} +{{- if $ok_2 -}} +{{- $_is_returning = true -}} +{{- (dict "r" ($asInt_1 | int)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $listenPort) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.Deployment" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.deployment.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $replicas := (coalesce nil) -}} +{{- if (not $values.autoscaling.enabled) -}} +{{- $replicas = ($values.replicaCount | int) -}} +{{- end -}} +{{- $initContainers := (coalesce nil) -}} +{{- if (ne $values.initContainers.extraInitContainers (coalesce nil)) -}} +{{- $initContainers = (fromYamlArray (tpl $values.initContainers.extraInitContainers $dot)) -}} +{{- end -}} +{{- $volumeMounts := (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "configs" "mountPath" "/etc/console/configs" "readOnly" true ))) -}} +{{- if $values.secret.create -}} +{{- $volumeMounts = (concat (default (list ) $volumeMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "secrets" "mountPath" "/etc/console/secrets" "readOnly" true )))) -}} +{{- end -}} +{{- range $_, $mount := $values.secretMounts -}} +{{- $volumeMounts = (concat (default (list ) $volumeMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" $mount.name "mountPath" $mount.path "subPath" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $mount.subPath "") ))) "r") )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $volumeMounts = (concat (default (list ) $volumeMounts) (default (list ) $values.extraVolumeMounts)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "strategy" (dict ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "apps/v1" "kind" "Deployment" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "annotations" $values.annotations )) "spec" (mustMergeOverwrite (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "strategy" (dict ) ) (dict "replicas" $replicas "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "console.SelectorLabels" (dict "a" (list $dot) ))) "r") )) "strategy" $values.strategy "template" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "annotations" (merge (dict ) (dict "checksum/config" (sha256sum (toYaml (get (fromJson (include "console.ConfigMap" (dict "a" (list $dot) ))) "r"))) ) $values.podAnnotations) "labels" (merge (dict ) (get (fromJson (include "console.SelectorLabels" (dict "a" (list $dot) ))) "r") $values.podLabels) )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "imagePullSecrets" $values.imagePullSecrets "serviceAccountName" (get (fromJson (include "console.ServiceAccountName" (dict "a" (list $dot) ))) "r") "automountServiceAccountToken" $values.automountServiceAccountToken "securityContext" $values.podSecurityContext "nodeSelector" $values.nodeSelector "affinity" $values.affinity "topologySpreadConstraints" $values.topologySpreadConstraints "priorityClassName" $values.priorityClassName "tolerations" $values.tolerations "volumes" (get (fromJson (include "console.consolePodVolumes" (dict "a" (list $dot) ))) "r") "initContainers" $initContainers "containers" (concat (default (list ) (list (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" $dot.Chart.Name "command" $values.deployment.command "args" (concat (default (list ) (list "--config.filepath=/etc/console/configs/config.yaml")) (default (list ) $values.deployment.extraArgs)) "securityContext" $values.securityContext "image" (get (fromJson (include "console.containerImage" (dict "a" (list $dot) ))) "r") "imagePullPolicy" $values.image.pullPolicy "ports" (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "http" "containerPort" ((get (fromJson (include "console.ContainerPort" (dict "a" (list $dot) ))) "r") | int) "protocol" "TCP" ))) "volumeMounts" $volumeMounts "livenessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "httpGet" (mustMergeOverwrite (dict "port" 0 ) (dict "path" "/admin/health" "port" "http" )) )) (dict "initialDelaySeconds" ($values.livenessProbe.initialDelaySeconds | int) "periodSeconds" ($values.livenessProbe.periodSeconds | int) "timeoutSeconds" ($values.livenessProbe.timeoutSeconds | int) "successThreshold" ($values.livenessProbe.successThreshold | int) "failureThreshold" ($values.livenessProbe.failureThreshold | int) )) "readinessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "httpGet" (mustMergeOverwrite (dict "port" 0 ) (dict "path" "/admin/health" "port" "http" )) )) (dict "initialDelaySeconds" ($values.readinessProbe.initialDelaySeconds | int) "periodSeconds" ($values.readinessProbe.periodSeconds | int) "timeoutSeconds" ($values.readinessProbe.timeoutSeconds | int) "successThreshold" ($values.readinessProbe.successThreshold | int) "failureThreshold" ($values.readinessProbe.failureThreshold | int) )) "resources" $values.resources "env" (get (fromJson (include "console.consoleContainerEnv" (dict "a" (list $dot) ))) "r") "envFrom" $values.extraEnvFrom )))) (default (list ) $values.extraContainers)) )) )) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.containerImage" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $tag := $dot.Chart.AppVersion -}} +{{- if (not (empty $values.image.tag)) -}} +{{- $tag = $values.image.tag -}} +{{- end -}} +{{- $image := (printf "%s:%s" $values.image.repository $tag) -}} +{{- if (not (empty $values.image.registry)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s/%s" $values.image.registry $image)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $image) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.consoleContainerEnv" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.secret.create) -}} +{{- $vars := $values.extraEnv -}} +{{- if (not (empty $values.enterprise.licenseSecretRef.name)) -}} +{{- $vars = (concat (default (list ) $values.extraEnv) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "LICENSE" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $values.enterprise.licenseSecretRef.name )) (dict "key" (default "enterprise-license" $values.enterprise.licenseSecretRef.key) )) )) )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $vars) | toJson -}} +{{- break -}} +{{- end -}} +{{- $possibleVars := (list (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.saslPassword "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SASL_PASSWORD" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "kafka-sasl-password" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.protobufGitBasicAuthPassword "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_PROTOBUF_GIT_BASICAUTH_PASSWORD" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "kafka-protobuf-git-basicauth-password" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.awsMskIamSecretKey "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SASL_AWSMSKIAM_SECRETKEY" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "kafka-sasl-aws-msk-iam-secret-key" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.tlsCa "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_TLS_CAFILEPATH" "value" "/etc/console/secrets/kafka-tls-ca" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.tlsCert "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_TLS_CERTFILEPATH" "value" "/etc/console/secrets/kafka-tls-cert" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.tlsKey "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_TLS_KEYFILEPATH" "value" "/etc/console/secrets/kafka-tls-key" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.schemaRegistryTlsCa "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH" "value" "/etc/console/secrets/kafka-schemaregistry-tls-ca" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.schemaRegistryTlsCert "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SCHEMAREGISTRY_TLS_CERTFILEPATH" "value" "/etc/console/secrets/kafka-schemaregistry-tls-cert" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.schemaRegistryTlsKey "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SCHEMAREGISTRY_TLS_KEYFILEPATH" "value" "/etc/console/secrets/kafka-schemaregistry-tls-key" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.kafka.schemaRegistryPassword "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "KAFKA_SCHEMAREGISTRY_PASSWORD" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "kafka-schema-registry-password" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" true "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_JWTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-jwt-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.google.clientSecret "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_GOOGLE_CLIENTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-google-oauth-client-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.google.groupsServiceAccount "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_GOOGLE_DIRECTORY_SERVICEACCOUNTFILEPATH" "value" "/etc/console/secrets/login-google-groups-service-account.json" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.github.clientSecret "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_GITHUB_CLIENTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-github-oauth-client-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.github.personalAccessToken "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_GITHUB_DIRECTORY_PERSONALACCESSTOKEN" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-github-personal-access-token" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.okta.clientSecret "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_OKTA_CLIENTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-okta-client-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.okta.directoryApiToken "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_OKTA_DIRECTORY_APITOKEN" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-okta-directory-api-token" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.login.oidc.clientSecret "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LOGIN_OIDC_CLIENTSECRET" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "login-oidc-client-secret" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.enterprise.License "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "LICENSE" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "enterprise-license" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.redpanda.adminApi.password "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_ADMINAPI_PASSWORD" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict "key" "redpanda-admin-api-password" )) )) )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.redpanda.adminApi.tlsCa "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_ADMINAPI_TLS_CAFILEPATH" "value" "/etc/console/secrets/redpanda-admin-api-tls-ca" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.redpanda.adminApi.tlsKey "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_ADMINAPI_TLS_KEYFILEPATH" "value" "/etc/console/secrets/redpanda-admin-api-tls-key" )) )) (mustMergeOverwrite (dict "Value" (coalesce nil) "EnvVar" (dict "name" "" ) ) (dict "Value" $values.secret.redpanda.adminApi.tlsCert "EnvVar" (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_ADMINAPI_TLS_CERTFILEPATH" "value" "/etc/console/secrets/redpanda-admin-api-tls-cert" )) ))) -}} +{{- $vars := $values.extraEnv -}} +{{- range $_, $possible := $possibleVars -}} +{{- if (not (empty $possible.Value)) -}} +{{- $vars = (concat (default (list ) $vars) (list $possible.EnvVar)) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $vars) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.consolePodVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $volumes := (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) (dict )) )) (dict "name" "configs" ))) -}} +{{- if $values.secret.create -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) )) (dict "name" "secrets" )))) -}} +{{- end -}} +{{- range $_, $mount := $values.secretMounts -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" $mount.secretName "defaultMode" $mount.defaultMode )) )) (dict "name" $mount.name )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $volumes) (default (list ) $values.extraVolumes))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/templates/_helpers.go.tpl b/charts/redpanda/redpanda/5.9.2/charts/console/templates/_helpers.go.tpl new file mode 100644 index 000000000..88b00025d --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/templates/_helpers.go.tpl @@ -0,0 +1,82 @@ +{{- /* Generated from "helpers.go" */ -}} + +{{- define "console.Name" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $name := (default $dot.Chart.Name $values.nameOverride) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list $name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.Fullname" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (ne $values.fullnameOverride "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list $values.fullnameOverride) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $name := (default $dot.Chart.Name $values.nameOverride) -}} +{{- if (contains $name $dot.Release.Name) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list $dot.Release.Name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list (printf "%s-%s" $dot.Release.Name $name)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.Chart" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $chart := (printf "%s-%s" $dot.Chart.Name $dot.Chart.Version) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.cleanForK8s" (dict "a" (list (replace "+" "_" $chart)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.Labels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $labels := (dict "helm.sh/chart" (get (fromJson (include "console.Chart" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/managed-by" $dot.Release.Service ) -}} +{{- if (ne $dot.Chart.AppVersion "") -}} +{{- $_ := (set $labels "app.kubernetes.io/version" $dot.Chart.AppVersion) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $labels (get (fromJson (include "console.SelectorLabels" (dict "a" (list $dot) ))) "r") $values.commonLabels)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.SelectorLabels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "app.kubernetes.io/name" (get (fromJson (include "console.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.cleanForK8s" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (trimSuffix "-" (trunc (63 | int) $s))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/templates/_helpers.tpl b/charts/redpanda/redpanda/5.9.2/charts/console/templates/_helpers.tpl new file mode 100644 index 000000000..ee2ab5d9b --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/templates/_helpers.tpl @@ -0,0 +1,25 @@ +{{/* +Expand the name of the chart. +Used by tests/test-connection.yaml +*/}} +{{- define "console.name" -}} +{{- get ((include "console.Name" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +Used by tests/test-connection.yaml +*/}} +{{- define "console.fullname" -}} +{{- get ((include "console.Fullname" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Common labels +Used by tests/test-connection.yaml +*/}} +{{- define "console.labels" -}} +{{- (get ((include "console.Labels" (dict "a" (list .))) | fromJson) "r") | toYaml -}} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/templates/_hpa.go.tpl b/charts/redpanda/redpanda/5.9.2/charts/console/templates/_hpa.go.tpl new file mode 100644 index 000000000..5957633d2 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/templates/_hpa.go.tpl @@ -0,0 +1,25 @@ +{{- /* Generated from "hpa.go" */ -}} + +{{- define "console.HorizontalPodAutoscaler" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.autoscaling.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $metrics := (list ) -}} +{{- if (ne $values.autoscaling.targetCPUUtilizationPercentage (coalesce nil)) -}} +{{- $metrics = (concat (default (list ) $metrics) (list (mustMergeOverwrite (dict "type" "" ) (dict "type" "Resource" "resource" (mustMergeOverwrite (dict "name" "" "target" (dict "type" "" ) ) (dict "name" "cpu" "target" (mustMergeOverwrite (dict "type" "" ) (dict "type" "Utilization" "averageUtilization" $values.autoscaling.targetCPUUtilizationPercentage )) )) )))) -}} +{{- end -}} +{{- if (ne $values.autoscaling.targetMemoryUtilizationPercentage (coalesce nil)) -}} +{{- $metrics = (concat (default (list ) $metrics) (list (mustMergeOverwrite (dict "type" "" ) (dict "type" "Resource" "resource" (mustMergeOverwrite (dict "name" "" "target" (dict "type" "" ) ) (dict "name" "memory" "target" (mustMergeOverwrite (dict "type" "" ) (dict "type" "Utilization" "averageUtilization" $values.autoscaling.targetMemoryUtilizationPercentage )) )) )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "scaleTargetRef" (dict "kind" "" "name" "" ) "maxReplicas" 0 ) "status" (dict "desiredReplicas" 0 "currentMetrics" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "autoscaling/v2" "kind" "HorizontalPodAutoscaler" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "scaleTargetRef" (dict "kind" "" "name" "" ) "maxReplicas" 0 ) (dict "scaleTargetRef" (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "apiVersion" "apps/v1" "kind" "Deployment" "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") )) "minReplicas" ($values.autoscaling.minReplicas | int) "maxReplicas" ($values.autoscaling.maxReplicas | int) "metrics" $metrics )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/templates/_ingress.go.tpl b/charts/redpanda/redpanda/5.9.2/charts/console/templates/_ingress.go.tpl new file mode 100644 index 000000000..0df05e870 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/templates/_ingress.go.tpl @@ -0,0 +1,46 @@ +{{- /* Generated from "ingress.go" */ -}} + +{{- define "console.Ingress" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.ingress.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $tls := (coalesce nil) -}} +{{- range $_, $t := $values.ingress.tls -}} +{{- $hosts := (coalesce nil) -}} +{{- range $_, $host := $t.hosts -}} +{{- $hosts = (concat (default (list ) $hosts) (list (tpl $host $dot))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $tls = (concat (default (list ) $tls) (list (mustMergeOverwrite (dict ) (dict "secretName" $t.secretName "hosts" $hosts )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $rules := (coalesce nil) -}} +{{- range $_, $host := $values.ingress.hosts -}} +{{- $paths := (coalesce nil) -}} +{{- range $_, $path := $host.paths -}} +{{- $paths = (concat (default (list ) $paths) (list (mustMergeOverwrite (dict "pathType" (coalesce nil) "backend" (dict ) ) (dict "path" $path.path "pathType" $path.pathType "backend" (mustMergeOverwrite (dict ) (dict "service" (mustMergeOverwrite (dict "name" "" "port" (dict ) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "port" (mustMergeOverwrite (dict ) (dict "number" ($values.service.port | int) )) )) )) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $rules = (concat (default (list ) $rules) (list (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "http" (mustMergeOverwrite (dict "paths" (coalesce nil) ) (dict "paths" $paths )) )) (dict "host" (tpl $host.host $dot) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "kind" "Ingress" "apiVersion" "networking.k8s.io/v1" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") "annotations" $values.ingress.annotations )) "spec" (mustMergeOverwrite (dict ) (dict "ingressClassName" $values.ingress.className "tls" $tls "rules" $rules )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/templates/_notes.go.tpl b/charts/redpanda/redpanda/5.9.2/charts/console/templates/_notes.go.tpl new file mode 100644 index 000000000..6b58b21ef --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/templates/_notes.go.tpl @@ -0,0 +1,40 @@ +{{- /* Generated from "notes.go" */ -}} + +{{- define "console.Notes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $commands := (list `1. Get the application URL by running these commands:`) -}} +{{- if $values.ingress.enabled -}} +{{- $scheme := "http" -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.ingress.tls) ))) "r") | int) (0 | int)) -}} +{{- $scheme = "https" -}} +{{- end -}} +{{- range $_, $host := $values.ingress.hosts -}} +{{- range $_, $path := $host.paths -}} +{{- $commands = (concat (default (list ) $commands) (list (printf "%s://%s%s" $scheme $host.host $path.path))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- else -}}{{- if (contains "NodePort" (toString $values.service.type)) -}} +{{- $commands = (concat (default (list ) $commands) (list (printf ` export NODE_PORT=$(kubectl get --namespace %s -o jsonpath="{.spec.ports[0].nodePort}" services %s)` $dot.Release.Namespace (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r")) (printf ` export NODE_IP=$(kubectl get nodes --namespace %s -o jsonpath="{.items[0].status.addresses[0].address}")` $dot.Release.Namespace) " echo http://$NODE_IP:$NODE_PORT")) -}} +{{- else -}}{{- if (contains "NodePort" (toString $values.service.type)) -}} +{{- $commands = (concat (default (list ) $commands) (list ` NOTE: It may take a few minutes for the LoadBalancer IP to be available.` (printf ` You can watch the status of by running 'kubectl get --namespace %s svc -w %s'` $dot.Release.Namespace (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r")) (printf ` export SERVICE_IP=$(kubectl get svc --namespace %s %s --template "{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}")` $dot.Release.Namespace (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r")) (printf ` echo http://$SERVICE_IP:%d` ($values.service.port | int)))) -}} +{{- else -}}{{- if (contains "ClusterIP" (toString $values.service.type)) -}} +{{- $commands = (concat (default (list ) $commands) (list (printf ` export POD_NAME=$(kubectl get pods --namespace %s -l "app.kubernetes.io/name=%s,app.kubernetes.io/instance=%s" -o jsonpath="{.items[0].metadata.name}")` $dot.Release.Namespace (get (fromJson (include "console.Name" (dict "a" (list $dot) ))) "r") $dot.Release.Name) (printf ` export CONTAINER_PORT=$(kubectl get pod --namespace %s $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")` $dot.Release.Namespace) ` echo "Visit http://127.0.0.1:8080 to use your application"` (printf ` kubectl --namespace %s port-forward $POD_NAME 8080:$CONTAINER_PORT` $dot.Release.Namespace))) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $commands) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/templates/_secret.go.tpl b/charts/redpanda/redpanda/5.9.2/charts/console/templates/_secret.go.tpl new file mode 100644 index 000000000..49e628993 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/templates/_secret.go.tpl @@ -0,0 +1,22 @@ +{{- /* Generated from "secret.go" */ -}} + +{{- define "console.Secret" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.secret.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $jwtSecret := $values.secret.login.jwtSecret -}} +{{- if (eq $jwtSecret "") -}} +{{- $jwtSecret = (randAlphaNum (32 | int)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict "kafka-sasl-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.saslPassword "") ))) "r") "kafka-protobuf-git-basicauth-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.protobufGitBasicAuthPassword "") ))) "r") "kafka-sasl-aws-msk-iam-secret-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.awsMskIamSecretKey "") ))) "r") "kafka-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.tlsCa "") ))) "r") "kafka-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.tlsCert "") ))) "r") "kafka-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.tlsKey "") ))) "r") "kafka-schema-registry-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryPassword "") ))) "r") "kafka-schemaregistry-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryTlsCa "") ))) "r") "kafka-schemaregistry-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryTlsCert "") ))) "r") "kafka-schemaregistry-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.kafka.schemaRegistryTlsKey "") ))) "r") "login-jwt-secret" $jwtSecret "login-google-oauth-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.google.clientSecret "") ))) "r") "login-google-groups-service-account.json" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.google.groupsServiceAccount "") ))) "r") "login-github-oauth-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.github.clientSecret "") ))) "r") "login-github-personal-access-token" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.github.personalAccessToken "") ))) "r") "login-okta-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.okta.clientSecret "") ))) "r") "login-okta-directory-api-token" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.okta.directoryApiToken "") ))) "r") "login-oidc-client-secret" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.login.oidc.clientSecret "") ))) "r") "enterprise-license" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.enterprise.License "") ))) "r") "redpanda-admin-api-password" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.password "") ))) "r") "redpanda-admin-api-tls-ca" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.tlsCa "") ))) "r") "redpanda-admin-api-tls-cert" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.tlsCert "") ))) "r") "redpanda-admin-api-tls-key" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.secret.redpanda.adminApi.tlsKey "") ))) "r") ) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/templates/_service.go.tpl b/charts/redpanda/redpanda/5.9.2/charts/console/templates/_service.go.tpl new file mode 100644 index 000000000..64cef3f8d --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/templates/_service.go.tpl @@ -0,0 +1,20 @@ +{{- /* Generated from "service.go" */ -}} + +{{- define "console.Service" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $port := (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "http" "port" (($values.service.port | int) | int) "protocol" "TCP" )) -}} +{{- if (ne $values.service.targetPort (coalesce nil)) -}} +{{- $_ := (set $port "targetPort" $values.service.targetPort) -}} +{{- end -}} +{{- if (and (contains "NodePort" (toString $values.service.type)) (ne $values.service.nodePort (coalesce nil))) -}} +{{- $_ := (set $port "nodePort" $values.service.nodePort) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") "annotations" $values.service.annotations )) "spec" (mustMergeOverwrite (dict ) (dict "type" $values.service.type "selector" (get (fromJson (include "console.SelectorLabels" (dict "a" (list $dot) ))) "r") "ports" (list $port) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/templates/_serviceaccount.go.tpl b/charts/redpanda/redpanda/5.9.2/charts/console/templates/_serviceaccount.go.tpl new file mode 100644 index 000000000..5a49ba3fd --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/templates/_serviceaccount.go.tpl @@ -0,0 +1,39 @@ +{{- /* Generated from "serviceaccount.go" */ -}} + +{{- define "console.ServiceAccountName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if $values.serviceAccount.create -}} +{{- if (ne $values.serviceAccount.name "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $values.serviceAccount.name) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "console.Fullname" (dict "a" (list $dot) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default "default" $values.serviceAccount.name)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "console.ServiceAccount" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.serviceAccount.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "kind" "ServiceAccount" "apiVersion" "v1" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "console.ServiceAccountName" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "console.Labels" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "annotations" $values.serviceAccount.annotations )) "automountServiceAccountToken" $values.serviceAccount.automountServiceAccountToken ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/templates/_shims.tpl b/charts/redpanda/redpanda/5.9.2/charts/console/templates/_shims.tpl new file mode 100644 index 000000000..e3bb40e41 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/templates/_shims.tpl @@ -0,0 +1,289 @@ +{{- /* Generated from "bootstrap.go" */ -}} + +{{- define "_shims.typetest" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs $typ $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.typeassertion" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (typeIs $typ $value)) -}} +{{- $_ := (fail (printf "expected type of %q got: %T" $typ $value)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $value) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.dicttest" -}} +{{- $m := (index .a 0) -}} +{{- $key := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (hasKey $m $key) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (index $m $key) true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.compact" -}} +{{- $args := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $out := (dict ) -}} +{{- range $i, $e := $args -}} +{{- $_ := (set $out (printf "T%d" ((add (1 | int) $i) | int)) $e) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $out) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.deref" -}} +{{- $ptr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq $ptr (coalesce nil)) -}} +{{- $_ := (fail "nil dereference") -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.len" -}} +{{- $m := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq $m (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (0 | int)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (len $m)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Deref" -}} +{{- $ptr := (index .a 0) -}} +{{- $def := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne $ptr (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $def) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Equal" -}} +{{- $a := (index .a 0) -}} +{{- $b := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (eq $a (coalesce nil)) (eq $b (coalesce nil))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (eq $a $b)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.lookup" -}} +{{- $apiVersion := (index .a 0) -}} +{{- $kind := (index .a 1) -}} +{{- $namespace := (index .a 2) -}} +{{- $name := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (lookup $apiVersion $kind $namespace $name) -}} +{{- if (empty $result) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (coalesce nil) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $result true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asnumeric" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs "float64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asintegral" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (or (typeIs "int64" $value) (typeIs "int" $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (and (typeIs "float64" $value) (eq (floor $value) $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.parseResource" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs "float64" $repr) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (float64 $repr) 1.0)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (not (typeIs "string" $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity expected string or float64 got: %T (%v)" $repr $repr)) -}} +{{- end -}} +{{- if (not (regexMatch `^[0-9]+(\.[0-9]{0,6})?(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$` $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity: %q" $repr)) -}} +{{- end -}} +{{- $reprStr := (toString $repr) -}} +{{- $unit := (regexFind "(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)$" $repr) -}} +{{- $numeric := (float64 (substr (0 | int) ((sub ((get (fromJson (include "_shims.len" (dict "a" (list $reprStr) ))) "r") | int) ((get (fromJson (include "_shims.len" (dict "a" (list $unit) ))) "r") | int)) | int) $reprStr)) -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list (dict "" 1.0 "m" 0.001 "k" (1000 | int) "M" (1000000 | int) "G" (1000000000 | int) "T" (1000000000000 | int) "P" (1000000000000000 | int) "Ki" (1024 | int) "Mi" (1048576 | int) "Gi" (1073741824 | int) "Ti" (1099511627776 | int) "Pi" (1125899906842624 | int) ) $unit (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_1.T2 -}} +{{- $scale := ($tmp_tuple_1.T1 | float64) -}} +{{- if (not $ok) -}} +{{- $_ := (fail (printf "unknown unit: %q" $unit)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $numeric $scale)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MustParse" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_2.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_2.T1 | float64) -}} +{{- $strs := (list "" "m" "k" "M" "G" "T" "P" "Ki" "Mi" "Gi" "Ti" "Pi") -}} +{{- $scales := (list 1.0 0.001 (1000 | int) (1000000 | int) (1000000000 | int) (1000000000000 | int) (1000000000000000 | int) (1024 | int) (1048576 | int) (1073741824 | int) (1099511627776 | int) (1125899906842624 | int)) -}} +{{- $idx := -1 -}} +{{- range $i, $s := $scales -}} +{{- if (eq ($s | float64) ($scale | float64)) -}} +{{- $idx = $i -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if (eq $idx -1) -}} +{{- $_ := (fail (printf "unknown scale: %v" $scale)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s%s" (toString $numeric) (index $strs $idx))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_Value" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_3.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_3.T1 | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf $numeric $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MilliValue" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_4.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_4.T1 | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf ((mulf $numeric 1000.0) | float64) $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.render-manifest" -}} +{{- $tpl := (index . 0) -}} +{{- $dot := (index . 1) -}} +{{- $manifests := (get ((include $tpl (dict "a" (list $dot))) | fromJson) "r") -}} +{{- if not (typeIs "[]interface {}" $manifests) -}} +{{- $manifests = (list $manifests) -}} +{{- end -}} +{{- range $_, $manifest := $manifests -}} +{{- if ne $manifest nil }} +--- +{{toYaml (unset (unset $manifest "status") "creationTimestamp")}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/templates/configmap.yaml b/charts/redpanda/redpanda/5.9.2/charts/console/templates/configmap.yaml new file mode 100644 index 000000000..cffd69938 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/templates/configmap.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "console.ConfigMap" .) -}} diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/templates/deployment.yaml b/charts/redpanda/redpanda/5.9.2/charts/console/templates/deployment.yaml new file mode 100644 index 000000000..48a149041 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/templates/deployment.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "console.Deployment" .) -}} diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/templates/hpa.yaml b/charts/redpanda/redpanda/5.9.2/charts/console/templates/hpa.yaml new file mode 100644 index 000000000..9cfc4a132 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/templates/hpa.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "console.HorizontalPodAutoscaler" .) -}} diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/templates/ingress.yaml b/charts/redpanda/redpanda/5.9.2/charts/console/templates/ingress.yaml new file mode 100644 index 000000000..ef3867869 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/templates/ingress.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "console.Ingress" .) -}} diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/templates/secret.yaml b/charts/redpanda/redpanda/5.9.2/charts/console/templates/secret.yaml new file mode 100644 index 000000000..aeeeba25e --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/templates/secret.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "console.Secret" .) -}} diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/templates/service.yaml b/charts/redpanda/redpanda/5.9.2/charts/console/templates/service.yaml new file mode 100644 index 000000000..0f1621faf --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/templates/service.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "console.Service" .) -}} diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/templates/serviceaccount.yaml b/charts/redpanda/redpanda/5.9.2/charts/console/templates/serviceaccount.yaml new file mode 100644 index 000000000..9215af70e --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/templates/serviceaccount.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "console.ServiceAccount" .) -}} diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/templates/tests/test-connection.yaml b/charts/redpanda/redpanda/5.9.2/charts/console/templates/tests/test-connection.yaml new file mode 100644 index 000000000..de17fb2b1 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/templates/tests/test-connection.yaml @@ -0,0 +1,22 @@ +{{- if .Values.tests.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "console.fullname" . }}-test-connection" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- include "console.labels" . | nindent 4 }} + annotations: + "helm.sh/hook": test +spec: +{{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} +{{- end }} + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['{{ include "console.fullname" . }}:{{ .Values.service.port }}'] + restartPolicy: Never + priorityClassName: {{ .Values.priorityClassName }} +{{- end }} \ No newline at end of file diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/testdata/template-cases-generated.txtar b/charts/redpanda/redpanda/5.9.2/charts/console/testdata/template-cases-generated.txtar new file mode 100644 index 000000000..7fd56f9de --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/testdata/template-cases-generated.txtar @@ -0,0 +1,22208 @@ +Generated by TestGenerateCases +-- case-000 -- +affinity: {} +annotations: + Q9AVJD4: G9TEnp +autoscaling: + maxReplicas: 206 + minReplicas: 312 + targetCPUUtilizationPercentage: 41 + targetMemoryUtilizationPercentage: 72 +commonLabels: + "": 31q1Pbz +extraEnv: +- name: Z2BpO + value: 0ggF3ha7D +extraVolumes: +- name: 7iCCax +- name: meEH +- name: xYVSV +fullnameOverride: hvGoJL +livenessProbe: + failureThreshold: 1028486626 + httpGet: + host: AOZs + path: YKi + port: Q8C3tKEBBI + scheme: ćpʔS欻鯡 + initialDelaySeconds: 1713123405 + periodSeconds: -1411200119 + successThreshold: -1362510905 + timeoutSeconds: 1375594715 +nameOverride: "n" +podAnnotations: + lyW: mn + pjq6fDr: YA2w301 + uXvFB: VQ5gP9 +priorityClassName: vQhDS +replicaCount: 387 +resources: + limits: + x0StjCjt: "0" +securityContext: {} +serviceAccount: + automountServiceAccountToken: false + create: true + name: HRoLg +strategy: + type: Ò泆A +-- case-001 -- +automountServiceAccountToken: true +extraContainers: +- image: LlCU3if + imagePullPolicy: RɷVȄ×ʤǫĠ侻Ɏźx跻Å榜 + lifecycle: {} + name: l0 + resources: {} + securityContext: + allowPrivilegeEscalation: true + privileged: true + startupProbe: + exec: {} + failureThreshold: -1510490758 + initialDelaySeconds: 112782468 + periodSeconds: -738545847 + successThreshold: -1801864225 + timeoutSeconds: 1026753125 + terminationMessagePath: gCG + terminationMessagePolicy: hmƂÚÕʏ疅耪鯉瓉Ɏ煐8qĺ + tty: true + workingDir: ixD7Jq +extraEnv: +- name: 3Nf + value: vATdo0CH + valueFrom: + configMapKeyRef: + key: IRw5 + name: fa + fieldRef: + apiVersion: 93Fjhay + fieldPath: LRa2I +- name: T0 + value: trXO4 +- name: P9hPooVH + value: yii5lolb + valueFrom: + configMapKeyRef: + key: spAKa + name: U0EYAAe0 +fullnameOverride: T50cZi +initContainers: + extraInitContainers: qur +nameOverride: Sh +priorityClassName: NyOpfr +replicaCount: 414 +resources: {} +tolerations: +- effect: Mǣ鍙x奬Ø裗Ʈ唿踣ʘ)ɒâÄ + key: AWx + operator: yīÄLJʑʢ避 + value: cO +- effect: ï楡ɜƐf鱖À夹ǙȤK + key: Gk23T + operator: è6槈$_ȋ6}rvĕ曉¸顋ŀÓ + value: DCkzy +- effect: 蠯u牰ŇɔnÜȎĤ原H + key: qSC + operator: "n" + tolerationSeconds: -7696192156323826068 + value: z +-- case-002 -- +deployment: {} +enterprise: {} +extraEnvFrom: +- prefix: cfVf + secretRef: + name: ha +- prefix: i2E2Jvnc +extraVolumeMounts: +- mountPath: Y40 + mountPropagation: $寕洦敬苖ēRõøȀ + name: vn5hd + readOnly: true + subPath: oXCY9 + subPathExpr: p +fullnameOverride: xZty +imagePullSecrets: +- {} +- name: YPVBzxvx +nameOverride: vN4yH7I +podAnnotations: + 8vRMfVroYC2: QXbUbLea + VV4w: s4sL + upwTMuIqflmD: 9J0H45zXX +priorityClassName: TeCy +replicaCount: 417 +resources: + limits: + 27ywV: "0" + nMnjjF4kM: "0" + xar2JX: "0" +service: + nodePort: 292 + port: 413 + targetPort: 267 + type: ILpSX2Cy +serviceAccount: + automountServiceAccountToken: true + name: R1Yar8 +tolerations: +- effect: ǩ趥螏|F8ǻĬ嵍Ğ错ʂĺƠǷ俆峻噸 + key: b + operator: wąȹV{İ刡嚮ȜJ + value: ZuTw +- effect: D稕栥[Ǟ$焫昲 + key: NnhmxYy + operator: Xʀ + value: v65W +- effect: 岂bĤ晏#DĢº + key: MOgT + operator: 礩懜蹻ǍBȟvɸ堊 + value: 3iXh +-- case-003 -- +annotations: + 6HCwaF8XIH: uIbMN + MRwga: Fq5s + mgpV: 4f +autoscaling: + maxReplicas: 411 + minReplicas: 432 + targetCPUUtilizationPercentage: 169 + targetMemoryUtilizationPercentage: 155 +configmap: + create: false +deployment: + create: false +extraVolumes: +- name: 1CIX +fullnameOverride: 8nE +ingress: + className: EqUYi + enabled: true + hosts: + - host: bKQCmfZ + - host: djItx5GtejC6 + - host: 2wLaQU8 + tls: + - hosts: + - V8BpuMCig + - 7LqG4w92 + - el3u4v + secretName: nUlu5bMwB8 + - hosts: + - 4HLzq + - 2i4g + secretName: lSgQIKwj5 +nameOverride: w6 +podSecurityContext: + fsGroup: 1512968668502336058 + runAsUser: -2578305880243425477 +priorityClassName: HNqN9h2 +replicaCount: 17 +resources: {} +secret: + create: true + kafka: + awsMskIamSecretKey: SrYY84t + protobufGitBasicAuthPassword: Fb + saslPassword: xCc3TeVY + schemaRegistryPassword: ovCqxwz9Bf + schemaRegistryTlsCa: JL + schemaRegistryTlsCert: cS + schemaRegistryTlsKey: UMwYx4F + tlsCa: HFpsnPdw + tlsCert: hseIt + tlsPassphrase: Wc0 +-- case-004 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: {} + weight: -1713447377 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: null + podAntiAffinity: {} +commonLabels: + "": PtQ7JxIAdPjt +fullnameOverride: "" +nameOverride: YMl +podAnnotations: + 1iK8Ic: Qo3FCg9qi + 63SsVxDT: v + A1Q4J4: U9jygY2t1F +priorityClassName: JT0MK +replicaCount: 261 +secretMounts: +- defaultMode: 197 + name: QmzFlXE + path: Oj + secretName: 7gi +service: + nodePort: 366 + port: 112 + targetPort: 173 + type: dO7eovC +strategy: + type: ɡv?ĨJ姯ɚƟć匪cb +-- case-005 -- +autoscaling: + enabled: false + maxReplicas: 26 + minReplicas: 380 + targetCPUUtilizationPercentage: 395 + targetMemoryUtilizationPercentage: 140 +configmap: + create: false +deployment: {} +extraVolumeMounts: +- mountPath: JU4z + name: QEJyD + subPath: ZBEy2m0m + subPathExpr: S1Kk +- mountPath: RjUw5sX7NP + name: ett1n + subPath: NmZKwz + subPathExpr: QOMT +fullnameOverride: pN +image: + registry: 7iw15D + repository: RnJFs0 + tag: OQDirE +imagePullSecrets: +- name: ATcT6Hd +- name: l15Hhw +initContainers: + extraInitContainers: Me +livenessProbe: + exec: + command: + - AJd + - HZf + - YHivxIsAJ738b5Q + failureThreshold: -1921365096 + initialDelaySeconds: -1548958176 + periodSeconds: -1952555242 + successThreshold: -1289242499 + timeoutSeconds: -265051013 +nameOverride: MW +priorityClassName: KnLhcy2cw +replicaCount: 396 +secret: + create: true + login: + github: + clientSecret: R4Zj + personalAccessToken: N85av + jwtSecret: g + oidc: + clientSecret: enei1WIcV +tests: {} +-- case-006 -- +affinity: + podAffinity: {} + podAntiAffinity: {} +configmap: + create: true +console: {} +enterprise: {} +extraVolumeMounts: +- mountPath: 5uhd1qMX + mountPropagation: ȵS鈛ZQì暗 + name: "N" + readOnly: true + subPath: lbeciOZZ + subPathExpr: Pd88cwE +- mountPath: yVo + mountPropagation: ÑƇ[嫨ĸŁ幵鿯它(ȡ~嘶ƌO情=į臺 + name: Z + readOnly: true + subPath: Nrqx + subPathExpr: Q4ChfT +fullnameOverride: rzd +image: + registry: zT38Q + repository: V + tag: iSGm6MT1 +ingress: + className: XOZv8 + enabled: false + hosts: + - host: WGn + paths: + - path: NVV + pathType: 0DK + - host: "" +initContainers: + extraInitContainers: SCgmJTj +nameOverride: gCH15URsJZr +podAnnotations: + s2D: DMU7 +podLabels: + CoBI: 20aOZaZvs + e0xqmoOD: Nb5V + ylGQE: p +priorityClassName: 1x11c0q +replicaCount: 176 +resources: + requests: + PY: "0" +secret: + enterprise: + licenseSecretRef: + key: eF + name: fQ02KR + kafka: + awsMskIamSecretKey: 1tq + protobufGitBasicAuthPassword: G + saslPassword: K8kPgIp6 + schemaRegistryPassword: "" + schemaRegistryTlsCa: Zr + schemaRegistryTlsCert: KN + schemaRegistryTlsKey: t + tlsCa: CQ + tlsCert: 6xZ8 + tlsPassphrase: JpScAmVx6 +serviceAccount: + automountServiceAccountToken: false + create: true + name: nd7TSb2mNTS +tests: + enabled: false +-- case-007 -- +commonLabels: + cV05TKdtF: 55lItpeJD + h: 1Y7dqm4wZL +configmap: {} +console: + roleBindings: + - "": null + 5w1YcAu: null +extraEnv: +- name: qY0f + value: Wu +- name: 9zVp + value: g +extraEnvFrom: +- configMapRef: + name: OUS + optional: true + prefix: YWvtgT +- configMapRef: + name: 4xZZ + prefix: Djbp99U +extraVolumes: +- name: dCz +fullnameOverride: "y" +initContainers: + extraInitContainers: RiAu +livenessProbe: + exec: + command: + - 3Ujf + - EOmDk + failureThreshold: 1105213631 + grpc: + port: -199686432 + service: H + initialDelaySeconds: -1727299217 + periodSeconds: -579129147 + successThreshold: -1278687101 + terminationGracePeriodSeconds: 7570283898099180047 + timeoutSeconds: -603846855 +nameOverride: HWL +nodeSelector: + CAy: 19kW + R2z: OpcDywz9x +podSecurityContext: + fsGroupChangePolicy: 驸Ǩiµ慷泱世 + runAsGroup: 6873387834465682841 + runAsUser: 7937848737866681002 + sysctls: + - name: mp + value: SkIvFN + - name: E + value: RknyuPB + - name: kcY + value: us1 +priorityClassName: rs +readinessProbe: + failureThreshold: 114758306 + grpc: + port: 774513900 + service: GICRd2O + initialDelaySeconds: 457836757 + periodSeconds: -1914503008 + successThreshold: 1926018786 + timeoutSeconds: 458769630 +replicaCount: 103 +resources: + requests: + 4P1f3: "0" + DmuY: "0" +secret: + login: + google: + clientSecret: Ln0 + groupsServiceAccount: gp + jwtSecret: 2j6NF + okta: + clientSecret: 3A593BjCuu + directoryApiToken: mSSz8MZ + redpanda: + adminApi: + password: t + tlsCa: QD1x71f + tlsCert: 744Ysvi + tlsKey: 56VaHh +service: + nodePort: 238 + port: 286 + targetPort: 404 + type: Vvrvx +serviceAccount: + automountServiceAccountToken: false + name: RFjc7 +-- case-008 -- +annotations: + hfXF: v4uLEC6f8m +automountServiceAccountToken: false +console: {} +deployment: {} +fullnameOverride: GbgHqD +ingress: + className: XfqwM +livenessProbe: + failureThreshold: 1421249778 + initialDelaySeconds: 1194618095 + periodSeconds: 1245060237 + successThreshold: -641096828 + timeoutSeconds: -617099936 +nameOverride: RW +podAnnotations: + BTlN: z8t + a: Pqjhw +podSecurityContext: + fsGroupChangePolicy: ǶȚ/廻 + runAsGroup: 3241750191956122115 + runAsNonRoot: false + runAsUser: 2693812519144067821 + supplementalGroups: + - -7558357415363805139 + - -9152494874115651655 + - -906805565867492888 + sysctls: + - name: CBe8XsS + value: bh + - name: pUYyG9c + value: xPm1 +priorityClassName: 0fXQqWA96 +readinessProbe: + failureThreshold: -10750427 + httpGet: + host: yftc + path: 7MDOtCNf + port: -1919050774 + scheme: ȧ楢谚 + initialDelaySeconds: 208988771 + periodSeconds: -2096658971 + successThreshold: -233405863 + timeoutSeconds: 2042765580 +replicaCount: 475 +secret: + create: false + enterprise: + licenseSecretRef: + key: "" + name: vGB +securityContext: + procMount: ȃ蘗ʮǺ踰蒐佛桸gɋ + readOnlyRootFilesystem: false + runAsGroup: 5367218369967093267 +serviceAccount: + create: true + name: YcV5zP8 +strategy: + rollingUpdate: {} + type: 堯飉J侚桤 合w犌ŝ|#è:(蹝Ƀy輐 +topologySpreadConstraints: +- maxSkew: -722842418 + nodeTaintsPolicy: uã链掎ŏȅ噘籥邟澶N3-昃嗽(七|犘 + topologyKey: vq + whenUnsatisfiable: Ȭť'Ùt苷ŲĤ蘝 +- labelSelector: {} + maxSkew: 1436245353 + nodeAffinityPolicy: 0ʠƃ氁ʆZ + topologyKey: t + whenUnsatisfiable: x叾džʜƽ耨 +- labelSelector: {} + matchLabelKeys: + - 6T2 + - FqrwFd + maxSkew: -172720268 + nodeAffinityPolicy: 觏败TʙȎ喧5婬ȑªgȢ'!ÅWp襎 + nodeTaintsPolicy: ÛB¹]ʐ梳Ě + topologyKey: VyU9 + whenUnsatisfiable: 烹wɹȐN坿¨叻ʊ鴥/Ŭ屎釽C欼 +-- case-009 -- +affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: {} +automountServiceAccountToken: true +configmap: + create: false +deployment: {} +fullnameOverride: l1Bnpx +imagePullSecrets: +- name: x42RbB4KLm +livenessProbe: + failureThreshold: -1420734522 + httpGet: + host: fFkzqM8 + path: aVVHbe + port: TkNE + scheme: ǂɷ烷Į~鼹ǵǃ楅ǰ + initialDelaySeconds: 753838163 + periodSeconds: -444344576 + successThreshold: -1003403229 + timeoutSeconds: -172453343 +nameOverride: BKV +nodeSelector: + OBRBvRK: hMXDLGN5 + ky: sv +podSecurityContext: + fsGroupChangePolicy: 灆Zeɪ霅ǭɒ<ǖ韆 + runAsGroup: -2394155475284911371 + runAsNonRoot: true + supplementalGroups: + - 802667379359895872 + - 8316082600801371691 +priorityClassName: p0ShP6Yru +readinessProbe: + failureThreshold: -286281002 + initialDelaySeconds: 138566964 + periodSeconds: -361700659 + successThreshold: 422528479 + terminationGracePeriodSeconds: 495828610939530481 + timeoutSeconds: 352721839 +replicaCount: 315 +secret: {} +secretMounts: +- defaultMode: 414 + name: yWBr98zs1 + path: xShE + secretName: YMpib3J +- defaultMode: 402 + name: qUQ5 + path: Wnbf + secretName: Pw8 +- defaultMode: 410 + name: hpqapQJQ + path: fgV + secretName: 1JLIOjZI8 +service: + annotations: + efgehQaV5UI0y: GymqDudh + nodePort: 75 + port: 229 + targetPort: 85 + type: yZy +topologySpreadConstraints: +- maxSkew: -73453467 + minDomains: 326628755 + nodeAffinityPolicy: "" + topologyKey: zWgGRC + whenUnsatisfiable: 黚堳ʈ¡ +-- case-010 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: hu5a9Q0m + operator: Ʊ飁Ɲŗʫf + values: + - fDVpOP + - fUBu2Zhz + matchFields: + - key: zOA + operator: 豔|Ĺ霱鑕yȮM錕陰蔆 + - key: uqlr1 + operator: ʏ + weight: -157546286 + - preference: + matchExpressions: + - key: yI2tB1c6Om + operator: 槼湝@)萢=\Ɇ剋Ś>(.aC俥?蔔 + values: + - 5QB3 + - C + - key: IhL2k3 + operator: "" + matchFields: + - key: Kn1 + operator: q'ʏC効L¶ƋMʐģƥƝnĤe + weight: -1818860211 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - {} + podAffinity: {} +configmap: + create: false +console: + roles: + - null +deployment: + create: true +enterprise: + licenseSecretRef: + key: 6Y + name: juyv +extraContainers: +- env: + - name: nE8 + value: hFfGzdv + valueFrom: + configMapKeyRef: + key: 9Sc + name: kviW + fieldRef: + fieldPath: bzL + resourceFieldRef: + containerName: ky9X6 + divisor: "0" + resource: RgwF + image: mEMnGhDi + imagePullPolicy: <Ǐ(嬘箓閁1_Y.脯鮉娇腾1 + name: ZyDivTyKOX + readinessProbe: + failureThreshold: 368214623 + initialDelaySeconds: 1711545214 + periodSeconds: -1669571514 + successThreshold: 830602444 + timeoutSeconds: -1406663042 + resources: + requests: + Ta: "0" + restartPolicy: M#L粓Ojw+ĸɊcƗ镃聆琮ǘ滂W + stdin: true + terminationMessagePath: 7hyobl + terminationMessagePolicy: gŜĶ蔓林驲%嶄ʚ轿竷 + volumeDevices: + - devicePath: zlgauG + name: Uy7Ds5N + - devicePath: pturCrgNMxS + name: "1" + volumeMounts: + - mountPath: 2ftw3U97pI + mountPropagation: ǮmW + name: NeLq9zvIQ + subPath: 5XYnpNAb + subPathExpr: rAeHuQk + - mountPath: aOj5TCBKn + name: DWFR + subPath: G + - mountPath: ovoJMYcQZ7 + mountPropagation: ɷ&娈瘱 + name: o6QaPD8 + subPath: rIo + subPathExpr: j0F1wa + workingDir: tj +- env: + - name: KO7zek + value: AE8r + valueFrom: {} + envFrom: + - prefix: T4nvtH0yCoJCx + - prefix: KaMGNcK + image: m + imagePullPolicy: 牀 + lifecycle: + preStop: + exec: {} + sleep: + seconds: -1229802121654850448 + livenessProbe: + failureThreshold: 1036399450 + grpc: + port: 1383801223 + service: nm0jd39Ta + httpGet: + host: VhafGy + path: CP9 + port: BnhNd + scheme: hxu崚奵Y + initialDelaySeconds: 141265356 + periodSeconds: 251484282 + successThreshold: 257415096 + terminationGracePeriodSeconds: 3476093234934519616 + timeoutSeconds: -1657896181 + name: UCZJ + ports: + - containerPort: 574867450 + hostPort: 156179933 + name: 0re + protocol: 頶韜»釟ţKFƂƄp錴畗~[禬B琡9 + - containerPort: -374880824 + hostPort: 1342282100 + name: OeyfSkg3EJIuD + protocol: 佃ŦŬ穷唂&2ŌĜ,gF躊貀j寝ô + readinessProbe: + failureThreshold: 978947885 + httpGet: + host: A + path: Ngfyt + port: "" + scheme: Í蠕窩獙 + initialDelaySeconds: 60101484 + periodSeconds: 1102760384 + successThreshold: 1260060937 + terminationGracePeriodSeconds: 1157546254675437089 + timeoutSeconds: -465800822 + resizePolicy: + - resourceName: P6b56 + restartPolicy: 冿÷Ý萦{[P貍ȕ,Sɕ錼 + - resourceName: azLsfqbuYlr + restartPolicy: 蒃Ký阹ǒ1T獽蛍峸伦ƨ(Ƭ-央á + - resourceName: skOpL + restartPolicy: 鸿dŶ徥w^ȏ嘳Ƙ唓Ęɸ-ɫ鷠C + resources: {} + terminationMessagePath: vmp + terminationMessagePolicy: Ƒh庛ʘ$8L藑奾ń4說 + workingDir: rgrA +extraVolumeMounts: +- mountPath: C3nMA + name: 0sxSVsP + readOnly: true + subPath: V + subPathExpr: 1E5cYdMw +fullnameOverride: ivK +image: + pullPolicy: "" + registry: 4A + repository: 0YeLdES + tag: 1a4iH +nameOverride: JFcK +priorityClassName: x0ISc2 +readinessProbe: + exec: {} + failureThreshold: 1992527736 + initialDelaySeconds: 1233698472 + periodSeconds: 1177961840 + successThreshold: -1634725396 + terminationGracePeriodSeconds: 236063688080704715 + timeoutSeconds: -1493252430 +replicaCount: 250 +secret: + create: false + enterprise: {} + kafka: + awsMskIamSecretKey: K + protobufGitBasicAuthPassword: HMiCm9 + saslPassword: dlWblwkM + schemaRegistryPassword: DQXNeX + schemaRegistryTlsCa: Xe1cT2AuIi + schemaRegistryTlsCert: gaHcYjD + schemaRegistryTlsKey: 96V + tlsCa: "" + tlsCert: WEDNhiC + tlsPassphrase: lP2w1T + login: + github: + clientSecret: vpO + personalAccessToken: pn05iLc53z + google: + clientSecret: OX + groupsServiceAccount: LB64mTpyF + jwtSecret: GQ0Yw + redpanda: {} +serviceAccount: + annotations: + TTsn5: s3xEhO + tZiUN: CtjX + create: true + name: kIzbDF +-- case-011 -- +affinity: + podAffinity: {} + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: {} + matchLabelKeys: + - E9nCu6aLM + topologyKey: PfPCGvStt + weight: -1379963896 + - podAffinityTerm: + namespaceSelector: {} + topologyKey: CgA4 + weight: -726546395 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: ijh1hJb + operator: ƏŧD續筚朊 + values: + - BOfF5xB + - 3iu4 + - key: "93" + operator: Dij%{欬ɽ + - key: NEd + operator: ÿD + values: + - r + - B7E1BoYQ4Njb + - BTV + matchLabelKeys: + - FuyLvc + - Lh60qi + namespaceSelector: + matchExpressions: + - key: w + operator: 嘑 + - key: eQ6nY99xw + operator: H辄萟蘎Ÿ塪²;暃 + - key: 8JrCFA + operator: "" + values: + - wVO + topologyKey: ByO + - namespaceSelector: {} + topologyKey: b21 + - namespaces: + - Ifv + topologyKey: F9j5 +annotations: + pJ: f0brcnhV +automountServiceAccountToken: true +autoscaling: + enabled: false + maxReplicas: 239 + minReplicas: 83 + targetCPUUtilizationPercentage: 68 + targetMemoryUtilizationPercentage: 468 +commonLabels: + JwK5MKTa: WW + v7E: 1g6JB +console: {} +deployment: {} +extraEnv: +- name: XW + value: PCPsJt + valueFrom: + configMapKeyRef: + key: Zk0vTu6kC + name: d9zm3 + optional: false + secretKeyRef: + key: mRF + name: CW + optional: false +- name: loir2K + value: Ti0q +- name: lAxIKF7cbLlc + value: 1ksS + valueFrom: + fieldRef: + apiVersion: 8i2Z + fieldPath: vD7H + resourceFieldRef: + containerName: yqY + divisor: "0" + resource: ebRDAl + secretKeyRef: + key: E9514U + name: g3Rbzs + optional: false +extraEnvFrom: +- configMapRef: + name: d + prefix: Fl1 + secretRef: + name: X8xDu + optional: true +- prefix: M + secretRef: + name: 10or1C2m + optional: false +- configMapRef: + name: BBj + optional: false + prefix: Xy + secretRef: + name: ZA3 +extraVolumeMounts: +- mountPath: O + mountPropagation: ŜQLhlkU穒´宕Ïůŝƪ + name: JeSPIB + readOnly: true + subPath: RTiJ + subPathExpr: wad +- mountPath: QV6Kf + name: Pj7R + subPath: qBOd + subPathExpr: kN3Uujt +fullnameOverride: hbe +image: + registry: gjR + repository: U + tag: Tl0EP +initContainers: + extraInitContainers: OgPf +livenessProbe: + failureThreshold: 653767212 + grpc: + port: -53435273 + service: fv5J + initialDelaySeconds: 832425522 + periodSeconds: -1810991482 + successThreshold: 1954581711 + terminationGracePeriodSeconds: 1550995604326825538 + timeoutSeconds: -574178850 +nameOverride: Cy9eHCiP +nodeSelector: + HC7: EI8 +podLabels: + "2": RgUAFm + D2V: V80aQ +podSecurityContext: + fsGroup: 4103142176308445041 + fsGroupChangePolicy: Ő6­撱悤ÅC`碸 + runAsUser: 9170579519391070953 + sysctls: + - name: 4OKA + value: P7ouRq + - name: iD9Oz + value: gL6ARE +priorityClassName: sJXoA3V +readinessProbe: + exec: {} + failureThreshold: 1745353710 + grpc: + port: -2051399147 + service: G + initialDelaySeconds: 1504484890 + periodSeconds: -846859037 + successThreshold: -1564014824 + terminationGracePeriodSeconds: 7625838354502176909 + timeoutSeconds: 888372342 +replicaCount: 65 +resources: + requests: + "Y": "0" +secretMounts: +- defaultMode: 12 + name: n4BPeF + path: 2Qy8k + secretName: auIr +service: + annotations: + "": NbuyvXjW + 2CTz: vRGLHMO53rD + yLzpKqz: uBjXvD + nodePort: 83 + port: 478 + targetPort: 90 + type: sl +-- case-012 -- +affinity: {} +annotations: + v: D +configmap: {} +console: {} +enterprise: + licenseSecretRef: + key: oG0N9s8 + name: fmqBE +extraContainers: +- command: + - "" + - 7yJE + envFrom: + - prefix: kRXk + secretRef: + name: TJsCapqoxl + - prefix: ucUEP + secretRef: + name: 1zCfpPiVt9o + optional: true + image: hwJ + imagePullPolicy: dh + name: Ody4zqt + readinessProbe: + exec: {} + failureThreshold: 1607990521 + grpc: + port: 2033135747 + service: "" + initialDelaySeconds: -889776869 + periodSeconds: -35190825 + successThreshold: -958310065 + terminationGracePeriodSeconds: 3166888730011246345 + timeoutSeconds: 806015074 + resources: + requests: + mg2KyOVo97: "0" + restartPolicy: 档媘řĖ焘傐Yʮ,+Ƽ梽讫ƭ焇 + securityContext: + readOnlyRootFilesystem: true + runAsGroup: -2035296945120192462 + stdinOnce: true + terminationMessagePolicy: '*.Q' + workingDir: 0g9 +- command: + - ktel2 + - 2gO + image: Kq1K2HexLL + imagePullPolicy: 蟫黳jª0狫ĝ| + lifecycle: + postStart: + exec: + command: + - I + name: XmcrosJ9Art + resizePolicy: + - resourceName: 8dOXgKMh + restartPolicy: T@罞 + resources: + limits: + Qf424: "0" + UkBWyCgR: "0" + yS9FH: "0" + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - Ǐ蟯ƛU賊稁uv/u讎胗< + - 1湹 + privileged: false + readOnlyRootFilesystem: false + runAsGroup: -281571585037868414 + runAsUser: 8469885005475493831 + stdin: true + stdinOnce: true + terminationMessagePath: 6ii28 + terminationMessagePolicy: ȊGī3慺Ŏ + volumeDevices: + - devicePath: "" + name: lqvpF + - devicePath: 3vTez + name: pD6EOo + workingDir: QEqnPlY6YE +- args: + - eiyTiCxBp + envFrom: + - configMapRef: + name: uxUzs + prefix: 0Oq + secretRef: + name: ahghhjB + - configMapRef: + name: yjx + prefix: cOCr6ajjpSTT + - configMapRef: + name: "4" + prefix: 0XtWv + secretRef: + name: oKDQ + image: PV + imagePullPolicy: d?遼gŜT纬ɷšǧ餝Ƨ + livenessProbe: + exec: {} + failureThreshold: 746140291 + grpc: + port: 1197495917 + service: "" + httpGet: + host: x78yAB + path: P5mSLs + port: Cb2 + scheme: 儰试9ȷǴ燀ǃ¦籇射,ǠöcƲ伙 + initialDelaySeconds: 1418617842 + periodSeconds: 187037501 + successThreshold: -1821323321 + timeoutSeconds: -894994792 + name: ToH + resizePolicy: + - resourceName: 7Ut8kM + restartPolicy: gěǏ* + - resourceName: gvoJz7 + restartPolicy: ł0Iɷ»u诎żȋ貏C炭 + - resourceName: VpTvtNnJOw + restartPolicy: 阠eR'k.Ơ糦啮ŋ睷N譺 + resources: + limits: + cYhO6a: "0" + startupProbe: + exec: {} + failureThreshold: -1040244189 + grpc: + port: 1921669257 + service: Me + httpGet: + host: 5fL4Z + path: BwLac + port: SKrb2z + scheme: ľ<Ƽ浳s剪ɍ + initialDelaySeconds: -1064995957 + periodSeconds: 230643461 + successThreshold: -1865926881 + timeoutSeconds: 1102271416 + terminationMessagePath: ZbnnI + terminationMessagePolicy: 阳壀ɀS强pŇȆDž鹩 + tty: true + volumeDevices: + - devicePath: pP2eHwth + name: S9Sy + workingDir: Z +extraEnvFrom: +- prefix: RyT9JuZ +fullnameOverride: tmn2Kt +initContainers: + extraInitContainers: SIhGa +livenessProbe: + failureThreshold: 666524470 + grpc: + port: 1398516128 + service: "" + httpGet: + host: bR1aDlNV + path: yDJgyD4 + port: PU8gXWTBf + scheme: 8BƔ7, + initialDelaySeconds: 1841184951 + periodSeconds: 465079780 + successThreshold: -1928046688 + terminationGracePeriodSeconds: -4709298711736612221 + timeoutSeconds: 1377323766 +nameOverride: Qr03ts +podLabels: + "": S7BNyT + r1F: Fsc + yeY4LjT: MRlwtd +priorityClassName: vMcB +replicaCount: 407 +resources: {} +securityContext: + allowPrivilegeEscalation: false + privileged: true + readOnlyRootFilesystem: false + runAsGroup: -6536894786619939509 + runAsNonRoot: false +strategy: + rollingUpdate: {} + type: 9Cɠ+餌µ骽O惠LƬɇɦ鉍挶 +tests: {} +-- case-013 -- +automountServiceAccountToken: true +enterprise: {} +extraContainers: +- env: + - name: bNyX + value: DpJ + valueFrom: + secretKeyRef: + key: r3ZL + name: GM2zRN8 + optional: false + - name: dS + value: u2CpI14PZ + - name: JVoNndPj + value: eCfRy + image: 9nkfM + imagePullPolicy: v洓p褾NJ翛Y/笸i洞偀fX綤鰐 + livenessProbe: + exec: + command: + - TzQ + - 5tBBhynsjV + failureThreshold: -1613952147 + httpGet: + host: gYV + path: 9qC2GovT + port: Gh + initialDelaySeconds: 1651935443 + periodSeconds: -1307313312 + successThreshold: 1553368137 + terminationGracePeriodSeconds: -4575724788805099082 + timeoutSeconds: -499895377 + name: aOBSLF + readinessProbe: + failureThreshold: 687754614 + initialDelaySeconds: -1880005074 + periodSeconds: 794268536 + successThreshold: -1510519942 + terminationGracePeriodSeconds: 3334702514671978014 + timeoutSeconds: -178867660 + resources: + requests: + hiWTQ: "0" + m7CDU: "0" + stdin: true + terminationMessagePath: Yj9V + terminationMessagePolicy: js$昦夁糎fț + tty: true + volumeMounts: + - mountPath: Xaoy + name: XuLXzMm + readOnly: true + subPath: NI8v + subPathExpr: nPRuyC + - mountPath: S + mountPropagation: ĜX鴮璫ȓĢ + name: c2o + readOnly: true + subPath: DEcziG + subPathExpr: 7UjF6H + workingDir: yPE +extraVolumeMounts: +- mountPath: DVlVa1jiDIh5G + name: zaV + subPath: lXnque8 + subPathExpr: aFzzfyzr +- mountPath: 7VmD + name: bNuYmK + readOnly: true + subPath: zsTvmtU0 + subPathExpr: uNyQSZ +- mountPath: p + name: q3 + readOnly: true + subPathExpr: k4yfc0H +fullnameOverride: RttlJN +initContainers: + extraInitContainers: Gnt +nameOverride: dDkIKgMwXv +priorityClassName: BDUfm1wSRDI +readinessProbe: + exec: {} + failureThreshold: -225696508 + initialDelaySeconds: 1573121125 + periodSeconds: -1561542711 + successThreshold: 1804677264 + terminationGracePeriodSeconds: 5224127779959308812 + timeoutSeconds: -1540252725 +replicaCount: 412 +resources: + limits: + f7Jr: "0" + fl: "0" + requests: + Q4O7nA: "0" +secret: + enterprise: {} + redpanda: {} +securityContext: + privileged: true + readOnlyRootFilesystem: false + runAsUser: -8804799239371185443 +tolerations: +- effect: ƞ嬂 + key: wnH + operator: Ā蔥ąʏƅȑǚ缗'r~熐{Ǎ楯&鑫咂] + value: LYZYjeFUmK29wdL +- effect: 硞撤幅娰tȬ婒ĎɕÏǜ蚭馸諄W)偒½ + key: e2 + operator: bƤrZ + value: 8ssobF8u +-- case-014 -- +autoscaling: + maxReplicas: 297 + minReplicas: 375 + targetCPUUtilizationPercentage: 161 + targetMemoryUtilizationPercentage: 154 +console: + roleBindings: + - null +deployment: + create: false +extraContainers: +- args: + - Z62Is + - Hbh02LW4 + env: + - name: YW1G + value: 0GWAuZSLomGzW + valueFrom: + configMapKeyRef: + key: G23Iugy + name: TkEMhJ + secretKeyRef: + key: BTU + name: g1 + optional: false + - name: uL + value: FFIE5os + valueFrom: + configMapKeyRef: + key: "Y" + name: auRMap + resourceFieldRef: + containerName: q0II1T + divisor: "0" + resource: HT + secretKeyRef: + key: dzuljE + name: G7WQLg + envFrom: + - prefix: gP + secretRef: + name: OVJe + optional: false + image: rJIHfr2OEa135 + imagePullPolicy: YÙ姯?斕_9xŠɏɉɬ脸埫窿 + name: AH0Q + ports: + - containerPort: 228562644 + hostIP: IoQ1 + hostPort: -1878543188 + name: Rfal + - containerPort: -894592742 + hostIP: WL1wuF + hostPort: -1156574467 + name: kaBC3xQ4W + protocol: ǀw黽Ɂ態y歳饏S鰚醭 + readinessProbe: + exec: + command: + - SSKDo + failureThreshold: 2133132404 + grpc: + port: 1749726411 + service: mXvc + httpGet: + host: pc5My + path: Xb4w6 + port: 478437545 + scheme: X甡蓸^qĠ屘g槛雍d伨ɾ + initialDelaySeconds: -966001365 + periodSeconds: 714178271 + successThreshold: -1714884162 + timeoutSeconds: 152300629 + resources: + limits: + QD: "0" + eQShuVrO: "0" + requests: + xWdhFr9: "0" + restartPolicy: 吥蓔ȫ唿瀘V輇f蓵犆Ȑ]œʢ鶍MƧ樤_ + startupProbe: + exec: {} + failureThreshold: 623319858 + grpc: + port: -1442127150 + service: C6 + initialDelaySeconds: 128345274 + periodSeconds: -1861677604 + successThreshold: 1112169900 + timeoutSeconds: 120934069 + stdin: true + stdinOnce: true + terminationMessagePath: CVFCc8 + terminationMessagePolicy: 欥ɻ斩隫0撊GƲ{ + tty: true + workingDir: IZB +- image: DOt5K + imagePullPolicy: Q燢Ƈʃǻĝ + lifecycle: + postStart: + sleep: + seconds: -2443463859616450892 + preStop: + exec: + command: + - 74I + - RU + sleep: + seconds: -3090258659267849140 + livenessProbe: + failureThreshold: -1269681865 + grpc: + port: -1568193429 + service: X1LyDnjv64JEDb + initialDelaySeconds: -1309179527 + periodSeconds: -1814451145 + successThreshold: -2073223886 + terminationGracePeriodSeconds: -7380892635099163371 + timeoutSeconds: 2123408205 + name: QbUkrjO + readinessProbe: + failureThreshold: -1858848657 + grpc: + port: 349774039 + service: jxJ + httpGet: + path: aAkRuN + port: AGGDH + scheme: Aʝ詷Cţm憻菁裰ś + initialDelaySeconds: -1986091889 + periodSeconds: -775693671 + successThreshold: 930243436 + terminationGracePeriodSeconds: -4158765076015214976 + timeoutSeconds: -1930165730 + resources: + limits: + QL: "0" + startupProbe: + failureThreshold: 79584809 + httpGet: + host: IYI + path: jpfp + port: h + scheme: ÎŲ媱5\æ}QQǤoƲ^8%嵕_踽 + initialDelaySeconds: 1384447753 + periodSeconds: 364207137 + successThreshold: 1778504178 + timeoutSeconds: 1437969450 + stdinOnce: true + terminationMessagePath: z + terminationMessagePolicy: ūJ + tty: true + workingDir: RQkvQON +fullnameOverride: htymHJ +image: + pullPolicy: 袪Ȓ緶Ð菝ȋ擮@Ŧ + registry: ulLeWQWUJdjnk + repository: J + tag: KQ +initContainers: + extraInitContainers: JvUWbM +nameOverride: Vi2vH +podAnnotations: + Tt: CHbO7BF +podSecurityContext: + fsGroupChangePolicy: A%Âȁµ郞星懐,t语Ā詘IJÊ铮Q + runAsUser: -4832235381641550418 +priorityClassName: rcxHoi +replicaCount: 424 +resources: + limits: + AS: "0" +service: + nodePort: 66 + port: 41 + targetPort: 168 + type: Oiwzbmtjpb +serviceAccount: + create: true + name: h6eHrUr +tests: {} +tolerations: +- effect: 鞼CÞŲɮȧɖņ魉**護Å岴hFʎ篅2 + key: ffSN + operator: 葓C巰qĩŹ脠~蒵 + value: fkh +- effect: ȯ绸 + key: meTpNZ + operator: ĥ恃精hw"蘄谇H潔ʎȴ豅©嫗笨 + value: uyTD +-- case-015 -- +affinity: + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 7eVqbmnw4 + operator: 屈ǧȔŗS#~¸Dd馔uÈ飏ƌĔ魼ȓ + values: + - eZapFDhb + - dBr2cD + - key: Z13Kq48NE0 + operator: ª + values: + - 03LE6GE + - key: s + operator: 箱+ʑ圼;0丢顃M媆熋熼妄瞬 + values: + - E + - jC2mNBN + matchLabels: + 4tdQRoO: Tgv + 7Apxz: EPl5 + bPvG5Bf: sCS + namespaceSelector: {} + namespaces: + - bkN0U + topologyKey: haPJ + weight: -1043017794 + - podAffinityTerm: + labelSelector: + matchLabels: + PP8DxAPJwUzY: z9RL6 + U1a: J + due4: eRc0tKn + namespaceSelector: + matchExpressions: + - key: "y" + operator: 霮ʡ`罵瀖Kʓa嚃*Q`UV邠想ɷġ + namespaces: + - M2GNeyD + - eDNVdz1ne46 + topologyKey: kQ + weight: -1134437930 + - podAffinityTerm: + namespaceSelector: + matchExpressions: + - key: SnD + operator: 6愔ȶ獧:öȰ浻珼»ǰs睑,s頀旓eX + - key: yt197hBb + operator: ȒǦ^(á咟獐赠5ĺĜ嶜庌愖V揺ɞ\Ș + values: + - pu5 + - Ywv1TEhK + - pAo + matchLabels: + "": rZ + topologyKey: WSD + weight: 613733383 + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: 4b6nMCalUl1 +annotations: + 2V: 50l + jFB7K: 5ZqGXdsD94 +autoscaling: + maxReplicas: 483 + minReplicas: 178 + targetCPUUtilizationPercentage: 362 + targetMemoryUtilizationPercentage: 33 +commonLabels: + B0Pmybnj: gh8 + MdyMnFBP0Cd1: UUVRKbjhv + ShHkukRGF9k: KlIyX6upO +enterprise: + licenseSecretRef: + key: 5MWDqlE + name: UoZ4 +extraEnv: +- name: iQE + value: Aj6RWPJE +- name: QwMCc + value: N9g6bDNI +- name: U5Qg5Qc0NWE + valueFrom: + configMapKeyRef: + key: R + name: n8 + optional: false + fieldRef: + apiVersion: zg0 + fieldPath: fNjpqJ + secretKeyRef: + key: MlF + name: h +extraVolumeMounts: +- mountPath: y5BZm9v9L5 + name: mE9WF + readOnly: true + subPathExpr: 3vKqLj2 +fullnameOverride: 9RweMGWqBs +image: + pullPolicy: '&Ŕ<駄AG' + registry: FezgEM + repository: b4CZb + tag: OoX +ingress: + annotations: + "": ZKQ6I + ES: uo + className: x7Um + enabled: true + tls: + - secretName: Ye6 + - hosts: + - nNQW2NL + - g + - "N" + secretName: YQl +initContainers: + extraInitContainers: FZnnB +nameOverride: KD8DmV +nodeSelector: + vy4h: rk +podLabels: + FlwBgvWNMrbg5: YKgnz8q + TGDbR: 4egH + Xr8XMOk: 1DAii +podSecurityContext: + fsGroupChangePolicy: ¶鮬眴帘ʥb豚DIĂ + runAsGroup: 4190388773600423895 + supplementalGroups: + - 6652209348598506050 + - 5521245057591625878 + - 6754698685787706527 + sysctls: + - name: "7" + value: vp +priorityClassName: "68" +readinessProbe: + exec: {} + failureThreshold: 398655641 + httpGet: + host: NaspK + path: Bgdl + port: 1587383135 + scheme: ǰ|鬩E橴s + initialDelaySeconds: 1516319657 + periodSeconds: -635156272 + successThreshold: 1338596793 + terminationGracePeriodSeconds: 6302545905526400855 + timeoutSeconds: -905426079 +replicaCount: 128 +resources: + requests: + I: "0" + b7jbi: "0" + r1cN: "0" +securityContext: + privileged: false + procMount: d聉l蝲ɓH>狱(Ȁ胄hʍy龝Ȼ埓Y + readOnlyRootFilesystem: false + runAsGroup: 2951274493718237098 + runAsUser: -1772317555576666168 +serviceAccount: + annotations: + IH: 3W + K5hNNf: "" + r: 9cmm + automountServiceAccountToken: true + name: zmr +tests: {} +tolerations: +- effect: '#U媷ɑɥ±箑妌RɱfÈB矅蒟(' + key: g + operator: Řg~歟1ƹ,纙蝝垺 + tolerationSeconds: -9038490283678033542 + value: x6T1NM +- effect: ė{ɼ 5;^ʤàOKv泣0ƫ¢ + key: wdW6LI1a5 + operator: ú4ʫ-哖ýȻȣŦiĩġ膳". + tolerationSeconds: -5247520709138794849 + value: NXt +topologySpreadConstraints: +- labelSelector: + matchExpressions: + - key: dme + operator: )\鹮İ又Ȥ鏥Ĝ + matchLabels: + Cdk: atEBel + PhEVPxOjN: QTW4 + fC0YTiwm: fdAQN8t + maxSkew: 472867304 + minDomains: 1802867157 + nodeAffinityPolicy: ʈǔ聿ŶŹ&y鰜# + nodeTaintsPolicy: '"篍Ɛɰl鄱' + topologyKey: fqmSu + whenUnsatisfiable: äƟĻ鍣ųø啼ǫǷ" +- labelSelector: + matchExpressions: + - key: BEj + operator: Ɠ墳 + values: + - qBJ + - KZbk + - key: 9wxm2wFXlY + operator: ì蠁{\媽;ě8ɠ + values: + - yiuVv9DzzRse + - "N" + - z + - key: SWu + operator: Ī½曖1șWb3 + maxSkew: 774109577 + minDomains: -110979462 + nodeAffinityPolicy: 醿卨¬婾豜ʦKd` + topologyKey: 4iskW3Hbv + whenUnsatisfiable: ǮXƞ棤Ǘ +-- case-016 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: 2Ldss9 + operator: ?霏ƦxǰA7ȇ(堃R + values: + - Ce7pGgB5o + - B8EWZ + - key: pJKw3VVY5 + operator: 2wq6JK?Ȏ惙徵r儊ǒ嵀匫W + matchFields: + - key: EQvFQjoLm1 + operator: «/o咑澇ƉɑȨŞƙ|5時 + weight: -508343495 + - preference: + matchExpressions: + - key: VRoHsoMNa + operator: cƄábŊɕg追ĦǙȿ男)hŬ + values: + - tcCIpd9m + - FsoFrK + - key: ReH4ocoZ + operator: "" + values: + - bnUyPckbz + - AE + - njW + - key: fZBGR + operator: 租ǜ藇錼 + weight: -1003115262 + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + namespaceSelector: + matchLabels: + qGlBCw: zUBwqj2xV + zlHLG: TDTkLQOC + namespaces: + - QWFH + - TEzgQKPSQ + topologyKey: "" + weight: 682123393 + - podAffinityTerm: + labelSelector: {} + matchLabelKeys: + - 1MiHrQ + namespaceSelector: + matchExpressions: + - key: JUYumiiJFrY + operator: .ƽCDZo& + values: + - t3wDXa + - 70HCTbI6g + - C + - key: ik + operator: Œ8v + values: + - Wp + - Zf + - c2q7e + topologyKey: Sc1Q + weight: 869908297 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: ore + operator: ?ɴ$瀜蝪ĪźȀŐƌS莣幮屒n×U锇Ľ + values: + - mJM + - oc + - aU + - key: SQmv + operator: ȥī+ūĬ诧犂¹ + - key: Hh1r9 + operator: h蓟x蹵D¨谧罬 + matchLabelKeys: + - mDk + - Hki8 + topologyKey: x2q0Rx1f1N + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + namespaceSelector: + matchExpressions: + - key: H1Ni + operator: Ȧ厜OŊ + values: + - UWzAFu2 + - key: M + operator: 罐hĹ;'ǫ貉yĊ啉刉DzQį + - key: zZ + operator: 颉śĴJ|@W補A篐S献;ɾ[_鶙ȱ + values: + - 4BL + namespaces: + - Thgfgf7Z + topologyKey: XBju19e + weight: 1392601493 +automountServiceAccountToken: false +console: + roleBindings: + - Q0kslM: null + - null +deployment: {} +extraContainers: +- command: + - opIk + - v9eJ + - 4V + env: + - name: 5Q + value: o + envFrom: + - prefix: eBWmLK + secretRef: + name: FedJi + optional: false + - configMapRef: + name: M + optional: false + prefix: vUvV7W8k0 + secretRef: + name: IA + image: T4SYV + imagePullPolicy: Ƈ祃ǗǤɈ遖竀壙/ + livenessProbe: + failureThreshold: 20929095 + grpc: + port: -1775507003 + service: UZ6BT7NDI + httpGet: + host: QFkZxI6kA + path: tzQ + port: "" + scheme: Ƞ揞á惗É莏6XȪ/ʡ忨償 + initialDelaySeconds: 1046895310 + periodSeconds: -1971173139 + successThreshold: -476756841 + terminationGracePeriodSeconds: 144861231583008737 + timeoutSeconds: 814968592 + name: gEB + ports: + - containerPort: 2060914354 + hostIP: 9IXWKx38q5 + hostPort: -1191426039 + name: 5Mw7k + protocol: 悛ķ鳉ɍ恽j頔Œ6Eʮnx + resources: {} + restartPolicy: 樦ýȃ梪ĵ + stdin: true + stdinOnce: true + terminationMessagePath: c0e +fullnameOverride: 6maz +image: + registry: PYDGV + repository: HV3 + tag: cI8TzaYkws +ingress: + className: JpoCC + hosts: + - host: mE + paths: + - path: znvL + pathType: u4c1 +livenessProbe: + exec: + command: + - 1aqSw0 + - A277oB + failureThreshold: 713465020 + grpc: + port: 1803086428 + service: h1wwv + initialDelaySeconds: 1849009003 + periodSeconds: 2079209425 + successThreshold: 1679782943 + terminationGracePeriodSeconds: 4331994492414219168 + timeoutSeconds: 2000039211 +nameOverride: SC +podAnnotations: + JYLUc483y: gTnWiG +podSecurityContext: + fsGroup: -1425599568169885252 + fsGroupChangePolicy: ƶ Ÿ恢 + runAsGroup: -8737472966684836915 + supplementalGroups: + - 809809813702093180 + - 6124706841582844730 + - 6159358527003037747 +priorityClassName: XtKq +replicaCount: 331 +securityContext: + allowPrivilegeEscalation: false + procMount: 垮Ř2 + readOnlyRootFilesystem: true + runAsGroup: 5797501600954334245 + runAsUser: -8444673787636983397 +serviceAccount: + automountServiceAccountToken: true + name: DdF7ALq +strategy: + rollingUpdate: {} + type: ŀ剭º(;ƍ4兖ȇ +tests: {} +topologySpreadConstraints: +- labelSelector: {} + maxSkew: 972537130 + minDomains: -499606767 + topologyKey: q5 + whenUnsatisfiable: 鳯°ôŕƨʪuɘ"h貇榧0?cɉjA蜝 +- labelSelector: + matchExpressions: + - key: lAV + operator: 嵖xߟ擱ʄ衯"xɂ + - key: U6 + operator: =换J+Ř:嫚ʥ畠餐ǒŃ + values: + - Vj + - snF6cyZ + - 0sW9y4T5 + matchLabelKeys: + - 2wCjBs + maxSkew: -324080521 + minDomains: 695322418 + nodeAffinityPolicy: ʖ[兘Ũ鬎盦İƲ + topologyKey: z5y4Q8jyHH + whenUnsatisfiable: =Y~É.J樢ȃŤƫ甶Ȍ* +- labelSelector: {} + maxSkew: -1720129802 + minDomains: 1017048856 + nodeTaintsPolicy: 龨9猶e僦ɻ髧Ȍc + topologyKey: qKf6Ef3o + whenUnsatisfiable: ʂ?$鳴寘ŧ6脹餗ſ媷,峇埽 +-- case-017 -- +annotations: + J5Z: aLYd149 + LCqYvOjK: Qsk + bU: "" +automountServiceAccountToken: false +autoscaling: + enabled: false + maxReplicas: 164 + minReplicas: 101 + targetCPUUtilizationPercentage: 355 + targetMemoryUtilizationPercentage: 310 +console: + roles: + - JlwOk: null + QUzHpm: null + ch3WnNF: null + - {} + - null +extraContainers: +- args: + - Bd + command: + - QwtEp + - lLi7 + - kxB1 + image: RpMWaJ + imagePullPolicy: ~崆Ǭe侊k + livenessProbe: + exec: {} + failureThreshold: -2101638962 + grpc: + port: -208999597 + service: jICxjA + initialDelaySeconds: 925230214 + periodSeconds: -996383814 + successThreshold: 152844544 + terminationGracePeriodSeconds: -7802949917649733275 + timeoutSeconds: -188255799 + name: qwOkQZ + ports: + - containerPort: -255758148 + hostIP: R + hostPort: 316791912 + name: 09i3b5oQR + protocol: 腴醗9-鐶 + - containerPort: 247145105 + hostIP: L4 + hostPort: 1727912240 + name: bz7Y1N7 + protocol: 暄璎 + readinessProbe: + exec: + command: + - 2fQQ + failureThreshold: -873648342 + grpc: + port: 889903834 + service: C3 + httpGet: + host: IPHal + path: 5Nb6iW9 + port: tkqo + scheme: m说Ď盐2Ƹ,约h鰥Ȕť3 + initialDelaySeconds: 1391319902 + periodSeconds: -1638942635 + successThreshold: 644454270 + timeoutSeconds: -553602240 + resources: + requests: + 0XxId: "0" + VsY2R9: "0" + ZLtS2: "0" + restartPolicy: ų蓶Lj,g珯i'Sû竒 + terminationMessagePath: Mx7V + terminationMessagePolicy: =Jƈ乚貃庪ș¯ÑVȯ6筌巨华ɀ(v + tty: true + workingDir: nKFDPLJvOh +- args: + - AV3kjV + - Gwq78lY2 + - wq + command: + - D + - EI + - fY5J + env: + - name: eCtpNU + value: jLkcq8S + - name: rynLbx + value: CdqgJabHhM + valueFrom: + configMapKeyRef: + key: uBUH5 + name: Uxei4G1 + optional: false + fieldRef: + apiVersion: Ul9al + fieldPath: vtGid + resourceFieldRef: + containerName: Oc + divisor: "0" + resource: "" + - name: GmDNpa0 + value: 7VJM2XsPm8N + valueFrom: + configMapKeyRef: + key: x3J0PMWE + resourceFieldRef: + containerName: x9Q + divisor: "0" + resource: EKFgoq + secretKeyRef: + key: lOZRvK9 + name: V + image: 1xn6 + imagePullPolicy: ɀ稤¼Mɻ«鐾6Ú{ŬtŮ鄖SSɌ戲 + lifecycle: + postStart: + exec: {} + httpGet: + host: sT2dWyT + path: vvbIxNVANZ + port: aCK8 + scheme: 昿孊卿昤軒JYƜÁ嶠şe灶 + sleep: + seconds: -3542823673709563150 + preStop: + exec: + command: + - "N" + - qkHmJ + - HupYy + httpGet: + host: 137dx + path: y3u7HE + port: -1357399425 + scheme: '@济ɉ鳛讧跕(#7NJɓũǸ]ɨ梊sj' + sleep: + seconds: -2408406850575106311 + name: J6VFtJd3giFt + resources: + requests: + 3dqK0M: "0" + restartPolicy: 70ʆ氶応爱怙鉉塼tƗhY嚇 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + privileged: false + procMount: ȚƼ提瀴t8oƥc + startupProbe: + exec: {} + failureThreshold: 1782005431 + grpc: + port: 676289916 + service: 3xqeCsf + httpGet: + host: YDL1TP + path: "8" + port: lLWR + scheme: BKō筹 + initialDelaySeconds: 134613881 + periodSeconds: 1547524591 + successThreshold: 1778605907 + terminationGracePeriodSeconds: -7593859121613942317 + timeoutSeconds: 2026260743 + terminationMessagePath: E + terminationMessagePolicy: 碓 + workingDir: kl +- command: + - "" + env: + - name: TG1HQA + value: 5X + valueFrom: + fieldRef: + apiVersion: Vhn + fieldPath: jluMkQnv9 + resourceFieldRef: + containerName: rLfbH + divisor: "0" + resource: "" + - name: "" + value: TOTyqqGn + valueFrom: + fieldRef: + apiVersion: 0CAdSa + fieldPath: LWMRC + resourceFieldRef: + divisor: "0" + resource: G5eZP4R + secretKeyRef: + key: xYOgJL + name: vMTywG + image: 2Z + imagePullPolicy: z.鎸ƦʖFNj棪Ƃ鯌b抵#Dzr + lifecycle: + postStart: + exec: {} + httpGet: + host: k8z + path: TxNa2e + port: -573570086 + scheme: oɌdǹ[M灙螮伪芛探塢庖Njȕ仸 + sleep: + seconds: 4118046687980193779 + preStop: + exec: + command: + - 6iZbF + - OeZTW + httpGet: + host: rbqq + path: sno + port: -429531729 + scheme: s璙Ȼȗ榛ǵ0ƿ.忋闳溨 + name: Cms + ports: + - containerPort: -211101225 + hostIP: 8v + hostPort: 1994344080 + name: kyMvksZa + protocol: fȞ蚊悘ū錩Ȩ龒ċŴ + - containerPort: -806313867 + hostIP: Ky2F2 + hostPort: 1605736520 + name: oe0nMMl + protocol: 慿)"Ǒ3浹襈}(VE-B³閪叒k1绝 + readinessProbe: + exec: {} + failureThreshold: 1398486074 + grpc: + port: 1157090744 + service: oFrTS0 + httpGet: + host: 5pfrE + port: TJb4 + scheme: 畢î + initialDelaySeconds: -1830121652 + periodSeconds: -1398007905 + successThreshold: 1183454316 + timeoutSeconds: 1797763090 + resizePolicy: + - resourceName: hzxTj + restartPolicy: 渣箢樳掯ȉÏǼ店喘©g + resources: + limits: + zGvF9poISMtK: "0" + requests: + lUp3T: "0" + restartPolicy: '}賩6''V霟足''È''*F÷ƙǕ' + stdin: true + terminationMessagePath: 4tn + terminationMessagePolicy: ɢ荵鯴庡ǁ婛埽猜犝笖á7譃ǁ¦GɖC + volumeDevices: + - devicePath: eGfD9B + name: G3Bd + - devicePath: x + name: TB + workingDir: iKksE1 +extraEnv: +- name: Z + value: 1PasJFATvz + valueFrom: + configMapKeyRef: + key: Out + name: Z +- name: pUN + value: QTGN + valueFrom: + configMapKeyRef: + key: BLzs5FKV + name: xsgY3vBvZ + optional: true + fieldRef: + apiVersion: 5Ng + fieldPath: Psowh + resourceFieldRef: + containerName: pMz + divisor: "0" + resource: "" + secretKeyRef: + key: IY9s0 + optional: false +extraEnvFrom: +- prefix: oK16T1 +- configMapRef: + name: GxM9 + optional: false + prefix: Hj8 + secretRef: + name: o5P67 +fullnameOverride: 9XG3SZW +image: + pullPolicy: k痿蹒 + registry: 3s + repository: kPWhaC + tag: BcBi +ingress: + className: N91gS + hosts: + - host: ucSBH + - host: "" + - host: tmOhOR +nameOverride: tPiY +podLabels: + LBQpbD: AHB4hNVL + ey1GpAHh: fA +priorityClassName: qcIlT +readinessProbe: + exec: {} + failureThreshold: 738983906 + grpc: + port: 832752600 + service: 3tLbx + initialDelaySeconds: -1729478206 + periodSeconds: 902558671 + successThreshold: 989047880 + timeoutSeconds: -402268186 +replicaCount: 173 +resources: + limits: + 0fvc8: "0" + W19cC: "0" + loZ4: "0" +secret: + create: true + enterprise: + licenseSecretRef: + key: cjqTR + name: e + login: + github: + clientSecret: jw6tY22 + personalAccessToken: JvG1jx + jwtSecret: DwgaGI + oidc: + clientSecret: MalR2 + okta: + clientSecret: mDILgPMjOS9 + directoryApiToken: M2ywAiP +secretMounts: +- defaultMode: 442 + name: 3SwG7HrS + path: TLaWLIiD + secretName: VR +- defaultMode: 383 + name: Bfv9SGjlbgN + path: dXXPfK + secretName: T +- defaultMode: 13 + name: wz4K9oIYM + path: YEOA49 + secretName: WzM +securityContext: + capabilities: + add: + - "" + - 鸼ǀɛ_Y + - 利ƯǢ謼Ŀʇ佔4銣 + privileged: false + procMount: 頿ū詁ǎTɁ¯PlFd只鶗ƝǛƤ臃 + readOnlyRootFilesystem: true + runAsNonRoot: true +tests: + enabled: false +tolerations: +- effect: 懻 + key: JifsKW + operator: 檧űÊǮȡ廄儱RəȏĮ顪ÅÞ + tolerationSeconds: 4501363800484543116 + value: KkCBzwToBMjJ +- effect: B囧ƉOß + key: Q3cj + operator: ɲ朁ß栢 + tolerationSeconds: 4944598504260379086 + value: Z5 +- effect: 敘愰ɰuƪ晐 + key: K8wM + operator: ș + tolerationSeconds: 8375376960471889043 + value: TnWS +-- case-018 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: {} + weight: -37659402 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + matchLabelKeys: + - ajbCE + - Y0MRgpE8 + namespaceSelector: + matchExpressions: + - key: Auai + operator: ùfƽÜQķɨ逑ʒÅģ + values: + - Q + - key: 1S2Nfq + operator: 臺瑷tƎ鍤p}滳`竦ÙǾ晖ǃʏȵ + namespaces: + - 4GTSAZF + topologyKey: NS733 + weight: -968286112 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: eyt3TPSYPBWDt + operator: e偁&蔄癳.ŚƘ + matchLabelKeys: + - eE7PA8D + - cKalkvb + mismatchLabelKeys: + - Lan + topologyKey: v + weight: -2133598054 + - podAffinityTerm: + mismatchLabelKeys: + - "5" + namespaceSelector: + matchExpressions: + - key: UrrD + operator: ƞ + - key: rkfCsnUcx + operator: ȇ睾¦棌鉝-m糤LPjX.;Ğ× + - key: kla + operator: '"竮壣祠ł9抵墙' + namespaces: + - gyF + topologyKey: ZG + weight: -428742233 + requiredDuringSchedulingIgnoredDuringExecution: + - matchLabelKeys: + - tZZj + namespaces: + - VuG + - I5XU + topologyKey: V2CZqa + - labelSelector: {} + mismatchLabelKeys: + - "" + - q9L4 + - C4YJ57 + namespaces: + - 8xRk06ngy + - WeZO2 + - 7tbTFK + topologyKey: rnpto +annotations: + "": 3E5rtKA +automountServiceAccountToken: false +autoscaling: + maxReplicas: 140 + minReplicas: 91 + targetCPUUtilizationPercentage: 499 + targetMemoryUtilizationPercentage: 324 +configmap: + create: false +console: + roleBindings: + - "": null + DlOD: null + - null + - cDJiV: null + eO: null + qlokva4: null + roles: + - 0E2l1K3: null + pIu5qwn: null +enterprise: + licenseSecretRef: + key: oqyc + name: HL +extraContainers: +- envFrom: + - prefix: EVZ + secretRef: + name: MxD + optional: true + - configMapRef: + name: A + optional: false + prefix: HuqxI + secretRef: + name: A + optional: true + image: SU + imagePullPolicy: 禵7璙p + lifecycle: + postStart: + httpGet: + host: YZMjhOUO8IS + path: nzYfH + port: Fcx + scheme: 矪Q9 + sleep: + seconds: 3463625415546708077 + livenessProbe: + failureThreshold: -560403806 + grpc: + port: 1751268094 + service: I + httpGet: + host: 0Sb + path: Utm2X + port: 395973041 + scheme: 醆蚎忨ŕ縨ƍ爋釬šÒ暺ƒŎO記岣 + initialDelaySeconds: -1011110535 + periodSeconds: -1229381750 + successThreshold: 260149510 + timeoutSeconds: 74546945 + name: e + resizePolicy: + - resourceName: XNKV + restartPolicy: ì焹.¬哄ȾŢȎȴe$p尶m`飻Ȭ + - resourceName: "" + restartPolicy: 閭I哗.寢荨ʪɛ侭ȵ(8 + resources: + requests: + 3nUsL: "0" + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: false + runAsGroup: -8616852535795885155 + terminationMessagePath: FjZ + terminationMessagePolicy: ÿb熿3,ćp寫ʃ#叺渍ƣș + volumeDevices: + - devicePath: Xvjm + name: 7yLA + - devicePath: 1Ci + name: Y0AloAQS + - devicePath: Gt + name: ZMKKc + workingDir: Mh +extraEnvFrom: +- prefix: hg + secretRef: + name: eLM59WyoAXO +fullnameOverride: ExFU3 +image: + pullPolicy: 螣暛擂ɾ#鏲*胭8饭1胠 + registry: iCFSIwyDtoG + repository: 6V6 + tag: 6uR +imagePullSecrets: +- name: vlnGQbo3y +nameOverride: 1qyLP36T +nodeSelector: + Vckw: ifBZ9p7 +priorityClassName: 6jxv +replicaCount: 297 +resources: + limits: + QZqMxIAt: "0" + SUsu9: "0" + requests: + EMOXCuje: "0" + EzKKMIR: "0" +secret: + kafka: + awsMskIamSecretKey: 8GlUc + protobufGitBasicAuthPassword: IsvQ9 + saslPassword: Vb + schemaRegistryPassword: UJ7Zl + schemaRegistryTlsCa: T1Q + schemaRegistryTlsCert: 17r + schemaRegistryTlsKey: O44 + tlsCa: n8k9 + tlsCert: aK + tlsPassphrase: Qk8 + login: + github: + clientSecret: t6z0n + personalAccessToken: "" + google: + clientSecret: h + groupsServiceAccount: fpuCEFLL + jwtSecret: 7J + oidc: + clientSecret: t + okta: + clientSecret: 3CcKl + directoryApiToken: AZt8H77 + redpanda: + adminApi: + password: NUkb3zIpwAR + tlsCa: t + tlsCert: zttTAvj + tlsKey: "" +service: + nodePort: 270 + port: 415 + targetPort: 489 + type: 2cM +serviceAccount: + annotations: + X7E: CRSzr + lPi: bGP + name: uAvlOXf +strategy: + rollingUpdate: {} + type: ɬ搢.Ƒ躂ɻɅȄ莨qc婔Åå +tolerations: +- effect: č喅Ȳ崥ï{禙ÊÿC逻準?霘2 + key: YJE + operator: 珟 + tolerationSeconds: 3838637075734495592 + value: 1VemeDTEk1 +- effect: 艋Ƿ淛襀|Ǽ&矠Ģ凍J賜ɰō + key: ggxS8L + operator: 閞判ŏ + tolerationSeconds: -2249155605077506227 + value: m3c +- effect: 'Ljə]IŴ:' + key: 4BkJSo + value: Le +topologySpreadConstraints: +- matchLabelKeys: + - uyTA + - rJcqdY3 + maxSkew: 1887613958 + nodeAffinityPolicy: u鞝侠轁蛃6Ơfrt迄ʇQ勭ĶÇǻě + topologyKey: 3f9j + whenUnsatisfiable: µ +-- case-019 -- +annotations: + lgiIA: u + wK8: JrSfKH +automountServiceAccountToken: true +configmap: + create: true +console: {} +enterprise: + licenseSecretRef: + key: Nr8uSKR + name: nucerZE +extraEnv: +- name: pJ + value: whmTukCTD + valueFrom: + configMapKeyRef: + key: OHk + name: "3" + fieldRef: + apiVersion: TSp7 + fieldPath: mEUVMSp7vUo + resourceFieldRef: + containerName: bBDw + divisor: "0" + resource: tIcs3z + secretKeyRef: + key: jIR5V + name: "9" +- name: ZCEPmHP + value: FhwE4R + valueFrom: + fieldRef: + apiVersion: Nv + fieldPath: WMXeIjk + resourceFieldRef: + containerName: Hbt + divisor: "0" + resource: mo7F +extraVolumeMounts: +- mountPath: UF6 + mountPropagation: ĻsŸ氂ǐ钋鮠Ĺ咳渼.pɫ + name: W1LIZa3 + subPath: qdDtjk + subPathExpr: Ew +fullnameOverride: NZ7h9 +image: + pullPolicy: 韃ĝ + registry: GNXgFQ + repository: W3 + tag: 2vPed +initContainers: + extraInitContainers: "" +livenessProbe: + exec: + command: + - Vc01z + failureThreshold: -1736131786 + initialDelaySeconds: 538755540 + periodSeconds: -937262167 + successThreshold: 2014961170 + timeoutSeconds: -614674118 +nameOverride: 8MIg +priorityClassName: FERw +readinessProbe: + exec: + command: + - 96w + failureThreshold: -1936056692 + grpc: + port: 939760843 + service: "" + httpGet: + host: K + path: dIrFM + port: GfrdWiqgUZBPW + scheme: 芧ʒȔ堌 + initialDelaySeconds: -2019126091 + periodSeconds: -1696700553 + successThreshold: 398361977 + timeoutSeconds: -184667912 +replicaCount: 79 +securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - 狞濮噞饅烥H}湛m=U+卓Ǭï呣8Ú + privileged: true + runAsUser: -471077223001866506 +strategy: + type: 鎦v財ɕŪ +tests: {} +tolerations: +- effect: 飝壊%ǂP胅ɂǏ趸疷擁鹒DŽ营風顺z拇 + key: Ku2m + operator: ŲǪFTǗǔȟʥȰȎǎo玼Ü + value: 1u +- effect: 雾Ź歘ɇƇ昨OČƑɎ騨Ŗ=Ì楯 + key: 12vKa + operator: ( + value: u +-- case-020 -- +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - {} + - matchExpressions: + - key: a23jbG + operator: yb庇ɍ闒ǰPâƟVsJu + values: + - "" + - 1lQmmGa8 + - XzVleDXV4YoRc + - key: 3Gwd9r + operator: 4Nj7Ġ$Ea狆Ö絞Ƙ殈廔as知 + - key: 7C4FjM + operator: ɩ.叧¬ʧ倒 + matchFields: + - key: H + operator: Ğų* + values: + - 0i + - qK + - key: 7ocDt + operator: 餯ǚ璗汭槰<ƤƐ評ź膹棅珢ȹ3鮑 + values: + - g5Aa1Hm + - LKNvXrtO + - key: o + operator: ŎJ甧鷓 + values: + - vJQQjLRrqIK + - Isj + - 6EBsy + - matchFields: + - key: H0oh1dBCg + operator: 鉔qƿ氵[' + initialDelaySeconds: 1994767434 + periodSeconds: 1832245274 + successThreshold: 598112607 + timeoutSeconds: 1119900418 + name: "" + ports: + - containerPort: -330026000 + hostIP: lrMGYnI5Nd + hostPort: -823142941 + name: zuZWb + protocol: Ȳ + resources: + requests: + 4gK: "0" + restartPolicy: 腼癋ğÑ;漘傩鶷 + securityContext: + privileged: true + procMount: ʍ/O9*:zb飯Gɱ朵醴#ŌKp9嬡 + readOnlyRootFilesystem: true + runAsNonRoot: false + startupProbe: + exec: + command: + - "4" + failureThreshold: -950017148 + grpc: + port: -1475121627 + service: 8veUJnWU5 + initialDelaySeconds: 2007069941 + periodSeconds: -1193308189 + successThreshold: 22288729 + timeoutSeconds: -1492112511 + stdin: true + terminationMessagePath: HIj0kQ + terminationMessagePolicy: ȔNj + volumeDevices: + - devicePath: M + name: sDeN + workingDir: V +- args: + - "" + - ihLoishU + command: + - 8Jx + - j + env: + - name: IDOQ6d + value: 12G + image: b4Wv84l + imagePullPolicy: n暨e懔)k + lifecycle: + postStart: + exec: {} + httpGet: + host: Zl2z + path: pzUIO + port: faRx + scheme: 痣甘 + sleep: + seconds: -632399399483384435 + preStop: + exec: {} + httpGet: + host: pklCf2clqD + path: wk27n2gw1L + port: Ufz19 + scheme: ɷņƑG m刡Ęj敂鏸eāa + livenessProbe: + exec: + command: + - Ar2msVeG + - Uzq6cRL + - dujaQs + failureThreshold: -1776611485 + grpc: + port: 835455646 + service: t + httpGet: + host: hri + path: "Y" + port: 1115673796 + scheme: ʟɏķLYÆŨŔ+Č`4Đl + initialDelaySeconds: -739643640 + periodSeconds: -343509466 + successThreshold: -1698086578 + terminationGracePeriodSeconds: 1800922741783400611 + timeoutSeconds: 1182031959 + name: Bq5FHOsB11r + readinessProbe: + exec: + command: + - XaJ8ft + - 57jh + - sAD + failureThreshold: -1798651306 + grpc: + port: -1714447694 + service: ETY + httpGet: + host: V5DSH + path: g8Ygrn + port: Yp9d22 + initialDelaySeconds: 1612392972 + periodSeconds: 1418157100 + successThreshold: -1106593780 + timeoutSeconds: -1970400805 + resizePolicy: + - resourceName: 93At9v + restartPolicy: 涭ɍƍ蕂 + resources: + limits: + 9g69: "0" + h20A4o: "0" + jh: "0" + requests: + h: "0" + ub364wL: "0" + restartPolicy: Ǎ\ƽţ(鄑鴋Őńy餲ÍwWÅ + startupProbe: + failureThreshold: -513807271 + grpc: + port: -788679788 + service: 3vt1qVexq + httpGet: + host: As + path: gG3Jyf6fQ5R + port: 1058443669 + scheme: I?ʐɡ湚犭檚蚗į*o + initialDelaySeconds: 2034517113 + periodSeconds: 2103822699 + successThreshold: 343263788 + timeoutSeconds: 264518020 + stdin: true + stdinOnce: true + terminationMessagePath: AAYYpB1c + terminationMessagePolicy: 贌.[ĉ熶7dzRVç^'谣蔨d搇ĺÎ + tty: true + volumeDevices: + - devicePath: "8" + name: KZo0u22qdit + - devicePath: Fahm + name: lmO + workingDir: tGNhx3deFLdC +extraEnvFrom: +- prefix: 7DB9SS + secretRef: + name: 5rl + optional: true +- configMapRef: {} + prefix: hPVGtWNNR +- configMapRef: + name: FYMIJ1 + prefix: TEtFB3 +extraVolumes: +- name: 2LSr +- name: J +fullnameOverride: Wpq +image: + pullPolicy: M鉃裹Ú&蚑ƈñĎdzɢ/Ɲ9Ws棝 + registry: 0aw5q + repository: PTy + tag: fclX4 +imagePullSecrets: +- name: p95GzFm3JP +ingress: + annotations: + aH: YQ3 + className: IPc + tls: + - secretName: Ec4sB + - secretName: txdIkdw4sg8IB4i9 + - hosts: + - ypg9XtRg8 + - "3" + secretName: DNdM +livenessProbe: + exec: {} + failureThreshold: 913752382 + grpc: + port: 1322195744 + service: iQNfI + initialDelaySeconds: -1439870739 + periodSeconds: 178258715 + successThreshold: -1591263857 + terminationGracePeriodSeconds: 2751522374216629585 + timeoutSeconds: -1117637199 +nameOverride: aD +nodeSelector: + WUADh: 2ruBNaWxT +podLabels: + Avs0UCvd6: "" + LSaZFj: "" + N3gEYOpkd: zqsd +priorityClassName: 2v89v +readinessProbe: + failureThreshold: 1842275861 + grpc: + port: -1389426650 + service: 0bSW249 + httpGet: + host: 0T + path: RnP5zy + port: -514153800 + scheme: k*x"!掫瘑Ʀ扄]Ĝʅƭȑ + initialDelaySeconds: -1077422490 + periodSeconds: 666536934 + successThreshold: 1405066396 + terminationGracePeriodSeconds: -3980601911100433183 + timeoutSeconds: 665413705 +replicaCount: 330 +secret: + create: false + kafka: + awsMskIamSecretKey: 48EJ + protobufGitBasicAuthPassword: U4TfI + saslPassword: xbKdWIc + schemaRegistryPassword: C + schemaRegistryTlsCa: vACi + schemaRegistryTlsCert: l2SQ + schemaRegistryTlsKey: QXTWL2 + tlsCa: sxqA + tlsCert: MZR + tlsPassphrase: Bf18k +secretMounts: +- defaultMode: 278 + name: Vk + path: HIDtODq + secretName: ycVDxFmgC +service: + nodePort: 413 + port: 310 + targetPort: 265 + type: uvupqC6hE4 +strategy: + rollingUpdate: {} + type: ü +tests: {} +tolerations: +- effect: ƛ=åM綁塈'Ʈ7 + key: X + operator: Y葞ęŊ6ùųŗQ膼芏棔ĿF綩 + tolerationSeconds: -7958891124471630696 + value: iw +-- case-025 -- +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - {} + - matchFields: + - key: Jdk + operator: '''妋ū摺wȋ½骭枰ux' + values: + - L3vrBo + - key: AJyvPdo + operator: QBǏ揅饹\欤ĩ# + values: + - KA4X87 + - kAynjW + - key: INtaCgB9Suw + operator: '"' + values: + - sT5QAUbIK + - matchExpressions: + - key: B1ivFyT + operator: ıD芌ʪÌʡ6坨LʞQ蓠kl + values: + - ZM3ncD + - MaDZJN23 + - nQDH + - key: j1 + operator: ^{Q唤涭 + - key: FMwYRC4 + operator: 構ÁHƲ)ǹō + values: + - tc + - 5w4tJ + - gNCNm5J4 + matchFields: + - key: pIsVqr + operator: j@RUȃfǘ·ɏ!Ǖ灃Ņǟ + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + matchLabelKeys: + - oNBV + - ZW2Upd + mismatchLabelKeys: + - XpmujYp + - zQUvv + - o + namespaces: + - xAojOZ + - 53d1p + topologyKey: wupaWwF + weight: -813250565 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: hRMf + operator: 璢ɂo豢埆o + - key: gByq + operator: '|藐Ç钃[qȂřÜ{南湹裻ßŗyŪ赉' + mismatchLabelKeys: + - 4aBT9oEi8 + topologyKey: "" + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - matchLabelKeys: + - qDyyFpFgn0 + - qAR2Fz8Jbiq9oz + namespaceSelector: {} + namespaces: + - NKeVvij2 + topologyKey: 7OPEY5MMS +annotations: + 7YN: WjRdnTY + J0Eg: alDk +automountServiceAccountToken: false +configmap: + create: false +console: + roles: + - BU: null + - {} +deployment: {} +enterprise: + licenseSecretRef: + key: 3UhYW + name: Ooxn6uesqBg8 +extraContainers: +- args: + - zj + - Z5D + command: + - QfnH4gn + - B1xl + env: + - name: 4X + value: Bw + valueFrom: + configMapKeyRef: + key: Pdqw0Fl3V + name: v3KgbGdzsLvC + optional: true + fieldRef: + apiVersion: NUZjeNE + fieldPath: 9HRTR + resourceFieldRef: + containerName: p + divisor: "0" + resource: shkxnjmC2 + - name: 2i + value: Zxb + valueFrom: + configMapKeyRef: + key: w + name: WzK6UiO + fieldRef: + apiVersion: GnFqZ3 + fieldPath: W + resourceFieldRef: + containerName: 7JDYpnHIpM + divisor: "0" + resource: vt2RbP + secretKeyRef: + key: yl + name: 36xB2Q + optional: true + envFrom: + - configMapRef: + name: V2xmAgfwBn1 + optional: true + prefix: seW + secretRef: + name: Nt + optional: true + - configMapRef: + name: IluKDPq + prefix: N6Uhe + secretRef: + name: TvN6Z3p + image: 3fh + imagePullPolicy: Ǜmʥ薑ōB愌熹g樿ƒ畬ʙ襫,PD + lifecycle: + postStart: + exec: + command: + - wIfuPiat + sleep: + seconds: 6128979882442257912 + name: 0U + ports: + - containerPort: -975012330 + hostIP: nNpK2 + hostPort: -554886438 + name: aE + - containerPort: -2098096147 + hostIP: FeG8 + hostPort: -651932845 + name: xKI1Tv + protocol: :鿅Ǐ!Ʋ卫_ʕȼʗ壷薮蒰NJŌ + - containerPort: 520035268 + hostIP: GyA + hostPort: -1998834660 + name: PR61 + protocol: ŗ蜥aɝWCb锨ȐsO忷ODž)Ŗʃ觃輘 + readinessProbe: + failureThreshold: 1975710195 + grpc: + port: 8949492 + service: USXa + httpGet: + host: 6J2Mk51 + path: FL4SJXOTR + port: c2vVT + scheme: B哰Hȼ涪Ÿȣę + initialDelaySeconds: 1164971701 + periodSeconds: -1267122769 + successThreshold: -102609571 + terminationGracePeriodSeconds: 6799552209277780019 + timeoutSeconds: -995107635 + resources: + requests: + 2j: "0" + restartPolicy: V牜(p + securityContext: + allowPrivilegeEscalation: true + privileged: false + procMount: '@' + readOnlyRootFilesystem: true + runAsGroup: 8605999305673537166 + runAsUser: 1347603438902927360 + startupProbe: + exec: + command: + - JZX + failureThreshold: 1080874840 + grpc: + port: 1467429214 + service: NWBu1S + httpGet: + host: 4ta7S + path: RcBu6 + port: RapJB5x + scheme: ']襰騊缜ă4蘆Ȓ0礓厨獸枓8D' + initialDelaySeconds: -2008822207 + periodSeconds: -614674587 + successThreshold: -402818223 + terminationGracePeriodSeconds: -7949916801988602426 + timeoutSeconds: 209096121 + stdin: true + stdinOnce: true + terminationMessagePath: KRYz + terminationMessagePolicy: Âǚ凍ʄĒ(#Ñ狶8脍ÅdɅș妙觶.祍 + volumeMounts: + - mountPath: LdSrOQ + mountPropagation: Ɗ?ǚ[澆槱ɢ丗7鍚6A + name: sqOobya + subPath: JZEkD + subPathExpr: eJU + - mountPath: K4kwb + mountPropagation: "" + name: YNNb + readOnly: true + subPath: Z0mne + subPathExpr: ngxE + - mountPath: E2GSzT0 + mountPropagation: ȝ註鴔 + name: fRhgta + subPath: y6Y3BdtA + subPathExpr: P0gcNQL + workingDir: rCAtq +- args: + - tJjzGKfki2 + - "" + - furHsPXM1J + command: + - DK3Wlo2n + env: + - name: ud + value: FOyG7u4mv + - name: YM + value: T8mzKDDU + valueFrom: + configMapKeyRef: + key: "" + name: YlrM + optional: true + fieldRef: + apiVersion: TysS9Olq + fieldPath: RX4 + resourceFieldRef: + containerName: o + divisor: "0" + resource: HVzew + secretKeyRef: + key: moOz + name: 9IePG + optional: true + image: hy6X7dY + imagePullPolicy: 秊q魷讍暳ɁiitǦ梒Ʀ疗ǘt + lifecycle: + postStart: + exec: {} + httpGet: + host: 1bv + path: 3IXIEBTRQc + port: dHTyBrOPT + scheme: hƉǤ\ɯ竔}gŘ + sleep: + seconds: 3802753693240438477 + name: mieVkOhQ4 + ports: + - containerPort: 1406294206 + hostIP: XrMHc + hostPort: 1756733537 + name: xrlM3Cv9 + protocol: ^箅瑦|ȭ,Ī憘ʓ焯 + - containerPort: 1867162726 + hostIP: p8Zguos + hostPort: 1052086554 + name: NCa4 + protocol: Ǽ丝等I塸)kɹ~颁!跼S薒SrM + - containerPort: 1770363328 + hostIP: WPUeJ + hostPort: -1882733223 + name: gAUfp + protocol: u舨[ķ獚m灑朷ƶ慹Ʀ + resources: + requests: + CK: "0" + c6WG16NOR: "0" + restartPolicy: 欣ƎȄŚ&廚FË倔Ŋ寬Lw秮x捨 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - Ƶəʣ饅ōǧ营Sȑ粴ƞȜj嬷俋箊ʫ + - Yǻ)Iƕƺ:檂躡J勬垒ď%ɦ + drop: + - f{2Ƭɢ~lĕ猆å~? + - 曣晜Ȅ笛 + - 牧 =鄅銣閦ʜ(lȏ + privileged: true + procMount: Âȼ + readOnlyRootFilesystem: true + runAsGroup: -5895892166477051871 + runAsNonRoot: false + startupProbe: + exec: {} + failureThreshold: 1512924080 + grpc: + port: -55537357 + service: 9KQ + initialDelaySeconds: 1472203720 + periodSeconds: 1367361112 + successThreshold: -1486557603 + terminationGracePeriodSeconds: 2382050275815801400 + timeoutSeconds: 246291848 + stdin: true + terminationMessagePath: E7wMC + terminationMessagePolicy: h僊冢ʐȑ + volumeMounts: + - mountPath: "" + mountPropagation: uÞ揶椬=L>ȕ凭Śȅ3džȿȳ + name: xYM + subPath: nMMkHAUoYIsN + subPathExpr: 579Yn2LXk + - mountPath: 5z + mountPropagation: Ƀ陪7k惿Ɏǚ霤ƨƱ«ɤ»ȣ薥頠媉fʠ + name: KIX5g + readOnly: true + subPath: CGOswgk + subPathExpr: oxiB23ZW2KX + workingDir: IzOAr +- args: + - jrZTvs + env: + - name: jxl5Q + value: fm2F7DzZA + image: r7sTpTP8N + imagePullPolicy: 眒弿 + lifecycle: + preStop: + httpGet: + host: WEBUk + path: "1" + port: -377365982 + scheme: 娖阋顿|儴Éȱ鋦 + livenessProbe: + exec: + command: + - 2j + failureThreshold: -1631622345 + grpc: + port: -188887701 + service: s + httpGet: + host: "6" + path: 07rm4AD + port: DCtZ5 + scheme: ʼnK襡5殛鯙ȋʛ稲(C姓 + initialDelaySeconds: -1011676147 + periodSeconds: -1141844037 + successThreshold: -1528778970 + terminationGracePeriodSeconds: 422553046190448128 + timeoutSeconds: 99607263 + name: rhg + ports: + - containerPort: 1265703793 + hostIP: lYiq + hostPort: -931710582 + name: r2OdlKyZ + protocol: ŌK4Ʒ霖R婧,Ģ墤ʠ_Ƒ亽vĨO + - containerPort: -1093198499 + hostIP: xHuDhI2 + hostPort: 1423992590 + name: WdH + protocol: K嚜pn犓ɯ`劮ƫķPLm + resizePolicy: + - resourceName: M3EK5NW + restartPolicy: Ɲ囩 + resources: + limits: + 4zeCyo: "0" + PgUjG: "0" + requests: + IseC3: "0" + WHgRSz: "0" + yzZn: "0" + restartPolicy: ijƞ墫噌L诠=脳%Ɗ + securityContext: + privileged: false + readOnlyRootFilesystem: false + runAsGroup: -1074724161449891976 + runAsUser: 8255497511479977438 + startupProbe: + exec: {} + failureThreshold: -1172398717 + grpc: + port: 1919051215 + service: "" + initialDelaySeconds: 2020291403 + periodSeconds: 450860281 + successThreshold: 193397000 + timeoutSeconds: -665894379 + stdin: true + terminationMessagePath: MCVu + terminationMessagePolicy: ŷÍ:+壩ùI賎Rɜ卮cɣS惕mIɭ + tty: true + workingDir: 2L97y +extraEnvFrom: +- configMapRef: + name: Es + optional: false + prefix: sb4Y + secretRef: + name: 5boSPUJ +extraVolumeMounts: +- mountPath: "" + mountPropagation: ė1)ʩ瀚汋跁撯 + name: jFvwz + readOnly: true + subPath: JP5wgP3 + subPathExpr: J +extraVolumes: +- name: Jq0CSftnp +- name: QMHGzzYC2HW +- name: 1PkbzhfK +fullnameOverride: Uo +image: + registry: gFOwHIo + repository: tdq9GJrg + tag: J +imagePullSecrets: +- name: iA1C +- name: ZOdo +- name: qTOK0W +initContainers: + extraInitContainers: UHL +livenessProbe: + exec: {} + failureThreshold: 1473046311 + httpGet: + host: z + path: qQEf + port: -1047428780 + scheme: ȭ龙ğ疹ǜ"ȹȫ怆Ȉiʊ泹牫綖K + initialDelaySeconds: 272400025 + periodSeconds: -1682707125 + successThreshold: -2007433775 + terminationGracePeriodSeconds: 7823760182761119586 + timeoutSeconds: 2024118005 +nameOverride: Mh +podAnnotations: + bHXzf: nOiRsvEXH +podSecurityContext: + fsGroup: -6946946538076897241 + fsGroupChangePolicy: 呆ɔȂwijà + runAsGroup: 3944693697856007637 + runAsNonRoot: true + runAsUser: -732766343758518304 + supplementalGroups: + - -5691922089175975080 +priorityClassName: 0bGHQk7gL +readinessProbe: + exec: {} + failureThreshold: 1554150391 + grpc: + port: -2094102439 + service: 0dg5DO + initialDelaySeconds: -564389480 + periodSeconds: -266349500 + successThreshold: -428571163 + terminationGracePeriodSeconds: -4351299803972335390 + timeoutSeconds: 1803246595 +replicaCount: 345 +resources: + limits: + LxNMXlMD: "0" +secret: + create: false + enterprise: {} + kafka: + awsMskIamSecretKey: SDPuUt + protobufGitBasicAuthPassword: nq + saslPassword: TLAP + schemaRegistryPassword: AFn + schemaRegistryTlsCa: KbZhZV + schemaRegistryTlsCert: dGfweV + schemaRegistryTlsKey: X2B + tlsCa: Zmu + tlsCert: Lv4BgewmU + tlsPassphrase: bCygOn9yJR + redpanda: + adminApi: + password: AE + tlsCa: CEhIkvxe10u + tlsCert: mjaN + tlsKey: j2mDL +serviceAccount: + automountServiceAccountToken: true + name: H5TDAALUdD +tolerations: +- effect: 媄 + key: IQD9Yww8 + operator: bǾå鱍 + tolerationSeconds: -7454358062612206872 + value: odxS1Q2Sd +- effect: Ɣv璔}oȡʞ¤ + key: ySGX + operator: ƪ渺¸貗ȹV廋ȉňu増嬎Ë韍ǘz茩Ƹ怯 + tolerationSeconds: -1083807005557333468 + value: bAy +-- case-026 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: GP94 + operator: 駑Ŀ峇[ɕdž0 + values: + - jjNFKv8 + - uG7Rs + - ApO075 + weight: -549077137 + - preference: + matchExpressions: + - key: R88 + operator: Dzv)bôȏ磜覐橮波赘T^ + values: + - DscaGMdgXV + - uy + - N3d + - key: "" + operator: 誮Vw!/毴Z匌忶ª渆 + values: + - 4mX0s + - key: byy + operator: 鿟y馡錥HJ鶟b左Ő*čt顭塶 + values: + - 6oQ + - 9r22TM + matchFields: + - key: fNLkt + operator: "" + values: + - tW + - M03GnpfhQn + - key: WQQs + operator: 騡(Í芝x焍麅ɰ窓ɶÜò鵹 + weight: 579622465 + podAffinity: {} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: {} + namespaceSelector: + matchLabels: + IYAfjz: GloAc + namespaces: + - hfFjlR + - KWIdaP11Y + - 3Dn + topologyKey: UB + - labelSelector: + matchExpressions: + - key: B7LSh + operator: ɉ邦夝ɷ1傹Þ袳@ɲ鉴 + matchLabelKeys: + - "n" + namespaceSelector: {} + namespaces: + - 88M + - fIEJUewFK + topologyKey: i +autoscaling: + maxReplicas: 86 + minReplicas: 445 + targetCPUUtilizationPercentage: 362 + targetMemoryUtilizationPercentage: 8 +commonLabels: + "": h0uSAPIi + kuKPk7: "" +configmap: + create: false +console: + roleBindings: + - null + - 9T: null + fxu2XaR: null +extraVolumeMounts: +- mountPath: q + mountPropagation: 跐ʩ4鄧SD炿ɜǚhU + name: "" + subPath: SCLzbAMUW3x + subPathExpr: nzFw +- mountPath: cX8U + mountPropagation: b幈簇@艭K + name: b + readOnly: true + subPath: u5fY + subPathExpr: TRymQ +extraVolumes: +- name: LeIYAb +- name: 176OvjD +- name: b6NpMGfVo1N +fullnameOverride: qhaD +ingress: + annotations: + Lftu: PjroKEh + qvZJNWSzR: Jpoyc0 + className: cAir + enabled: true + hosts: + - host: o + - host: i18Wi + paths: + - path: apsXYvp + pathType: 7q5 + - host: 8eBXg + paths: + - path: cMbMbCQl + pathType: gJT + - path: XvfTwH + pathType: 4se + tls: + - hosts: + - fqD + - JDOgIG + secretName: vzUD + - hosts: + - M6H + - T + - twxgtsi + secretName: lg5siLdo +initContainers: + extraInitContainers: 9KiOC +livenessProbe: + exec: + command: + - 0gsq + - "" + failureThreshold: 1372450161 + grpc: + port: 347104155 + service: Vtf + httpGet: + host: 3Is + path: mFQXEnm + port: -207107285 + scheme: u + initialDelaySeconds: -913177144 + periodSeconds: 912808843 + successThreshold: -765941931 + terminationGracePeriodSeconds: 220495921853460964 + timeoutSeconds: 1174210794 +nameOverride: vLjrafvp +nodeSelector: + ggwC: SQ + rIwToCbB: tUBM5 +podAnnotations: + LtAjph: 8Q + MiPvJub: 0x + j: xR98FRh +podSecurityContext: + fsGroup: -2594082004410587315 + fsGroupChangePolicy: 'ċV1鯍E ' + runAsGroup: -880388195249084168 + runAsNonRoot: false + runAsUser: -9051010573896129766 + supplementalGroups: + - -2777109499517677979 +priorityClassName: JnI8 +readinessProbe: + exec: + command: + - GZAhRFJb + failureThreshold: 1666039794 + grpc: + port: 1689867278 + service: eUJ + httpGet: + host: 6M6GMp + path: hr5gg + port: -751083361 + scheme: 戉窻¦ǃ楓Ëʆ張ǛȤʊLȉŐX5 + initialDelaySeconds: 989921147 + periodSeconds: 536392931 + successThreshold: 1020018972 + terminationGracePeriodSeconds: -955330372102946036 + timeoutSeconds: 1790731281 +replicaCount: 78 +secret: + create: false + enterprise: + licenseSecretRef: + key: yi3 + name: "" + kafka: + awsMskIamSecretKey: J36kR7z6r + protobufGitBasicAuthPassword: xf + saslPassword: jW + schemaRegistryPassword: Z5gF2 + schemaRegistryTlsCa: eGSsHDQm + schemaRegistryTlsCert: NmVf1RW + schemaRegistryTlsKey: DKqtW + tlsCa: 8WuqzUG + tlsCert: yrd + tlsPassphrase: swQ7r + redpanda: + adminApi: + password: mN1ZSR + tlsCa: hrjyEhM + tlsCert: YozBWkwcZ + tlsKey: 1p2 +secretMounts: +- defaultMode: 45 + name: ooYxXE + path: U6f3w + secretName: LyH9zvv +- defaultMode: 429 + name: Hmms9 + path: qzOMXCl + secretName: zvR +- defaultMode: 39 + name: "" + path: dXa6uPxR + secretName: PC2Ms7 +securityContext: + capabilities: + drop: + - ɿX齀蹪 + privileged: true + procMount: Ƚ[孠犥ƶʒ)遷U竕 + runAsGroup: 5229411704597623894 + runAsNonRoot: true +serviceAccount: + annotations: + "": tWl + 5mzy: 4t87VKeHA + a: UqD3iv5LoNYP + automountServiceAccountToken: false + create: true + name: Utu8ZHG2 +strategy: + rollingUpdate: {} + type: I6终j2炅ȲbȻ +tests: + enabled: false +topologySpreadConstraints: +- labelSelector: {} + maxSkew: -154369657 + minDomains: -319419210 + nodeTaintsPolicy: '#Vʅ糗斬ƈ橮IJȶ纀' + topologyKey: dTnKex + whenUnsatisfiable: '@OȤ驮Ʀ琓' +-- case-027 -- +automountServiceAccountToken: true +autoscaling: + maxReplicas: 432 + minReplicas: 265 + targetCPUUtilizationPercentage: 239 + targetMemoryUtilizationPercentage: 130 +commonLabels: + Q0: "" + T4ZmAFi: nfIb0b +configmap: + create: false +console: + roleBindings: + - ElN: null + roles: + - DZcCdT: null + imlLddN: null + - null + - 0MFHoDlkID: null + Xe: null + daS: null +deployment: + create: false +enterprise: {} +extraContainers: +- command: + - WY + - F9X2FePO + env: + - name: MbWT2gynlq + value: S + valueFrom: + fieldRef: + apiVersion: 4msaX + fieldPath: XvlI + resourceFieldRef: + containerName: LEQ + divisor: "0" + resource: oHigE + secretKeyRef: + key: feJnSFqmYy + name: m3lrGM + optional: false + - name: omlZ5 + value: w + valueFrom: + configMapKeyRef: + key: w3iwXnte + name: LqORIZ + fieldRef: + apiVersion: D + fieldPath: bG + secretKeyRef: + key: UeU9m8 + name: 1asSl0l + optional: true + envFrom: + - prefix: HYy4 + secretRef: + name: Q2DTvNx + optional: false + image: jqvBPfz + imagePullPolicy: 庛Ƴ2ɥÔǦ /d2&xȉLJǸAƟ + lifecycle: + postStart: + exec: {} + sleep: + seconds: -1579243177624029331 + livenessProbe: + exec: {} + failureThreshold: 1986638671 + grpc: + port: -1841897347 + service: iUEc + httpGet: + host: CN + path: Dg + port: SYkYMHB + scheme: Ě緷8ĸ)=©ʢ昆ſ9 + initialDelaySeconds: 1029653594 + periodSeconds: 1999066162 + successThreshold: 1106634015 + terminationGracePeriodSeconds: -9022596879374385638 + timeoutSeconds: -809472655 + name: 4D + readinessProbe: + exec: + command: + - iBTD4t + - MY + - Nf + failureThreshold: -1222179068 + httpGet: + host: kgZUkVZPDf + path: hM0yLfiTS7 + port: 846109331 + initialDelaySeconds: 1673719989 + periodSeconds: 1380685354 + successThreshold: -606822450 + terminationGracePeriodSeconds: 2325612573519357970 + timeoutSeconds: 1351631713 + resizePolicy: + - resourceName: KQTh + restartPolicy: 變ȶjȤðʂȈE9ȹɵ礌蓍p殗Ɏ$蟙預 + - resourceName: BATAmUasox + restartPolicy: G寄7]^v腘 + resources: + limits: + 1mn: "0" + 8dnmgn7Vur: "0" + QUXI: "0" + restartPolicy: Ė + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - 餋Ƹ + - ǂnlș + - VLJ2範足诮ÈƋʡĻ + procMount: u¸`TE擴弌/yƦ6帜ǏT鱷潈ř蚒 + readOnlyRootFilesystem: true + runAsGroup: -2334732936143374752 + runAsNonRoot: true + runAsUser: 8673583599260752552 + stdin: true + terminationMessagePath: M934 + terminationMessagePolicy: VF¾弎6a巭ġʥţƟ贯Ǐ飙卮ǥĤȸ + tty: true + volumeMounts: + - mountPath: DzNFL + mountPropagation: 单嶃ɠȕƢ砩寢烕TnǣɅƩ帳 + name: "75" + subPath: Up5FB + subPathExpr: 6nD + - mountPath: qj1c9JPX8 + name: 1K + readOnly: true + subPath: H + subPathExpr: LEVSxozubwU + - mountPath: Ll8X + mountPropagation: '@ï禺pƱ=庶ŊJĤ那[:晙dYĸ獘' + name: PGcOpQ3CM + subPath: 1eBZtMIP + subPathExpr: CRyBKRO + workingDir: s +extraEnv: +- name: k7DjEACXyN + value: Pa4mYEUC + valueFrom: + configMapKeyRef: + key: "" + name: RHdV76r + optional: false + fieldRef: + apiVersion: wxIgM + fieldPath: aBDwplYtr + resourceFieldRef: + containerName: xIL7REN8 + divisor: "0" + resource: QCgp9k + secretKeyRef: + key: ag7Jr1e0 + name: I8vGzsJX + optional: true +- name: pG + value: yTh3djvsV +- name: fjV8k4J8 + value: KHKYS + valueFrom: + configMapKeyRef: + key: DFyBHQO + name: s + resourceFieldRef: + containerName: vd0tsh + divisor: "0" + resource: IgH + secretKeyRef: + key: F + name: a34HcjMyaQ +extraVolumes: +- name: "n" +fullnameOverride: 61hunk +imagePullSecrets: +- name: jkqm +ingress: + annotations: + "": ZtbWlWc + y1ML9Hmg: d6h9 + className: Ijdd3 + enabled: true + tls: + - secretName: x + - secretName: aSf1 +initContainers: + extraInitContainers: vN +livenessProbe: + exec: {} + failureThreshold: 302661968 + grpc: + port: -418561550 + service: kQV1xc + httpGet: + host: UlBEGBj3 + path: qjxTH + port: n7 + scheme: '''(旆PT馷J溠F斃ɦ娴含Q嘱\t9' + initialDelaySeconds: -1367097431 + periodSeconds: 2073795341 + successThreshold: -1800407036 + terminationGracePeriodSeconds: -3519876905947517853 + timeoutSeconds: 1644960855 +nameOverride: h9P +nodeSelector: + B1PiWrl0VUETb: x + DhTxFTV: 3O4Y106 + i8QiXusZ: YBeiJfZK9g +podLabels: + Zrl6: 0D0M + wbG: ZcWnb +podSecurityContext: + fsGroup: 3334237787347678751 + runAsGroup: -5325418670707949502 + runAsNonRoot: true + supplementalGroups: + - -2717337443247240979 + sysctls: + - name: "" + value: R +priorityClassName: bpi +readinessProbe: + exec: + command: + - xz + - e2gf + failureThreshold: -1765420422 + grpc: + port: 879468582 + service: bqFsvC9nR0 + httpGet: + host: CrL + path: 9Jt + port: 7Y + scheme: )ǔ軛醲]8z傏$荸觖稄鱑Í朹s狑Ȱ螪;ǃ嘲 + values: + - gIlS + - 5lD7AvT7I + - "8" + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: hi0zfFEN + operator: 裧禿 + values: + - SymXRnv + - iKr + mismatchLabelKeys: + - wesfXhv + - Z78yvK + namespaceSelector: + matchExpressions: + - key: jqHt + operator: ûų:碃;ė燱5ìb-垢xźɆ + values: + - u8cOuqy + matchLabels: + "8": nCrnu + Fd: 5YhLJD3 + r5sMi70hp4TeB: KrDX7d + namespaces: + - LOH + - 9EvOI7HWh + - 5sHJp + topologyKey: "" + weight: 403248696 + - podAffinityTerm: + mismatchLabelKeys: + - Vrf + namespaceSelector: + matchExpressions: + - key: 5w + operator: '|泀ŏ咙ƚ' + matchLabels: + 4vRvwhR: Nz + T6uTCUGiwx: lS + ZuFER: Db8xhFevK + topologyKey: K7NA + weight: 249855905 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: No2 + operator: Ɗ]鿇躠骐 + matchLabels: + 7nohEoAMei: WrMV + ddLK: 2ehkh + qtrhf: EAAqHFcrjgT + mismatchLabelKeys: + - DrrBoq + - Nh + namespaceSelector: + matchExpressions: + - key: BEXHPr1wQ + operator: 傝魦voȪwć撈 + values: + - i3 + - gUU + - 7nmbvkGs + matchLabels: + Rh65F: rKR + namespaces: + - 1x9DGG + - xKj137E + topologyKey: CSNQy1M + - labelSelector: + matchExpressions: + - key: psq4G + operator: ɓƦ + - key: 3IlNf + operator: ćȬ4鏉1, + values: + - L0 + namespaceSelector: + matchExpressions: + - key: nVgt + operator: ɤ湿ŭò-ɋ鼴)箥Ȅ鋖ʄBK + - key: GD7 + operator: 峄9ƚ涙閉ʃ謩云飠:鎂玚wƁȖ] + values: + - i8cg6A + - TeOYSsj + topologyKey: rEB + - labelSelector: + matchLabels: + s0PrY366si5H: Qwj + ytBgNf0: e + mismatchLabelKeys: + - eylzvu + - q + namespaceSelector: + matchExpressions: + - key: os4H6DpxQ + operator: 5õċ鋵葿葄痄ɍ览逪ȋ`j + matchLabels: + vL3arho: gPmLG + namespaces: + - PjQTIWTFeK + - g5HCelWpMjnF + - QN3mXW + topologyKey: I5osiWTrzhb +annotations: + WVwaqt: gTMC + s6HZpOA: bc0 + sZaCXy: LXRQNTghxb1 +automountServiceAccountToken: true +autoscaling: + maxReplicas: 404 + minReplicas: 186 + targetCPUUtilizationPercentage: 200 + targetMemoryUtilizationPercentage: 383 +commonLabels: + HzuQ: mCfbHBQ + xi7L: ibI45 +console: + roles: + - null + - null +deployment: + create: true +enterprise: + licenseSecretRef: + key: 8MG + name: 83OH +extraContainers: +- args: + - K9 + - 02olyp + env: + - name: F + value: rhVGTadjT + valueFrom: + configMapKeyRef: + key: 3TA0cg2R2 + name: DLZ + fieldRef: + apiVersion: s + fieldPath: Ux + resourceFieldRef: + containerName: avop + divisor: "0" + resource: itl5J4xK4 + secretKeyRef: + key: Av9eKok + optional: false + - name: QaOLYDLT + value: FQu + image: 1MFnpZG + imagePullPolicy: 脓 + livenessProbe: + exec: + command: + - lH4S + failureThreshold: 1311534645 + grpc: + port: 1048835191 + service: p5EtELTs + httpGet: + path: Zjrv + port: Ypah5av + scheme: þʙ龠ȉ%Vę皓ŏ蟝ǙĿìɋN + initialDelaySeconds: 1980070741 + periodSeconds: -728109708 + successThreshold: 1412960079 + terminationGracePeriodSeconds: 4797597904045467368 + timeoutSeconds: -1164059804 + name: oron + readinessProbe: + failureThreshold: -1734715333 + grpc: + port: -673781482 + service: 20iHh + initialDelaySeconds: 270804414 + periodSeconds: 1240219458 + successThreshold: 957649997 + terminationGracePeriodSeconds: -7921460752123720147 + timeoutSeconds: 2069469191 + resizePolicy: + - resourceName: M29 + restartPolicy: tL + - resourceName: WK + restartPolicy: T軂>ȋ1觫蚴Ș + resources: + limits: + KS: "0" + ZDx: "0" + kIjQHQZ: "0" + requests: + BSB: "0" + restartPolicy: LJW獮 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ɺ嚹晐囕胐ƻ + - ņɹ桴O塾q6賤呋f铰}Ʒ輽ʁ[顝 + runAsGroup: 6868723237582569296 + runAsNonRoot: true + runAsUser: 433131246318901172 + startupProbe: + exec: + command: + - mB6 + - Om9w + - "" + failureThreshold: -1184477652 + grpc: + port: -1276243610 + service: m6d + httpGet: + host: VzPuwIiTpY + path: C + port: 0NYj1C + scheme: V=@彆鈂t³Ɉµs斾m蛊ɲ + initialDelaySeconds: -898287287 + periodSeconds: -413255468 + successThreshold: -1510482870 + terminationGracePeriodSeconds: 4884332649151510354 + timeoutSeconds: -1445193311 + stdinOnce: true + terminationMessagePath: DQTH7 + terminationMessagePolicy: ÈɁ;ň);ɑI×ĕ觫'ɣ + volumeDevices: + - devicePath: v + name: AZ6wCimJFM + - devicePath: ZtIx + name: GFe3 + volumeMounts: + - mountPath: tt + mountPropagation: 侮E墝調cé攊疀" + name: UJ + readOnly: true + subPath: JlqP + subPathExpr: lA2v + workingDir: OV90 +- command: + - 8jHRuz + envFrom: + - configMapRef: + optional: false + prefix: yfl3PI + secretRef: + name: r7eR + optional: true + image: m4Etaoz8Bf + imagePullPolicy: okÛļ閷YƗzƄǧ + lifecycle: + postStart: + exec: {} + httpGet: + host: zu9aQLsX + path: xIFogzAoC + port: 1MjUE + scheme: 斔疏ʟn菝 + preStop: + exec: {} + livenessProbe: + failureThreshold: -1399917612 + grpc: + port: -876522011 + service: 2y + httpGet: + host: X9nNdf + path: 8mVJlz + port: 220487349 + scheme: 兇)hr裳ǔ湟钑>ȓn厠tū晣颊 + initialDelaySeconds: -968878635 + periodSeconds: 411754743 + successThreshold: 2083381130 + terminationGracePeriodSeconds: 2736468416107855115 + timeoutSeconds: -423937148 + name: Or + readinessProbe: + failureThreshold: 1628351372 + grpc: + port: -1466105410 + service: b + httpGet: + host: 8kOz + path: IhSlrBw8tiX + port: 1Vd + scheme: qV·dƖ> + initialDelaySeconds: 735135195 + periodSeconds: -175995819 + successThreshold: 1379601279 + terminationGracePeriodSeconds: 386635447886660712 + timeoutSeconds: 125503732 + resources: + limits: + LuudLJ9i: "0" + iXpYUWY: "0" + mHi: "0" + requests: + XLnFU: "0" + mSq9e3u: "0" + t6WYwzmga: "0" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - ɭ鎣肪綢ȀNj8)屫鈄骸嗢æ憰qWTƶ剡 + - "n" + - OwkʙƝk}ɾ丧< + drop: + - Ť<嶼ȯ愉9宆嵧pɡ%ɐxė鹞鸵鏞 + - ƅgʆ炊ƞąÙ$Ǯ帶SȔ黌畕ǦƖȫV9 + - Ŏʠ羮ɍ痘摬 + privileged: true + runAsGroup: 5710532895986022625 + runAsUser: -7207500526873245606 + startupProbe: + failureThreshold: 2053062827 + grpc: + port: -1076044334 + service: s8s7 + initialDelaySeconds: 7348194 + periodSeconds: 889500482 + successThreshold: -645465298 + terminationGracePeriodSeconds: 4356974427366499939 + timeoutSeconds: 136481601 + stdinOnce: true + terminationMessagePath: t4pW + terminationMessagePolicy: ƣ + volumeDevices: + - devicePath: Df8O3UFZ + name: QL93u + - devicePath: WKg + name: nD4H + volumeMounts: + - mountPath: xs9 + mountPropagation: e羝ș+oũ蘘汉 + name: grr + readOnly: true + subPath: aUYSuUM6f + subPathExpr: mm773yL + workingDir: o +extraVolumeMounts: +- mountPath: P + name: zBgE7HVQ + subPath: hw6PBLgv5R + subPathExpr: YAI5mPj5 +extraVolumes: +- name: "" +- name: SXJ +fullnameOverride: HK +image: + registry: nZ5PG + repository: 5q2qCT + tag: z10JAfCu +ingress: + className: fq2w +initContainers: + extraInitContainers: DVbGC0v6g +livenessProbe: + exec: {} + failureThreshold: -1989869025 + grpc: + port: -580257384 + service: xF + httpGet: + host: EFelM2 + path: NL + port: -1619787350 + scheme: eƌ閽2溧估槞 + initialDelaySeconds: 56050789 + periodSeconds: 193173949 + successThreshold: -1606638368 + terminationGracePeriodSeconds: 9170924509557781641 + timeoutSeconds: -1117024654 +nameOverride: 3Wh +nodeSelector: + Jy9: v + VcMeUW2U: xOwcDQYY + wkI: TbemvxUUg +podAnnotations: + IVy: ho3qpcI +podSecurityContext: + runAsGroup: -9040107238323408835 + runAsNonRoot: false +priorityClassName: sLkcwZ +readinessProbe: + exec: {} + failureThreshold: -509957017 + grpc: + port: -1088874416 + service: kVlcoq + httpGet: + host: yJj + path: SWu6bW + port: V + initialDelaySeconds: 1816814831 + periodSeconds: 406466643 + successThreshold: 450108513 + timeoutSeconds: -1862950899 +replicaCount: 385 +resources: {} +securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - 邻ȸNJ"纴ý汫篤訙铵寄貹Z[逗ą弣 + - lǀ敕ɖ + privileged: true + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 3375680259081538534 +service: + annotations: + 33Yi: tesf5 + nodePort: 286 + port: 389 + targetPort: 52 + type: sIQBZD +serviceAccount: + annotations: + 0E6ZFg: nO7Yr55 + 8JN3: B + create: false + name: 43zobnL +strategy: + rollingUpdate: {} +tolerations: +- effect: 蜆³Ə抴璖獍ä鷲炥/=霒0ǷU伀稂ı + key: EMvrrkeG3 + operator: Ȓǒs夃Ȑɉ鋄蛓m÷,旂 + value: yd +- effect: 旌;"ȡ媟窐:ljʥh蓭殰Ȩƴ邃ȬIȻL + key: n87GpiB + operator: '偵~ȥʢȈ珎ſ龕5sʠŇưT4-§Ƀ ' + value: TUaznROmQffrRe1 +-- case-030 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: i3NrGin + operator: LȜɯı偎鵬ćƾ輨ɒ诏Ƞ韾ʂɅ袅 + values: + - ceEnH + - hk + - key: NcZdG + operator: 4# + matchFields: + - key: iJJ + operator: 椤甏Q"dč膌嶁ŵ + values: + - pqbO2v + weight: -888291486 + - preference: + matchExpressions: + - key: 6yk + operator: +[`¥鯦Kqlǣ詆繉ĔNjUƆ + values: + - 9jizdnZ + - 1HUyNhM + - qxDTvf + matchFields: + - key: hCPEY + operator: Ɇ>隣,讽鬓捍+瞶媘暺ɭEƙ + values: + - Ripsc + - CqS + - key: DVFDiRmz7 + operator: U[ + weight: 1468051205 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: v + operator: 舘LJwMa煗 + values: + - 8yax8 + - acSVUNTfJ + - "" + - key: oeJI7K + operator: Ȩ岵Ư塠ŕ惆^ȹ]Ǥ(蓂心[6 + values: + - VT3avr + - 1sP4V + - key: INgeGc + operator: 7ȋ_ƫ俾NīÂ缷 + values: + - K6yWR + - matchExpressions: + - key: s + operator: ǖ鱝U9y,ijO<ǯŹ斔ɥɍQŝŘ + values: + - V7Cj8gd672O + - Jxq7EqU + - "" + - key: gYq6n + operator: J30ǂ涉Ǖ絜拃Ȃ隰韤Ko + values: + - cFfLM2a + - cmwJ5 + - NvVSgzPk0K + - key: ha1vIvxMS + operator: 鹶ƦÍR\Y + values: + - kno2LivX + - ZBSIfmJ1 + - Xy + - matchFields: + - key: cGJbcb + operator: M$铯但ƙ崍0塁7ɔ籇ȏč3ţħ + - key: t9tN + operator: ĴĹApŰƎyģ+7ɬ5 + - key: q + operator: ĂǮȅ魥ď疪@ɓ擼 + values: + - GHyvS63U + - lupcwbTbly + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + q: oY6el1mi0 + w: C7Cxyx + matchLabelKeys: + - HMg6IP + namespaceSelector: + matchExpressions: + - key: Crz + operator: əɃ笕P頔ɾ絿ɟ秜Ć冦Ǒ钹圤|讪ɩ + values: + - Dtei + - 1zhZl + - bd + - key: RjH6F + operator: æ監F箂Ñ9 + values: + - n91j6BXw + - 3RLy + - m + namespaces: + - N0Oqq32Q + - TJpJ52Je1Ikj + - "" + topologyKey: HeJdmR + weight: -259316091 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: R + operator: 麦谐ƺɐqNJ7篐瘘ƊƧR菴qȃ + values: + - 8p + matchLabels: + WW: GL0oC8Fkf + mismatchLabelKeys: + - cdHA3 + namespaceSelector: + matchExpressions: + - key: ar9Y3Br + operator: pK屨鑊聫翶鲔举腏熝ɴ鷏žŝ + namespaces: + - U9UV + topologyKey: cpw + weight: -400075332 + - podAffinityTerm: + labelSelector: + matchLabels: + hYm: "" + mismatchLabelKeys: + - fCOHEas + - uHnZlu + - zhGS + namespaceSelector: + matchExpressions: + - key: HZEOkit1i + operator: '@ÍȪ蟔ʖ' + values: + - t9Xj + matchLabels: + "": so + topologyKey: "" + weight: 2103394856 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: 5LP9ZW14 + operator: "" + values: + - O4Urq + - key: f3f + operator: õǷ膀3堢ƧŸ + values: + - GJnsN0 + - key: MOJiCs9Qi + operator: Ȥ:危L昝×秲d3ğd曱窸 + values: + - 3keSh + - Uyy + matchLabels: + R: dUyJ0OOVapc + mismatchLabelKeys: + - Xjqx8f + - I5k + - wq0 + namespaceSelector: + matchExpressions: + - key: UP + operator: ȡ畅fȐiú鍿6+襄懬Uċ + values: + - NmZvVOQ + - key: P0hfM + operator: 黣`倴Ŝʪ鰷淸 + values: + - 0GsglT + - MMOe + - uU7Q9 + - key: qnv + operator: æ钹eťǧI薶瘃預ʑ歪yʖb7IwɄ + values: + - McuTAiUq + - XvSAD + - 4e9Vd4vq4 + matchLabels: + "": 4O2glzZ + namespaces: + - wblXzeT2 + - qKILJo + - lPV + topologyKey: Jnwfpfk + - labelSelector: {} + matchLabelKeys: + - tMph8mi + - Ry31wp + mismatchLabelKeys: + - tBHze4gtm0s + namespaceSelector: + matchExpressions: + - key: RpYdzfZ + operator: 攆KRɮõ涸WæĥŽ¡犇fʼn利$蘁干 + values: + - 8Pxd + - V50 + - key: I0O + operator: w"ʈö褥屑ɣAR(憍Nj松趯ĩȁ + values: + - "" + - 6yt2J + - key: fR7 + operator: GǼ舿 + values: + - gP + - LxpC1 + - brLBqM + matchLabels: + "": D5eSOeauL + namespaces: + - xrd20T0 + - GVD45 + - UU3YxE + topologyKey: augu3G + - labelSelector: + matchExpressions: + - key: c17UgoCbg + operator: -蟁楉mƸ赢UȇEŏ + values: + - cr + - CSYe + - key: FM6GBGy + operator: ;疩Ȯ慫ʂy_Ɛ碷ʩʀđ忮 + matchLabels: + Q4hS: 2Z + w: pvyR + matchLabelKeys: + - PLi + - G2W4IV + namespaceSelector: + matchExpressions: + - key: 8Z + operator: Ȩ卭閃N弲ʠǠ驯Ɩ8Ýʊ + values: + - rEFXZ1 + - oXxjjBM + - iovjqaN7g + matchLabels: + 3ZwMBixAo: QeYp0O + topologyKey: AH3A + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + 7hX7: uCFlimRES0ZJ + matchLabelKeys: + - CxxMt + namespaceSelector: + matchExpressions: + - key: Xra0M + operator: ʙƤ潯ɔ + - key: "" + operator: 8媮­Ů籌<ǫ + values: + - RsIq + - wqR2cm + - key: ottvJh4 + operator: ¢M&<叇誆戛!Ʒ"(Z氇z錉¬$ + values: + - 5sMUIY + - SV + matchLabels: + iciKwm: xkq + vPG: oQs + namespaces: + - AtM4 + - rZdQ + topologyKey: 9FnG + weight: 1109931313 +annotations: + 5ya: nNowhQY2Bp +automountServiceAccountToken: false +autoscaling: + enabled: true + maxReplicas: 10 + minReplicas: 306 + targetCPUUtilizationPercentage: 227 + targetMemoryUtilizationPercentage: 477 +commonLabels: + T: f0 + jwrBMvwfg: K6I5HsI5 + nk8eJc: nS +configmap: + create: false +console: + roleBindings: + - E: null + W67WBz: null + nYCT7q9: null + - 2S0: null + Nx24C: null + WacOKFS1: null + roles: + - i5oc: null + - {} +deployment: + create: false +enterprise: + licenseSecretRef: + key: ZJGo + name: oxACi6X0cy +extraContainers: +- env: + - name: rV6MouQf3 + value: E21XoHIB + valueFrom: + configMapKeyRef: + key: LDu + name: Flu + optional: false + fieldRef: + apiVersion: Rc8broTqb + fieldPath: "6" + resourceFieldRef: + containerName: VPb + divisor: "0" + resource: PUL + secretKeyRef: + key: xwKJr5 + name: 8K3IIl70g + optional: false + image: d3e1 + imagePullPolicy: 梅E垉丿ȁƘg/§Oaq嵌艷ɖ½飚 + lifecycle: + postStart: + exec: {} + httpGet: + host: WyIob + path: sVvxO + port: SivnsYEe + scheme: Ǖɜsk煨a% + sleep: + seconds: -5241114468416153504 + preStop: + exec: + command: + - h0 + - PbwM + - xML1a5IbGl + httpGet: + host: i8l7K + path: v0TIlzugj + port: UO1j5 + scheme: 痍´荭鲪 + sleep: + seconds: -5262918982231100330 + livenessProbe: + exec: + command: + - MAKziqqn2 + - RtC + failureThreshold: 301723627 + grpc: + port: 1522990624 + service: Y2uF8U + httpGet: + host: 8E6hLWDfL + path: ptr + port: -819495670 + scheme: 畊傲Ā5ʇġ杭ăïƺƢh]薰 + initialDelaySeconds: 975121998 + periodSeconds: 1462200965 + successThreshold: -1868145610 + terminationGracePeriodSeconds: 438373319570860757 + timeoutSeconds: -992167018 + name: xGfw + ports: + - containerPort: 1210092140 + hostIP: aXzKT + hostPort: -1118392417 + name: A5VIRuB0ki + protocol: 巔B兓汳LDŽ5ǒʛ岹璜ʂá&Ɠ + - containerPort: -1184047055 + hostIP: nLlzZ + hostPort: 1916025056 + name: CSeXd7M + protocol: 朿! + readinessProbe: + exec: + command: + - AfVsN7lM + - SoZ + - yZ2uB93C + failureThreshold: -1305050809 + grpc: + port: -1574571534 + service: vhf8x + httpGet: + host: 2zqRpIh + path: ZRe + port: 1109632462 + scheme: '*h嶳椗痢%īƺ' + initialDelaySeconds: 157767030 + periodSeconds: -538159566 + successThreshold: -909232559 + terminationGracePeriodSeconds: -1089882796882580867 + timeoutSeconds: 1392958383 + resizePolicy: + - resourceName: JCDaktfU + restartPolicy: 鈇Hƣv蘺 + - resourceName: "" + restartPolicy: 魔ţv毇俺ɚ + resources: + requests: + DA9: "0" + XdW14: "0" + lUcQG: "0" + restartPolicy: 淣遦髺tMőƤ橷僟 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 兪q6赀覱勯痜.I膴6+V旱Ő佀 + - 焤Ċʐæ舁ŕ齸Ġ + - uo妿Iǥ2JǟAŊ訖ʆD + privileged: true + procMount: Ɋ胘ſȾ鞣殦ơɧ­ǶǴU譶 + readOnlyRootFilesystem: false + runAsGroup: 5199515302292266073 + runAsNonRoot: false + runAsUser: -7335995488954570305 + startupProbe: + exec: {} + failureThreshold: -777300462 + grpc: + port: 2095052331 + service: bfVTOPN1hv + httpGet: + host: Kp + path: b1bcG9oDl + port: 1383634294 + scheme: 谳涿v衃$Ơʓȳ浲呯 + initialDelaySeconds: -1373123738 + periodSeconds: -1183287381 + successThreshold: 685684993 + terminationGracePeriodSeconds: -4093444870298300516 + timeoutSeconds: -1903691809 + terminationMessagePath: olo1u + terminationMessagePolicy: 怚PʢŸiųŞv嶷宇ƏȌ¥ƀ + volumeDevices: + - devicePath: qFB10P + name: "" + volumeMounts: + - mountPath: YW9lWgZeNE + mountPropagation: 鰛8Ȗ×ʞ + name: Tot + subPath: Ty + subPathExpr: spiOgT0A + - mountPath: SgUmz6Q + mountPropagation: Ă別Z醰棘纀C蘂× + name: ddMHT + readOnly: true + subPath: 8J3YB + subPathExpr: K + workingDir: OQ4 +- args: + - bAsse7O + - u + command: + - MzlyVYHO2w + - oRBJF + - Nafr + env: + - name: U + value: RNGsZ + valueFrom: + configMapKeyRef: + key: YX6H + name: ab92 + optional: true + fieldRef: + fieldPath: 1SR7mfWfzFL + resourceFieldRef: + containerName: C92ipM + divisor: "0" + resource: x4S7 + secretKeyRef: + key: WhzPa + name: lAvfz + optional: true + image: nP + imagePullPolicy: ǫyɮȯ + lifecycle: + postStart: + exec: + command: + - ucft + - K8XaCG + httpGet: + host: rza + path: JhnYc + port: e0 + sleep: + seconds: 6253871176572388811 + preStop: + exec: + command: + - Uiuiougu + - "" + - 3Gx5Gu + httpGet: + host: VQzMXk + path: ws + port: -474919374 + scheme: w媦÷帹ȅW閫ĭ# + sleep: + seconds: 4571098797230986244 + livenessProbe: + exec: + command: + - pHp + - MDPb7 + failureThreshold: 871873843 + grpc: + port: -422130433 + service: nC + httpGet: + host: M + path: p00iJRicrG + port: bS0X1wo + scheme: m鈎Z趟樥R%飅 + initialDelaySeconds: -604803912 + periodSeconds: 1886242291 + successThreshold: -1386436865 + terminationGracePeriodSeconds: 3067492874024630757 + timeoutSeconds: -1583378445 + name: Si46O7YRR + ports: + - containerPort: 1700510643 + hostPort: 251260843 + name: JkZyRGNq + protocol: ȅz,ǹ昉 + - containerPort: -1859013382 + hostIP: NHKaXL + hostPort: 831309722 + name: y9vWUO + protocol: ʡƊX| + - containerPort: -2125300283 + hostIP: jj3qc4 + hostPort: -278349921 + name: Aa + protocol: 耛v6]jç錛洘¶緛uȁ竿 + readinessProbe: + exec: + command: + - "" + failureThreshold: -784645974 + grpc: + port: 1390591548 + service: "" + httpGet: + host: lNyXDdzed + path: W9q4gnCB + port: 4YUq5drSLjLPw + scheme: 唡家調Ô蘓狥ć4^謋遭ŧ厑Ƕ¤ + initialDelaySeconds: -315867707 + periodSeconds: -1221044118 + successThreshold: -2057597685 + terminationGracePeriodSeconds: 8064296597671882818 + timeoutSeconds: -1128414965 + resizePolicy: + - resourceName: MA + restartPolicy: tÜ榋ɼ + - resourceName: bwI + restartPolicy: 斪4瓏鍣ĊYƞ睽%ü劘ĥÑC­ + resources: {} + restartPolicy: ǫ歩ʏ朄DŽ8Ǫȩ;毆|ȕ潆Zʚ輘殈ɔ + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - '*驲' + - 纒寻$KŞ菤Ľ恎eɈ鏽 + - ě宭`羧\LƝ攅嫜ɫʡɞǍ緭p誂 + privileged: true + procMount: 楛钞óŰ)5鞊tY榋肦Ȓ + readOnlyRootFilesystem: true + runAsGroup: -3200847944437364683 + runAsNonRoot: true + runAsUser: -5188355058620722927 + startupProbe: + exec: {} + failureThreshold: -718122732 + grpc: + port: -2045013242 + service: Zg34 + httpGet: + host: slqfokZ + path: SlStyexr + port: 101605170 + scheme: Ȅ.隊ou纾ƙŨ`aʭ + initialDelaySeconds: -467990622 + periodSeconds: 446042771 + successThreshold: -504446684 + terminationGracePeriodSeconds: 1811254130314346303 + timeoutSeconds: -1983992134 + stdin: true + terminationMessagePath: zLDb + terminationMessagePolicy: ōe谕ńg"qy暵ȵ抷¬Ʃ蔚盓 + values: + - tQP + - lAyg + - "" + - key: qaIUADOI + operator: '&Ɗ³ĵLJ鎌ɝǏ縉j' + values: + - 6ot8DTU + weight: 969637277 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: j9Rzed0C + operator: Ò + - key: 02b + operator: "" + matchFields: + - key: "0" + operator: 9Š篅)笕Õ^ɤ疫ɜȬ + values: + - "n" + - key: 96k + operator: 觱踊ĝğOɎʁ胳}$g鄈ʮ誦Ň鱝炠抡凓 + values: + - pJdgL + - 00uMch + - key: pz1WHTJ + operator: 濐r! + values: + - i4rsr5 + - PI8GPtiCkkahh + - matchFields: + - key: oTjdt + operator: $ƹȔLj硍čȒŪ涏ȰŞdų悋ĶA + values: + - KOyvX + - 6JNFdnH + - e59WgamF + - key: lu3OH + operator: ǽəơȽĬt嶫cŭ + values: + - 9SKaOYPiL + - 1ioL + - pZde + - key: Jd6LB + operator: ']洔璗3NZ貦ʞ%ȮǵȺ絥ņ' + values: + - dKyLtzFaqg + - yCg + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: siTiGS + operator: ʐȱe峫LJ鐻cȚEqkwt!ģ + values: + - "" + matchLabels: + Aj: V + P5zpV: 8hC + mismatchLabelKeys: + - 4wtTpNGnV + namespaceSelector: + matchExpressions: + - key: K2ZsAt + operator: 妗巪Wɱ鲵Ǯ洭 + values: + - jxl5gm5E + - X2 + matchLabels: + ly6r: 9k + o0G: "Y" + namespaces: + - Q + - XpXqm + topologyKey: Qrt + weight: -1221853228 + - podAffinityTerm: + labelSelector: + matchLabels: + Jc9: Ftx4sR + Zi0PNgVi: EUuTsR + dQt607d6aSO: RSEoObj9yY + matchLabelKeys: + - odAAyA + - ZUwkRz709gR + namespaceSelector: + matchLabels: + Ag0Kix1n: laC2fYO + topologyKey: izD + weight: 600976747 + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: {} + matchLabelKeys: + - QRHiPYut + - KfMAojY + - Vww + mismatchLabelKeys: + - TTnksi7Ob70 + - gGyPv + namespaceSelector: + matchExpressions: + - key: XYpda + operator: q砐ʌƭʩ烬P§Ǩ + values: + - k7 + - SKn + - eefGAA + namespaces: + - ZYe + - nivMj26 + - OhZ6 + topologyKey: xIpuYH7 + weight: -1130732649 + - podAffinityTerm: + labelSelector: + matchLabels: + ApF: Gsyd94h39Q + H: r + mismatchLabelKeys: + - aWHz7q + - xuzLo + - 5ASY1R + namespaceSelector: + matchExpressions: + - key: Zg + operator: 篃b + values: + - vh + - Rgd3V6 + - key: PNqIEbD + operator: \Ų叢T'ɰď乁ʤ駧ɧ + matchLabels: + ugZKNnsp: bUttL + topologyKey: GRNlK86 + weight: 1964668305 + - podAffinityTerm: + labelSelector: + matchLabels: + t2lvLczlk: um + wjQbQIYB: zsr5i + matchLabelKeys: + - "" + - 7H2Kg1N + - NE + namespaceSelector: + matchExpressions: + - key: 2AEBOqKWel + operator: É$íĨ鯖 + values: + - "7" + - S6PWc + - key: c9NGgT2 + operator: Dǥž駗驕咜2 + values: + - WFDcdOBg + - 8akPt + - key: v5V + operator: 苯Dzŏ趘Ɏ蹰ƦȃDz俑I^ģ鄔ĥƁ鲎硹. + values: + - Ro + namespaces: + - rrn + - Gko + - D + topologyKey: 5GfcY + weight: 1374611901 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: 9BEvWF + operator: 箁梄òǣf舢ɉ N + - key: DoJZDVpdUKV + operator: '|痤"纇繁Ơ¹Rnl' + values: + - M1FUy7H + - PmETea + - key: fZB9p + operator: 艨ë寨t^ + values: + - 6SbUQEl9IF + - grOZ + - awRdbXsbbO + matchLabelKeys: + - QbnYiVnjIDt + mismatchLabelKeys: + - dzq3fg + - EHB2 + - E + namespaceSelector: + matchExpressions: + - key: C + operator: 泤煇JĀȅs滚硚ƾĐLJɚ<嗢 + values: + - qweN + - cmGvYLL9 + - key: ftTKd17 + operator: ïǸfǛD + values: + - 3Qp + - 97WXhHH + - QLVxS + - key: X + operator: x Ƙš + values: + - X7mWp + - 4YUDIL + matchLabels: + 2pOyqtJ: X5kt + DqZU: lA7g + yydzgHSxH: mX + namespaces: + - PnB + topologyKey: O2bIu + - labelSelector: + matchExpressions: + - key: lR5v3DP + operator: 8ȈDŽG弪żf[j盠zğ? + values: + - oX28u + - fcVl + - l + matchLabels: + D1CEy: o9m2rVKHK1i + q9TAhY: UxxABL + matchLabelKeys: + - gZSueHOl + mismatchLabelKeys: + - yKwrju + - OmHbxfoV + - p + namespaceSelector: + matchExpressions: + - key: y4jen13nM + operator: '}J;ƴȳ鹓ÿ莂ú' + values: + - 4Fe5y + - BrR + - key: O47QYt11Bl + operator: ıCƾ?9Ìx毧Ƿ + values: + - co + - A7y9 + matchLabels: + "8": 7mV4YD + namespaces: + - vi + topologyKey: sRbXgEn +annotations: + lZ: e +automountServiceAccountToken: true +autoscaling: + enabled: true + maxReplicas: 25 + minReplicas: 20 + targetCPUUtilizationPercentage: 460 + targetMemoryUtilizationPercentage: 169 +commonLabels: + q4ZdG9q: IJWaYu9mhun + sFTTcyl: qVyaa0ULC +configmap: + create: true +console: + roleBindings: + - {} + - {} + roles: + - {} +deployment: + create: false +enterprise: + licenseSecretRef: + key: qYIzRhBP + name: lkd8afL +extraEnv: +- name: 6aAK + value: C + valueFrom: + configMapKeyRef: + key: hSSIqC + name: QPNl + optional: true + fieldRef: + apiVersion: LhfAND6hW + fieldPath: g2J7 + resourceFieldRef: + containerName: BDRH4s + divisor: "0" + resource: "" + secretKeyRef: + key: LfIX + name: vI2UB + optional: true +- name: qUw9kXv + value: WEGTagf + valueFrom: + configMapKeyRef: + key: ejuXsJ1 + name: MYu4 + optional: false + fieldRef: + apiVersion: 9PzuPIkT3 + fieldPath: oa8Oe + resourceFieldRef: + containerName: IuMHr6gt9 + divisor: "0" + resource: dazyeM + secretKeyRef: + key: ludRIp + name: 1RhUa7B + optional: false +- name: UIdv4fEDhnwvUs + value: ZhJ + valueFrom: + configMapKeyRef: + key: 9CIrVsxQ + name: bYh + optional: false + fieldRef: + apiVersion: Fv + fieldPath: W3lmjz5mnuz + resourceFieldRef: + divisor: "0" + resource: 8sULBf + secretKeyRef: + key: mjbYsz + name: ZzZ4TUcp + optional: false +extraVolumeMounts: +- mountPath: TpG9eA0 + mountPropagation: "" + name: XFmsoqjlB + readOnly: true + subPath: rJznnSzpn + subPathExpr: kYhNPw7T1 +- mountPath: rhHVxSG + mountPropagation: Ħɔq + name: zucf + readOnly: true + subPath: rhOyK4f + subPathExpr: dxfS2ISRGUw +extraVolumes: +- name: Py +- name: Wq +- name: "N" +fullnameOverride: 59cQ0qKLI +image: + pullPolicy: 賅5尬Ƕktʈ漻`楾Ő抚@瞹%Ř忞崗Y + registry: gAh7r + repository: VvT9aH5 + tag: "" +imagePullSecrets: +- name: 2Ry3vDGf6 +- name: PE5R +- name: uWsoZ +ingress: + annotations: + Q: 3KXvHleq + YUY: BD + mdCRk: Ilk9wDjAw + className: GuB1VTCp + enabled: true + hosts: + - host: WsTbK7W + paths: + - path: MKCR56 + pathType: hEV + - path: "6" + pathType: pv + - path: rNv + pathType: L0CY1c8 + - host: OxFD + - host: Ojx + tls: + - hosts: + - C + - wxjmQWXDn + secretName: ESgom5IBQR +initContainers: + extraInitContainers: AN4 +livenessProbe: + exec: + command: + - 5m + - 1hj + failureThreshold: 1710421008 + grpc: + port: -1758154628 + service: "" + httpGet: + host: AbGz9Ql + path: 6HPb6FQP + port: 1834140801 + initialDelaySeconds: -1805305530 + periodSeconds: 580837556 + successThreshold: 1568498137 + terminationGracePeriodSeconds: 6055624087283515610 + timeoutSeconds: 1393862090 +nameOverride: xknw +nodeSelector: + "": O +podAnnotations: + IserdW: Y8zC + rKlqh6W: s9dR +podLabels: + 7yc3n: Cmh + bASmPL: XHGF + e1: s0B +podSecurityContext: + fsGroup: -6352604564338413284 + fsGroupChangePolicy: ¥ɬ屛ɀ裕量7ȅLJI/煿I庮\LÌ0 + runAsGroup: -629752081807497066 + runAsNonRoot: false + runAsUser: -7150506011583335552 + supplementalGroups: + - -2079681094590514497 + - 4310353567816636623 + sysctls: + - name: "" + value: 6bg1 + - name: v54yJPXG + value: BNnF0A + - name: DU + value: J +priorityClassName: mFg +readinessProbe: + exec: + command: + - 1A7AuNqZgrO + - 0Dv9uT + - mi + failureThreshold: -1374895470 + grpc: + port: -974870340 + service: rLr6 + httpGet: + host: ZjH9W0Mw2N7wDlEl + path: A1mi + port: VL + scheme: '''Z悁Ţ瘿ª簳Ʀx.ʞ鳃峚5ƫw牑諥ǁ' + initialDelaySeconds: -1507178072 + periodSeconds: 59289443 + successThreshold: 873349641 + terminationGracePeriodSeconds: 3372950661886875571 + timeoutSeconds: -77680726 +replicaCount: 424 +resources: {} +secret: + create: false + enterprise: + licenseSecretRef: + key: 8NBr7XfH + name: UG4to + kafka: + awsMskIamSecretKey: iq3sT9 + protobufGitBasicAuthPassword: TmKaYoY + saslPassword: 41jeqaQ + schemaRegistryPassword: lo1 + schemaRegistryTlsCa: 6ugJXi + schemaRegistryTlsCert: Dfxzy + schemaRegistryTlsKey: s6Wq0 + tlsCa: xiXLxgIB1uY + tlsCert: BoJ + tlsPassphrase: ERo + login: + github: + clientSecret: 6FsPPUCqFaQN9Z + personalAccessToken: mQjpC + google: + clientSecret: zEoO + groupsServiceAccount: sJYwU + jwtSecret: nN8l8K5 + oidc: + clientSecret: t + okta: + clientSecret: uW9S + directoryApiToken: UF7 + redpanda: + adminApi: + password: hkp2 + tlsCa: Hv + tlsCert: YIT6XYEg + tlsKey: gVxUg +secretMounts: +- defaultMode: 217 + name: 84iLClLVXmt + path: z5a16ev9 + secretName: DBNf +securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - Ò4^|wƙJ3ɀªʭ÷齹æc8ǺơG + drop: + - 罩Ɵ + - 凘~蹆縇W偓Ȓ鵇膓咰ɲ俹îS泑 + privileged: true + procMount: 'č #m繰:¿ċY3扙缗_MǮJw' + readOnlyRootFilesystem: true + runAsGroup: -3419647664540135091 + runAsNonRoot: true + runAsUser: -7389132079103631330 +service: + nodePort: 398 + port: 112 + targetPort: 375 + type: N9chrF +serviceAccount: + annotations: + 4Fkdkgg: xGzY0KvisI + WBAEgggZ: v + sCN: cru + automountServiceAccountToken: true + create: false + name: REj +strategy: + rollingUpdate: {} + type: rÂ秘鲊ơ煥ËI5ɠv蜺 +tests: + enabled: true +tolerations: +- effect: Ɍ + key: P5n9NT + operator: hKW塀Bʊ祆aTɋw + tolerationSeconds: 4112555560826291604 + value: WHYsAK +- effect: Ŵ夀D朩儿 + key: QW09kcw + operator: K嗂ɩ + tolerationSeconds: 1977367920031301876 + value: FxI4 +- effect: 虻~ƤɟŪm繒敏嗕?ʅ着é殮领 + key: nkzGJU9 + operator: M鏫ɮ噀屗pq)ɋɎN + tolerationSeconds: 1704904114127412585 + value: AgyEeU +-- case-032 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: {} + weight: 735732238 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: cFkyLM + operator: 岊B + - key: V3cKSq + operator: ǟ濈1ɑÎ"孲ȀŨFhŲ + values: + - hz + - matchExpressions: + - key: 8N + operator: 9´敤T + values: + - amWROpS + matchFields: + - key: 7hmWbsKS + operator: "" + values: + - lS + - slkOyX + - YlwPcdVh + - matchExpressions: + - key: n5YD + operator: Əüʢ軾ŚũɳnŒ + values: + - 5s4eD6x + - WMkZIzS40rxp + - zCnW + - key: JawyIOLo + operator: 巳c習Gnƛ{ɩ¯Ĭ枺lȜʩ泿趏ǙĊi + values: + - Fvzyw13fUZC + - 4w9T3GeG + - mVj9N + matchFields: + - key: 4amyTWvhx + operator: Ąŵ8雌%ɸ*W褒卒S + values: + - cPr0Nm2WFo1dBq + - a + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: XgsMMBS + operator: ȗ諹 + values: + - foI + - NN1yiUNR + matchLabels: + Qq: VB19aUlI + mismatchLabelKeys: + - hcD + namespaceSelector: + matchLabels: + vMT90cNq3PYf2z: upe + topologyKey: RSVn9W + weight: 603398420 + - podAffinityTerm: + labelSelector: {} + mismatchLabelKeys: + - 4IL0rEe9 + - yY0RMU2 + namespaceSelector: + matchExpressions: + - key: tIka9jS + operator: 7怘xə4ÏɦW + values: + - l + - ajs6c + - hkYj + - key: Qu + operator: ʊ鏀ɑ蒀刹gE + values: + - 2UvY + - hRB1wKXyHi9 + topologyKey: ZKWyn5kI + weight: -1674108352 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: KQfZ4 + operator: ġȁAu盝ȭƈŦ齬{z + values: + - itNS0T + - jL + - key: q0HemjU + operator: e銳ȇ葁õDÏ筃 + values: + - M5yeE + - gJJY + - HInHzXgX + - key: d1LKZ1 + operator: Q + matchLabels: + XElv: QGJ + nD: kNCk5qe + wUtw34v: sCjj5z + matchLabelKeys: + - ej9hOPjp7W + mismatchLabelKeys: + - lhU9gP + - T7rMlvu + namespaceSelector: {} + namespaces: + - ii3aa + topologyKey: 8U7 + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: CkQsu4fS + operator: 鄦&ɲȅ + values: + - RVnwZ + - EVk + - key: yt + operator: 傓N嬅宠H^÷ + values: + - 1L + - rVQPs + - dUHOKQ + - key: hQ1Tl + operator: ɣë筁尻!絜辩^riʨ莠8dƋ + values: + - 4D6Y + - 5TXh + - 8RH + matchLabels: + "9": jb2X + IdL: PQj0N + iB09Upiijt: JpN + matchLabelKeys: + - rKS9p8 + - sK8p + namespaceSelector: + matchExpressions: + - key: KQ6 + operator: '篛I6ÝBŘ F媍/:' + values: + - NXP47Fm + - Z0Qh2Y4 + - JeWX + - key: Yh + operator: '!j3W' + values: + - mTm5dkO58H + - "" + - key: 6q + operator: 景¨Sŝvo/ + values: + - TrgtrP + - zqIsId + matchLabels: + 7E3A1K: "7" + 63IlVL: aSxc + W1hP: 1H9k3O + namespaces: + - "" + - 2Ma + topologyKey: FFqt + - labelSelector: + matchLabels: + "": wklJJ + C8JZ: LP + U1pz: kAE1l4 + matchLabelKeys: + - shj5V + - oU074y + - Ufq2w + mismatchLabelKeys: + - oBzMiOSgd + - iSF + namespaceSelector: + matchExpressions: + - key: fCbLu + operator: 塊衅m鑀ȣ戢ŭ阻蹯ȟ獇ɨ + values: + - B6TgQ75 + - FAHTEOSesQ + - Ms2Kw7XQ + - key: 133fMqId + operator: "" + values: + - pJc0Zu8 + - T1PEuV0uism + matchLabels: + 1rfPa2b4Ny: cemR + Np9l: lcX + SjNYy4: VZX + namespaces: + - 7W + - umFBWrpUDHv + - "" + topologyKey: pPUIqPXo +annotations: + xpNWT: MpOZ +automountServiceAccountToken: true +autoscaling: + enabled: true + maxReplicas: 459 + minReplicas: 198 + targetCPUUtilizationPercentage: 497 + targetMemoryUtilizationPercentage: 146 +commonLabels: + B19ue: 8W + Kxm5R1: R + e3Cx: MIAO +configmap: + create: true +console: + roleBindings: + - K8wnWSD: null + bwYE7: null + y4j: null + - GvFfKdgL: null + enU8G4: null + wvnJcOn: null + - td7: null + roles: + - YQBucbbDX2R: null + - 2UuDKjR: null + IV0Yus9: null + ci20SljQkhw: null +deployment: + create: true +enterprise: + licenseSecretRef: + key: bujGpO7D0C + name: V +extraContainers: +- args: + - T + - Pvf1yAamEa + - jQE8UakuY + env: + - name: 3g + value: JexRP + valueFrom: + configMapKeyRef: + key: QZ + name: QcC + optional: true + fieldRef: + apiVersion: Iv + fieldPath: d7xQ + resourceFieldRef: + containerName: jLpJ + divisor: "0" + resource: m + secretKeyRef: + key: Quhh + name: HUhzPAEo85 + optional: true + - name: ehSBff + value: nHu + valueFrom: + configMapKeyRef: + key: v3Icanu + name: dNPJ8 + optional: false + fieldRef: + apiVersion: xO7UQDq0 + fieldPath: gAyGB6Nj4 + resourceFieldRef: + containerName: Bs2D + divisor: "0" + resource: xJCQsH + secretKeyRef: + key: 3T6tjIQWa0C + name: 8TvRbhP + optional: false + envFrom: + - configMapRef: + name: mf + optional: false + prefix: pZxp + secretRef: + name: v + optional: true + - configMapRef: + name: wosjc9 + optional: true + prefix: ehhmFeLY + secretRef: + name: Ll + optional: false + image: kZ8UUm + imagePullPolicy: Ɓ + lifecycle: + postStart: + exec: {} + httpGet: + host: K29SzZPo + path: y2bQL8 + port: Cr + scheme: 轂Ì蕏ʋ + sleep: + seconds: -3765902632580054640 + preStop: + exec: + command: + - 1pT5X + httpGet: + host: NouEQF + path: WITzSW + port: 1565482371 + scheme: ƒ塒廛鎐藽瀫 + sleep: + seconds: 1831382645860081979 + livenessProbe: + exec: {} + failureThreshold: -1525719681 + grpc: + port: 99688681 + service: xa0sl3k5KM + httpGet: + host: prjHPqf + path: RHwZIE + port: 2UZ7hXI + scheme: 瑀ċ廤ȵ + initialDelaySeconds: -1367665605 + periodSeconds: -1023789296 + successThreshold: 206844073 + terminationGracePeriodSeconds: -3901072071078889022 + timeoutSeconds: 1670691424 + name: t + ports: + - containerPort: 2046398071 + hostIP: pJg + hostPort: -1247541550 + name: DrYeHQ6 + protocol: ²ȑBŸ + readinessProbe: + exec: {} + failureThreshold: 852505381 + grpc: + port: 8093048 + service: "N" + httpGet: + host: uuaPC + path: Mpxk6p + port: -297149767 + scheme: 這伦礗鯪àe]雚腴k£ɂ闧ɦĚH鏰浳 + initialDelaySeconds: 296244720 + periodSeconds: 1237321103 + successThreshold: 722306410 + terminationGracePeriodSeconds: 7739978307238029730 + timeoutSeconds: -2129506856 + resizePolicy: + - resourceName: NBfNOBC + restartPolicy: ƞdWǝi鎠R殩杜Ś晚尒尧ǐ; + - resourceName: oDw8xEb + restartPolicy: ja侬ƕ + resources: + limits: + BJcVkW: "0" + Ub5Spt: "0" + nWi63TNlCyM: "0" + requests: + e5vcw0H: "0" + eKz0z: "0" + gK: "0" + restartPolicy: 嗈ǒɟNǭ臥穥Ť + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - $拷霒Ø耖} + - ijĸN藬?w粯痵餒薃辕5勅ů + - 幒Ƹʁòĺǂ浼GX + drop: + - 宖 + privileged: true + procMount: 凝 + readOnlyRootFilesystem: false + runAsGroup: -7000080292188880782 + runAsNonRoot: false + runAsUser: 9107304642056618949 + startupProbe: + exec: {} + failureThreshold: -208121509 + grpc: + port: 133215347 + service: pj4Kw + httpGet: + path: hGLW3 + port: -239286046 + scheme: YsÌǮŦʁ¡ē峪3 + initialDelaySeconds: -817672524 + periodSeconds: 1846655614 + successThreshold: -243958761 + terminationGracePeriodSeconds: 4190490525804645179 + timeoutSeconds: -973067987 + terminationMessagePath: 9vMe3Y + terminationMessagePolicy: 雍Wȯ嘷台厃$Țʍ13b霞两e + tty: true + volumeMounts: + - mountPath: yZbL + mountPropagation: 鲫絎Q(銞ÎÕX堙Ľ銃曅注t锋ɮj覧« + name: UFfAqsgd + subPath: wSo + subPathExpr: bIsBP3O + workingDir: DYBcINRq +- command: + - wgBryFN + image: NorbK + imagePullPolicy: 鉓Ĕʠ;兮)Frë + lifecycle: + postStart: + exec: {} + httpGet: + host: Z + path: 3v + port: W1vDkt + scheme: ŷ索gp=ŵāǼ餆嬦Ƹl媓R}豟ɠĖ. + sleep: + seconds: 1583583004300077159 + preStop: + exec: + command: + - XztEol6So + - GveA + - H4aUl + httpGet: + host: 75LDW + path: nu + port: I + scheme: 胛Uȁ¬ + sleep: + seconds: 4617693270470586770 + livenessProbe: + exec: {} + failureThreshold: 1423393786 + grpc: + port: 2097410769 + service: "" + httpGet: + host: W7 + path: PyPprD6 + port: dHwCyz + initialDelaySeconds: -1439644816 + periodSeconds: 182024489 + successThreshold: -1861505070 + terminationGracePeriodSeconds: -4166230023615503394 + timeoutSeconds: -704907360 + name: sFz5 + ports: + - containerPort: 1977465061 + hostIP: kxqRig + hostPort: 393211643 + name: DRO + protocol: ķǔȈ + readinessProbe: + exec: + command: + - mn + - 4TZCjrWPW18 + failureThreshold: 972699487 + grpc: + port: -1384519737 + service: IY5quWWV4JC + httpGet: + host: wq91i + path: Zy + port: -1192576969 + scheme: Á^_ + initialDelaySeconds: 2107832874 + periodSeconds: 1041520026 + successThreshold: -118135340 + terminationGracePeriodSeconds: -4946782594204672541 + timeoutSeconds: -1933961678 + resizePolicy: + - resourceName: MG7PMkMMObJJU + restartPolicy: §觫困Ȏ龝ƃȃɩ芴ÎĽ + resources: + requests: + I4: "0" + zLy: "0" + restartPolicy: 粛醑綇蝙Ɣò犁鶓A + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - 掀ǃA颺LnFąɏ動 + drop: + - 输6sĺ宯hĢ + - ĨƨO檔暰z + - Neɬ慿Ȁ0ɳ蠈ǚǦO¸Ğ崔ʂ¢剚 + privileged: false + procMount: 翄怉DžǬ?胉獄ǙƊɚx虉F + readOnlyRootFilesystem: false + runAsGroup: -1943526545280953812 + runAsNonRoot: true + runAsUser: -7089742793545456579 + startupProbe: + exec: + command: + - hDj + - ONyz91fkTFY9t3 + - ynDWkO + failureThreshold: -5561223 + grpc: + port: -1069825885 + service: oQmy + httpGet: + path: l4sWc + port: 53AhP + scheme: ȩ + initialDelaySeconds: -6165070 + periodSeconds: 1844899228 + successThreshold: 903779261 + terminationGracePeriodSeconds: -3909221818854749789 + timeoutSeconds: 746670574 + stdinOnce: true + terminationMessagePath: egr00cLki + terminationMessagePolicy: ɯ2鰌^坪yN蠏Ĵ + tty: true + volumeMounts: + - mountPath: YOyu1MjxN2 + mountPropagation: :鸛o鮓L`<]ơ1b忙n鲃{< + name: dODfVz + subPath: ZknFq + subPathExpr: oX1n + - mountPath: 4TEsoc + mountPropagation: 帺Õ斯剅ƫf鳌麓HƸŘÂ瘖?謾軌 + name: hau + subPath: w24Wq4e + subPathExpr: i2TEix + - mountPath: uuujj + mountPropagation: 氻ʃ2NFJ啼铗"O{À-ŧLJ弟 + name: klnXhhnxKk + subPath: SEx + subPathExpr: CK2FmmyYThL + workingDir: NCvZAa +extraEnvFrom: +- configMapRef: + name: nJXDn + optional: true + prefix: g3ZpAEUJC + secretRef: + name: 5Yin + optional: true +- configMapRef: + name: spYG9o0 + optional: false + prefix: Wv01 + secretRef: + name: BxDbe + optional: true +extraVolumes: +- name: 1zZI6J +- name: D +- name: OUqOnvjvba +fullnameOverride: llK4G +image: + pullPolicy: "" + registry: mU + repository: xY76Tj + tag: AgKh6S1 +ingress: + annotations: + Lhm: f24CRNEJvs + pk6fq: "2" + className: EXqR + enabled: true + tls: + - hosts: + - xEciJGskt + - pBxfBltrqACoat + - INyj + secretName: Qy + - hosts: + - F6sf + - EHuJ + - 95my0 + secretName: XOIr +initContainers: + extraInitContainers: nNSsTt6 +livenessProbe: + exec: + command: + - poXliUr + - PT + failureThreshold: 1396135036 + grpc: + port: -224883306 + service: 3pE97 + httpGet: + host: aUivZn75m + path: ELvTnGaV + port: uLGz4AgHb + scheme: ʟ#ĭ輑槳桓ȡȰ-o廕óʒÉ帇ʗ + initialDelaySeconds: 1526591550 + periodSeconds: -972224922 + successThreshold: -39437670 + terminationGracePeriodSeconds: 2216517890191965292 + timeoutSeconds: -1229662908 +nameOverride: wB +nodeSelector: + ih: xT3Dk3PXT + xhq: vu + zLR9: wFjrfu +podLabels: + So: waKMMvnY + VXPE0: 8ExVsj + ip1RGEzt4t6: "1" +podSecurityContext: + fsGroup: 7101468120327600630 + fsGroupChangePolicy: ȴ鳁ƨ殳h`熡ƍʊ0ŀ擳琗图.AƱX滋 + runAsGroup: 4262945102741076844 + runAsNonRoot: false + runAsUser: -9214274730002703336 + supplementalGroups: + - 4135587743067906306 + - -2908166639165702539 + sysctls: + - name: Yo9 + value: zak2 +priorityClassName: WeB9y8 +readinessProbe: + exec: {} + failureThreshold: 1061708880 + grpc: + port: 241985990 + service: 4id9HdK + httpGet: + host: PcSuBI + path: X5YjgFI2n + port: -1395013021 + scheme: Ȁ/ŚDŽR²庭$ê-d蟄Ä + initialDelaySeconds: 1618839364 + periodSeconds: -2098998213 + successThreshold: -846859522 + terminationGracePeriodSeconds: -4028618433241851907 + timeoutSeconds: 1824930679 +replicaCount: 371 +resources: {} +secret: + create: false + enterprise: + licenseSecretRef: + key: "" + name: be + kafka: + awsMskIamSecretKey: fs + protobufGitBasicAuthPassword: pUSXv + saslPassword: 1tdj + schemaRegistryPassword: iEgQQMH + schemaRegistryTlsCa: TlBV301 + schemaRegistryTlsCert: fRDnVgKC + schemaRegistryTlsKey: 0yblU + tlsCa: 4tIzJcND + tlsCert: NLnN + tlsPassphrase: iI + login: + github: + clientSecret: WHD + personalAccessToken: 9B7Wu + google: + clientSecret: UZnD3r + groupsServiceAccount: 9b + jwtSecret: cdvBine + oidc: + clientSecret: rQyq1alKY + okta: + clientSecret: ED1 + directoryApiToken: p + redpanda: + adminApi: + password: CWqwAXxFtl + tlsCa: gDQRbrAC8l + tlsCert: EDjU6 + tlsKey: Zm +securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - 退晦Ţ鲛 + - '}ʄ攏嫫;Mǐ豒ɇf,搅Ð貑ș|Óf' + privileged: false + procMount: D + readOnlyRootFilesystem: false + runAsGroup: 1564095685271138849 + runAsNonRoot: true + runAsUser: -3929576237300142573 +service: + nodePort: 312 + port: 418 + targetPort: 486 + type: aaIqePq +serviceAccount: + annotations: + QHMG: ur9Qr + ZQRGr8gxPSL: BzNE1Ja0avq + yKwL8DJSG: SRC + automountServiceAccountToken: false + create: false + name: zpH +strategy: + rollingUpdate: {} + type: ȁ进辫fu +tests: + enabled: true +-- case-033 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchFields: + - key: 1O + operator: 拺5ř(Ƅ餕ʟ{鐻Ƈ + weight: -2070567569 + - preference: + matchFields: + - key: JlGR + operator: 脱?ĶA蛜頒ǽGǷ藸 , + values: + - 8zZEVom + - TY + - FSSQQ + - key: w3C + operator: sɯeM^筘褑 + values: + - Q + - i48uKb + weight: -1969968900 + - preference: + matchExpressions: + - key: ZsgVr + operator: Eȗ + - key: RfMZL + operator: "" + - key: r + operator: džɬ毿鵮V町iAÉ橁zy题ʔu7ÆO9 + values: + - uj8h + matchFields: + - key: "" + operator: :止褮Ȃ宸 + values: + - 9h + - Do + weight: 1160212382 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: nmW + operator: '%U<Ȫk7家fƥ降]:' + values: + - e4hDXWb9G8Qi + - SynNDfUn + - C8kz + matchFields: + - key: QO0Q + operator: l!m0ʒbƹ豫ň + values: + - eh + - key: VE5mZtP + operator: ~x蹵#ÂvǗRɩ啭Ö澭肞¤7跜庛Ɍ + values: + - yT + - key: 1Cony + operator: 阃 + values: + - ahj6j + - matchExpressions: + - key: TvhlZutK + operator: 5叹ùz + values: + - rog + - key: qLPNTFw8 + operator: 藘鸘Œé溇ʄsoɷƱǺȾ蹾K混īl軇 + - key: F + operator: 則Yǹ郰饉貓伜ſ0|麊 az襽准 + matchFields: + - key: VcfFwmb + operator: WJMU狰槃žiǶq挿} + values: + - b7G + - "" + - wzxeij27DD + - key: "" + operator: 殀ǥ + values: + - "9" + - 0E3EkrfSX + - vzth + - key: omoz + operator: e´Ģ桇适TŽǤʈ + values: + - TVj0W7 + - 7HjUt2w + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: nN1614M7 + operator: '鰺/堅ý髉铊ɇƴ2友凇3 ' + values: + - D0tt + - sG9E + matchLabelKeys: + - l + mismatchLabelKeys: + - vqTKCL2D + namespaceSelector: + matchLabels: + LIgB: qqC9YL + namespaces: + - BLdVDzfY + - eq + - qB + topologyKey: qwces + weight: 899210618 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: hIz8wo + operator: ĥ\{ė + values: + - ZwYh1 + - 4l9U + - Q5Io + - key: sd3eCUDob + operator: 蒴ǚ<灁Q柷娸颂嘃üĸƢı + values: + - U0 + - "" + - WXJjoBRKrfEY + matchLabels: + QSrEl7t0: hxsiSGCubb + mismatchLabelKeys: + - PiUy + - VhBWFCyx6C + namespaceSelector: + matchLabels: + G: 07tU6 + ZCO1QQK: b + uq: HISLIo9ZC + topologyKey: 87eQuI + weight: 1750437304 + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: nK0RSDE + operator: R(陛m诜ȯơȴ豨躻 + matchLabels: + CE9: u8FukDT + U5N: "y" + matchLabelKeys: + - 5I6wiiY + - JDZsP + - zGyW + mismatchLabelKeys: + - 4WZHZ + namespaceSelector: + matchExpressions: + - key: N9E9 + operator: ȅ)礯占鷨ʫɩfǡnʎə掅Ux曶HŁ遐 + values: + - JdC + - 3NS25HFHxU + - key: "" + operator: ı獗& + - key: q + operator: 髢£Ȋ泽ZwVfc剻Ţ嬊j + topologyKey: "" + - labelSelector: + matchExpressions: + - key: Tof0 + operator: ĥM:ɑȏF叆綯炩藁û漄f + values: + - jTpj + - gYZ8IIq + - key: avL + operator: ɼƌ壟.敾¦ + matchLabels: + P1w: Nb9t3e + matchLabelKeys: + - TkIx94Dmu + - 8KVE + - UEJW + namespaceSelector: + matchExpressions: + - key: gQOOR5Pz + operator: Ȁ蛝畆粔辧殤,ǔžɨʜ + values: + - MiGt + topologyKey: nn1x + - labelSelector: + matchExpressions: + - key: C + operator: 瘎%瑧¹$兤 + values: + - p5TR + matchLabels: + c9PNRTZ: L + matchLabelKeys: + - 9xrNO + - saFgUzTD530EV + namespaceSelector: + matchExpressions: + - key: "" + operator: 琨j貙ŰĤ煾骣ƢƐ肾Q`ĥ?舶 + values: + - "7" + - T4pSI + - key: u0lbHcT + operator: čÉ壶霻*ǻ蠦Źê潡%!Ȱʁr.ň沀痊 + values: + - voUu0X + namespaces: + - tX + - uDgtoDt + topologyKey: "1" +automountServiceAccountToken: true +autoscaling: + enabled: false + maxReplicas: 264 + minReplicas: 267 + targetCPUUtilizationPercentage: 341 + targetMemoryUtilizationPercentage: 404 +commonLabels: + gZ85uw3T: e + qO: F4dqLo67vKYZ +configmap: + create: true +console: + roleBindings: + - 7x: null + Ia1K2tdRuYi: null + j6c9: null + roles: + - {} + - 6Vndf: null + f: null +deployment: + create: true +enterprise: + licenseSecretRef: + key: 9y6KmPZ + name: QM +extraContainers: +- args: + - 3OUsoZkVHy + - Gn3 + command: + - NLtY + env: + - name: 51Xcm68sAs + value: PUTq + valueFrom: + configMapKeyRef: + key: udLx6h9 + name: wSgnPbc + optional: false + fieldRef: + apiVersion: oVPbc + fieldPath: CGK + resourceFieldRef: + containerName: Ind7j + divisor: "0" + resource: 9tlZc + secretKeyRef: + key: z2i + name: aloI0W + optional: true + - name: nGb + value: I91 + valueFrom: + configMapKeyRef: + key: Ft8IZO4DX + name: 7PY9CO1 + optional: false + fieldRef: + apiVersion: DysSUO + fieldPath: M + resourceFieldRef: + containerName: i + divisor: "0" + resource: mbVAnrQ + secretKeyRef: + key: ZVD + name: 4gLX + optional: true + - name: SEd7KC2 + value: I0 + valueFrom: + configMapKeyRef: + key: 71k + name: B + optional: true + fieldRef: + apiVersion: vJE + fieldPath: nvSzEcQ + resourceFieldRef: + divisor: "0" + resource: fYaXGkFYlrz + secretKeyRef: + key: xDT4Uhi + name: a + optional: false + image: NLoqH + imagePullPolicy: U肵銨龋搁}ŗ=;ī篱ɺ頁掆薑 + lifecycle: + postStart: + exec: + command: + - NAmBp8Ijy9vgKS + httpGet: + path: GukCZ + port: umdXEe + scheme: ɭL莒ƠĦZ¢.0tȠȴF梩¯牏GȐ + sleep: + seconds: 2463489515348869616 + preStop: + exec: + command: + - RAP7lxh + - 0WRf37xLvaEE + httpGet: + host: Xi + port: 395093084 + scheme: '}Ä*諓懚泾ıɥ磀>ȃÓ愍瘞5' + sleep: + seconds: -2989387296528249021 + livenessProbe: + exec: + command: + - AondI + - CvX + - X9Dwm + failureThreshold: -1669443788 + grpc: + port: 1602861347 + service: 5dF71q + httpGet: + host: yOYLS + path: m99M + port: 1421693426 + scheme: cǶ嫙x勬´筮 + initialDelaySeconds: -348887387 + periodSeconds: -855526929 + successThreshold: -1868658835 + terminationGracePeriodSeconds: 7220662525875543964 + timeoutSeconds: -893266456 + name: 62y7 + ports: + - containerPort: 41082986 + hostIP: H + hostPort: -671022955 + name: Q + protocol: Ģ + - containerPort: -676585553 + hostIP: jdTqIIXMX + hostPort: 441858691 + name: bam + protocol: ã鯑 + readinessProbe: + exec: {} + failureThreshold: -1607827734 + grpc: + port: -732628448 + service: d + httpGet: + host: q2uSglvPX + path: 5YB9kNfy37 + port: -425352890 + scheme: ZʇįʔÌ玫Ʊ儝$緀ƥǣ鮀 + initialDelaySeconds: 1646541382 + periodSeconds: 597275764 + successThreshold: 1444783765 + terminationGracePeriodSeconds: -4224719974242331571 + timeoutSeconds: 1778484407 + resizePolicy: + - resourceName: YWwAdc + restartPolicy: 蓊ƽqs洊蛀Ƴ澠誉 + resources: + limits: + 9c5: "0" + DJI: "0" + uyw: "0" + requests: + 7livK1: "0" + PWZFD5fFpVA: "0" + restartPolicy: ǐ踊丸y苡汎0塛yM眗酊L攚dzyÚmG + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - țƒ摨1娣Q札遢ʌā4魯 + drop: + - W~ + - ȮnLv|麬O稕Ʉ幖0Ţ&揵¸ + - àPĪɉɯ鋹芨ȲƿƛĞx + privileged: false + procMount: ɉq$|ŀ蘨寱彣ɎȈORe]O掓I + readOnlyRootFilesystem: false + runAsGroup: -2438856757446632999 + runAsNonRoot: false + runAsUser: -8511671649189408390 + startupProbe: + exec: + command: + - "" + failureThreshold: 157629836 + grpc: + port: -20533111 + service: vASy4b + httpGet: + host: 94HpH + path: t70 + port: W59mpID + scheme: ħ6琏 + initialDelaySeconds: -146258274 + periodSeconds: 47385732 + successThreshold: -1646222325 + terminationGracePeriodSeconds: -5575789846018254584 + timeoutSeconds: -351943504 + terminationMessagePath: r0ZY2 + terminationMessagePolicy: 傂G嶃a橢抴=Ȃĺ庆ɏ鬹揖絴鹥ɣ¸Ȫs + tty: true + workingDir: XFFilzd +- command: + - VSuU6yfyc8y + - gLgP + env: + - name: PSOr4 + value: m2ujo1f4 + valueFrom: + configMapKeyRef: + key: B9Gc + name: BaR3c + optional: true + fieldRef: + apiVersion: OFu + fieldPath: Pydi + resourceFieldRef: + containerName: jPiF + divisor: "0" + resource: jyp8A7uPD + secretKeyRef: + key: fcGCM + name: Hs + optional: false + - name: Ax9HfRa4p + value: S3R2 + valueFrom: + configMapKeyRef: + key: ZDzzhFD + name: soDgOej + optional: false + fieldRef: + apiVersion: iSfQ + fieldPath: Plzxy53z + resourceFieldRef: + containerName: DfBt3S + divisor: "0" + resource: 757s44h + secretKeyRef: + key: bn2IGjj + name: x8E + optional: false + - name: r + value: PmO + valueFrom: + configMapKeyRef: + key: Htzib1 + name: gfbsiTcDY + optional: true + fieldRef: + apiVersion: Frhab7p2yh + fieldPath: K6XKg + resourceFieldRef: + containerName: CLX + divisor: "0" + resource: cq + secretKeyRef: + key: R + name: zPHkUHXQ + optional: false + image: bSZCow + lifecycle: + postStart: + exec: + command: + - "y" + httpGet: + host: 2cDO + path: L5m + port: yhJI + sleep: + seconds: 6222265361848815058 + preStop: + exec: + command: + - yVT + httpGet: + host: Ibt0C5XF + path: Kf7kW1 + port: Tlj66QW + scheme: 砰僮 + sleep: + seconds: 4926532563180301873 + livenessProbe: + exec: {} + failureThreshold: 982752870 + grpc: + port: -257993986 + service: XKTDj + httpGet: + host: 7vfaAybCd + path: GuTTi + port: 1952486193 + scheme: 馾耼qȩ罔磙ɮƥŴ²叇yēņȮ藺 + initialDelaySeconds: -817095459 + periodSeconds: 603211453 + successThreshold: -1693358568 + terminationGracePeriodSeconds: 3002071779676478929 + timeoutSeconds: 992801771 + name: 9QZX + ports: + - containerPort: -1838828544 + hostIP: cQQMftB + hostPort: -321659395 + name: XBD7a + protocol: '>V>ŝO随;YƁ' + - containerPort: -439290918 + hostIP: Bp0lf + hostPort: 431013681 + name: WQ5qc + protocol: 髄Ĝ估螗ȳ鎷ʫh + readinessProbe: + exec: + command: + - PjwAB3G + - k + failureThreshold: -2015478850 + grpc: + port: 156976837 + service: RSgDfH + httpGet: + host: Yi7aQ + path: 8Ql9 + port: 1150587533 + scheme: C箿i綔ȍȢ ŅŴ娒燸孆5乬瓤Ɛ + initialDelaySeconds: -486757233 + periodSeconds: -994300453 + successThreshold: 2128356439 + terminationGracePeriodSeconds: 4683705418302064343 + timeoutSeconds: 1635565784 + resizePolicy: + - resourceName: deutsepb + restartPolicy: õ崑o¾oɞø°ŮƑ欩Ʋ + - resourceName: WaO + restartPolicy: ±蜊ư蕭材y昍U + resources: + limits: + XiOokB: "0" + gxJ8zn4y: "0" + requests: + "": "0" + RFaH: "0" + restartPolicy: 7岻ðȸɉo熮燍ȉ=n + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 迠譚綞撪颫,ʖʃ佞诌Ŧ丞śɧ璯PʥT + privileged: false + procMount: 荞£DS + readOnlyRootFilesystem: true + runAsGroup: 6728166770219183734 + runAsNonRoot: true + runAsUser: 2918288689668335051 + startupProbe: + exec: + command: + - o + failureThreshold: -949081542 + grpc: + port: 220928812 + service: EIuHGNT4 + httpGet: + host: 21BmFcJ50ov + path: WC7WP + port: njQtxPF + scheme: 鲰ʌȱ卹烛橇淃ō雀)缅tb憅棔JǓ*ɒ + initialDelaySeconds: 1631334347 + periodSeconds: -785602818 + successThreshold: -1111896125 + terminationGracePeriodSeconds: -8014749222013301241 + timeoutSeconds: 795835881 + stdinOnce: true + terminationMessagePath: m08AZSt + terminationMessagePolicy: 盛P1砦ǚ瀱#Ʌ穇嘜\Ɍ + volumeDevices: + - devicePath: NdQPZme + name: uHcdGnKv + volumeMounts: + - mountPath: IX + mountPropagation: diȔiN6ļɃƐ釭卬O + name: fPg + subPath: iY + subPathExpr: U + - mountPath: E + mountPropagation: 1ĵ氓ŝ瘛o扬=[蟗 + name: xt + readOnly: true + subPath: 2KRhR + subPathExpr: Vm0HMwn + workingDir: jusEo +- args: + - Ejt + - DYgNM8X + env: + - name: HkwQ + value: fpHbv + valueFrom: + configMapKeyRef: + key: 3e + name: Q + optional: true + fieldRef: + apiVersion: lh + fieldPath: "" + resourceFieldRef: + containerName: E1uEhn3 + divisor: "0" + resource: 0Pa + secretKeyRef: + key: co85cv7H + name: KL1I3G + optional: false + - name: 5MQMJhqUni + value: 34PEKwUkR + valueFrom: + configMapKeyRef: + key: ABhM + name: qq5b + optional: false + fieldRef: + apiVersion: vCLN + fieldPath: tge3Z + resourceFieldRef: + containerName: ST + divisor: "0" + resource: qFS8 + secretKeyRef: + key: Am + name: BLI353a5GI + optional: false + envFrom: + - configMapRef: + name: KBum1 + optional: false + prefix: 56g + secretRef: + name: zt5 + optional: true + image: XgUFG + imagePullPolicy: 锄ģnj[眈例ƚ淍ƁĐ~ + lifecycle: + postStart: + exec: {} + httpGet: + host: Yp7F87b + path: "y" + port: OtElY + scheme: ǐʮŕ + sleep: + seconds: 640752187186511134 + preStop: + exec: + command: + - 4GYkI2pQ + - QB + httpGet: + host: DFjlmWGAFM + path: qLfFaRePdtA + port: GTUH4 + scheme: 罛&ĥ顱Ƌ + sleep: + seconds: -1289822532228205848 + livenessProbe: + exec: + command: + - youyR + - J + - IiK3AJ + failureThreshold: 527043957 + grpc: + port: -1790391516 + service: wFKNeu + httpGet: + host: TjItsuCL + path: Lo07CoiEpmJ + port: 1449812891 + scheme: 聗œdz_x忔8 + initialDelaySeconds: -923296146 + periodSeconds: -920279093 + successThreshold: 1372003156 + terminationGracePeriodSeconds: 4545671926845562588 + timeoutSeconds: -1730135112 + name: ouxZOTiA7 + ports: + - containerPort: 365499724 + hostIP: c3z3 + hostPort: -1622732613 + name: jfpQ + protocol: 鬍匤<ɔɟǜ鼴`ʃ荞ɗ线亮Ô¼ + - containerPort: 387750436 + hostIP: 7OF + hostPort: -922470687 + name: 20ZoNWnefc + - containerPort: -1003650010 + hostIP: yK31 + hostPort: -479225666 + name: 1Up + protocol: 郣-齡^c艃7ɑU牌驀墭:煞 + readinessProbe: + exec: {} + failureThreshold: -189409295 + grpc: + port: -880806937 + service: N1zEO + httpGet: + host: vN9 + path: n8TKqPF + port: -995680865 + initialDelaySeconds: -2090855365 + periodSeconds: 1849358636 + successThreshold: 811072097 + terminationGracePeriodSeconds: -5833095732594202880 + timeoutSeconds: -65186305 + resizePolicy: + - resourceName: 9rUpDkTFnW + restartPolicy: KSʮ1ĩ`乀_Ɠ颩紵 慒¨ƶ挢¸s诡 + resources: + limits: + MYEa: "0" + ngW: "0" + requests: + 174vfq: "0" + restartPolicy: 軵ƿǽ嚢遳E + securityContext: + allowPrivilegeEscalation: true + capabilities: {} + privileged: true + procMount: Ő\烔Z座畄睸zɩCɎx簫S悍a + readOnlyRootFilesystem: false + runAsGroup: -6410700953715650696 + runAsNonRoot: true + runAsUser: -8187102783441071897 + startupProbe: + exec: {} + failureThreshold: 1640672315 + grpc: + port: -799307372 + service: w9KE22PLk + httpGet: + host: e6Zo4rWs + path: tscGwI + port: 2071839677 + scheme: '&ǂȞ<辳)9撆ʚ6&U}P%捸`y' + initialDelaySeconds: 652003075 + periodSeconds: 1077051101 + successThreshold: 1528128815 + terminationGracePeriodSeconds: -2176015428967645191 + timeoutSeconds: -998563216 + stdinOnce: true + terminationMessagePath: P + terminationMessagePolicy: 8痃v7ȱ噣愜Å%Ġ3 + volumeDevices: + - devicePath: k8uvc + name: GL + - devicePath: 31O9l + name: ivY + workingDir: PtgSFsc1GvC +extraEnv: +- name: RTz9f + value: kK5WtZCFpsl + valueFrom: + configMapKeyRef: + key: CB1UV + name: 0pF + optional: false + fieldRef: + apiVersion: xO4s + fieldPath: n2G + resourceFieldRef: + containerName: GmnwMQ + divisor: "0" + resource: yX30Dke4u + secretKeyRef: + key: vPbHh + name: oBAn1EoZmPzN + optional: true +extraEnvFrom: +- configMapRef: + name: lo + optional: false + prefix: mSdySXyKqEkl + secretRef: + name: t4daT3 + optional: true +- configMapRef: + name: IFTvBGq + optional: false + prefix: qKk6o + secretRef: + name: "4" + optional: true +extraVolumeMounts: +- mountPath: gRGvu + mountPropagation: Ŋ4ǔ盍薟惮睌ȿ濍ȯȀüƳ$ + name: oJv65V + readOnly: true + subPath: P20XHtoR + subPathExpr: SzD +- mountPath: xhuwGvn + mountPropagation: 搛悈nj鰣*颵俠Ʀ慫灗岵ȆǴ騔Ė栢č)q + name: ebDa1q2nKt + readOnly: true + subPath: "6" + subPathExpr: N0xOT +- mountPath: xHTM + mountPropagation: 0關ɮUeŪ + name: P8noEsWy3t + subPath: y5E + subPathExpr: oP2A6C +extraVolumes: +- name: MqQb15NA +fullnameOverride: foGC +image: + pullPolicy: 躂Qʢ瞶CǁȮ + registry: JWsGq + repository: JAUpWzFL + tag: 3WF1aV +imagePullSecrets: +- name: s1B +- name: R54rm +ingress: + annotations: + "71": 1aSj + B3N4dn: hsJR8Fl + S9: x8u + className: xm + enabled: false + tls: + - hosts: + - 6PBjnokDE5 + - df + - SMIi + secretName: VVeSdJP + - hosts: + - kY + - VSdS4nZ + secretName: rR5tuP +initContainers: + extraInitContainers: DZkf1 +livenessProbe: + exec: + command: + - b5k + - "8" + - 74zV7hI + failureThreshold: 604102540 + grpc: + port: 1351493068 + service: a + httpGet: + host: pbTe + path: l3E3mpnq + port: nBQsx + scheme: . + initialDelaySeconds: 93396392 + periodSeconds: 1323534907 + successThreshold: 2044410955 + terminationGracePeriodSeconds: -5171571423145940595 + timeoutSeconds: -725304614 +nameOverride: bCPeYVWao +nodeSelector: + TDma3: eGasO + cs6G: CyEFp0L + r: xdylcKb +podLabels: + 1bb6: "" + 3U: mfPv + T: Q +podSecurityContext: + fsGroup: -4412504815274791692 + fsGroupChangePolicy: Ȯƭhjb糯妔ȂǑʜ胴}轣 + runAsGroup: 3860793197532219812 + runAsNonRoot: true + runAsUser: -1963293898483195295 + supplementalGroups: + - 2429921255984048344 + - -2773566751575632894 + - 5629450590441918989 + sysctls: + - name: h + value: zKVw + - name: D5ekUqS2 + value: 5FxU + - name: dgHyyau + value: o +priorityClassName: uHKqx +readinessProbe: + exec: {} + failureThreshold: -1216486926 + grpc: + port: -173591622 + service: CPUt + httpGet: + host: hry + path: KRRaps9O + port: W + scheme: ƈ;黷ç駵P!瘠瘀/ǹ + initialDelaySeconds: -1636119248 + periodSeconds: -1587206371 + successThreshold: 1085720843 + terminationGracePeriodSeconds: 788084162692446331 + timeoutSeconds: 1603673472 +replicaCount: 390 +resources: + limits: + HS: "0" + sspp8OAsyF: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: enS + name: "" + kafka: + awsMskIamSecretKey: 6Rpozk + protobufGitBasicAuthPassword: b9bAHSr + saslPassword: xFMbXwVAO + schemaRegistryPassword: wMc7l + schemaRegistryTlsCa: Iqy + schemaRegistryTlsCert: B2Y5 + schemaRegistryTlsKey: ooeFo3mZ4 + tlsCa: YCVA9R6f + tlsCert: b5AAaCcgXX + tlsPassphrase: HVdFrCml + login: + github: + clientSecret: JWVOWiL + personalAccessToken: B6DA + google: + clientSecret: lk1l + groupsServiceAccount: KFTHdrXBq + jwtSecret: IfZ3S + oidc: + clientSecret: 33jad4PG + okta: + clientSecret: pEYKMXqE + directoryApiToken: S5N6 + redpanda: + adminApi: + password: cNTmA + tlsCa: Ymp + tlsCert: 5Xquj + tlsKey: f2AsWMK +secretMounts: +- defaultMode: 64 + name: v1bEam0d + path: WfYQ + secretName: FOCtz7x +- defaultMode: 494 + name: 2keqwtlu + path: hpZaUwi + secretName: 1dug +- defaultMode: 354 + name: RAI0g6yvn + path: bCeiaipj + secretName: "2" +securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - ɇǎȬ+丰DZ}薞ɎƐ + privileged: false + procMount: Ȧ杖煃a/ɓ<3ő+笽pȗdzSj + readOnlyRootFilesystem: true + runAsGroup: 8336843233603802952 + runAsNonRoot: true + runAsUser: 956863148985923497 +service: + annotations: + lrtdFF: 60R7 + nodePort: 446 + port: 229 + targetPort: 59 + type: 2K35 +serviceAccount: + annotations: + M: 37JLL + TSllzWgI: ZA + gOSHO: 00aEHRLh + automountServiceAccountToken: false + create: false + name: S9Bk +strategy: + rollingUpdate: {} + type: 呇弰$腕煴贔棳軀+œʃǀŖ* +tests: + enabled: false +tolerations: +- effect: 酼駘宁ì<^ʉ逐GM¼韹宅劑圦ȢN鵸; + key: LjdOPUZjJ + operator: 窃銥ɺ嘭t緯ȇw,[t捻S麨vɂ閰 + tolerationSeconds: 1714321621775966634 + value: Uvm9nY3 +topologySpreadConstraints: +- labelSelector: + matchExpressions: + - key: AUro1 + operator: 聘 + values: + - x5E03owNK1 + - 61u06hoBRErcl + matchLabels: + HMA: 7iZSaiF + jCP15v: ksLC1iD + matchLabelKeys: + - cp + - CZpJKgP + maxSkew: 644443933 + minDomains: 1722624609 + nodeAffinityPolicy: ú(ʆɴȾ狍lfĒHȉ嫔7ix壿 + nodeTaintsPolicy: 遡lşř门Ǣl + topologyKey: qP + whenUnsatisfiable: "" +- labelSelector: + matchExpressions: + - key: i8xDfgO + operator: ʖĝ#烕ɋřĊI + values: + - bOA4n + - ByUsK + - key: 6fCdAFtmFF + operator: 靕ƭ錒Ĕ + values: + - JIMC2Pc + - a7wA08 + - key: xMn + operator: "" + values: + - gSa5XT + - 50IS6 + - "8" + matchLabels: + DoGCwvltR: vVXQcZcxdz + JLmhsQlh: L3AY0Pv + X9: U + maxSkew: -2038040013 + minDomains: -1884001920 + nodeAffinityPolicy: 嵋磋ɹ:ɢ慚TA烁.X幰 + nodeTaintsPolicy: 奒)ʅm=矕郔o鬻鴊ȵɯt债CŔ儤 + topologyKey: qkx4gKx7 + whenUnsatisfiable: 匊aO卞肝喚覕Ȭnr說ɉƢ/Æȧ婡賛 +-- case-034 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: {} + weight: -982889256 + - preference: + matchFields: + - key: XhG + operator: 萎Nc汏帞 + values: + - CY + - key: SQm3as + operator: :g憓痳ʑ^荔ĚE慮ǫ鶉 + values: + - gKNU + - "4" + weight: -2081315042 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchFields: + - key: "" + operator: '[棉' + - matchExpressions: + - key: YgpJq + operator: ës曬¡岹V瀈ȭ岅mK + - key: HKYARp + operator: '完RQ\u穩[憄籎禨 ' + values: + - 2wfWZQ9 + - key: M0 + operator: 酺縿Ȼ慭苾Ʉ6Ʀ + values: + - xr7e9 + matchFields: + - key: O + operator: 笿眷ē睡党ǎf鴋Ɗ給 + values: + - HjtABxYy + - key: TD8D + operator: Ȃ顈筻ůȳM!剢nZÁx.}鯡L颗eĵ + values: + - xDTUGq1 + - 9xI + - key: 2B + operator: ']ţ峝輴{ȳ鬻ŶøU)ŢŤ' + values: + - 8hQz + - BtJ6XJwj8 + - bB1HqX + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: QrP50c0 + operator: 2蕦!#ɺĠȿLy2ǽǃƝFʡ + - key: sh4AX + operator: '"ă粸Ǘ筽齣zƪƭŰ''鴚ǝʠƲy>A' + - key: AyAj1WrXn2nZbf + operator: 郥m,攃 + values: + - xuX0t + mismatchLabelKeys: + - 94CSmERwUUu + - "" + - 3lJqWyss + namespaceSelector: + matchLabels: + XPKK9buQTkk: hK + c6yMPKCuDUW: NaXtSSb31Vtc + topologyKey: 4IWq1 + weight: 1215591736 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: bKgv7w5BLU9 + operator: 佱$Ɛɯȳǚ½ȴk + values: + - Rc6Akw + matchLabelKeys: + - nj2vCk + - GT7VEmkOiP + - D81b9yrN + mismatchLabelKeys: + - xrrln + - "" + namespaceSelector: + matchExpressions: + - key: Okpa0 + operator: ȳɃ互B¸砂霿枹蔪 + - key: bG + operator: "" + values: + - 9Az3OOsKzxT + - qufp1g + - hPp0e + namespaces: + - ia + - wpgLWCg + topologyKey: t9 + weight: 1536631188 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: xCMZF2V + operator: p仯F寃Rm慽財Ū-宩>ɗ呈3嚱Y + values: + - 2IrEZ + - ox + - S1NOR4go + - key: M + operator: ƙ岉 ʛZ3 + values: + - 61kg + - gCY32n2G + - key: z7jqw + operator: '´鋁k透 ' + values: + - 3bI7Mo + - V15M6 + - Elw2un19FO + matchLabels: + "1": jTzLL + E3HVo8p: 8mRx + tHPA: X + mismatchLabelKeys: + - sA + - eKQcaD + - 67tHuF + namespaceSelector: + matchExpressions: + - key: CrZYZ + operator: FWɺŮ + - key: K7SRYb + operator: .ØƣƎ 對猣#倳s7Ǵ栔Ħn4 + - key: k2Bz + operator: "" + matchLabels: + r6: SsE6YhO00w + namespaces: + - bECP + - nZT + topologyKey: ATU + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: T8nB5f + operator: 虁Iɂ飇ě + values: + - bTYBHU + - PWWBtWcP + - key: BJo + operator: 焜Eâ簋@ʘ芮暸UĖ + values: + - DI + - dh9e + - 0hiMkvD + matchLabels: + 7TSrj3: t4aVDF0 + P8L: liB + TkxKc: 4k + matchLabelKeys: + - C + - Uxzu6ju3L0 + mismatchLabelKeys: + - 7JBQmr5 + - K2WwmaMb + - ZGo5q7x + namespaceSelector: + matchExpressions: + - key: "603" + operator: 溝ʫ"zNĂ + values: + - 217W38 + - DjaFqo + - 34Dd6xS + matchLabels: + Le1shqQ: q6Ra + jocxC9: 1wwizZ9OUc3 + t9v: p7 + namespaces: + - tNw7r0z + topologyKey: WB + weight: -695352638 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: Et + operator: "N" + values: + - iXi + - AZpWUZE + - bB + - key: 6e8xewD + operator: 拒D挼霘%Ǧ珕 + values: + - cLLOT + - LzhXzKVG + matchLabelKeys: + - v1hg0Fb0 + mismatchLabelKeys: + - i + - vh3C0ZF + - i694fjp + namespaceSelector: + matchExpressions: + - key: Rt + operator: 4%{ź*妻=舉佸EǩɛW杚察ű + values: + - gx + - x + - M0 + - key: S1J9kEl0 + operator: 湻膴L鮠#桽 + values: + - Lpx + - key: QzUh3 + operator: 閛V;Ĝ棱碗闃{竀%狮闀ʩE腡¹#C + values: + - qh0l + - Jgu1EIM + matchLabels: + tZ: y7 + u7: jkFA4i + namespaces: + - httsx + topologyKey: wNV2 + weight: -441999969 +annotations: + "": kBVzs + JKJQy: g8k + Zcnpm: TWUNV +automountServiceAccountToken: false +autoscaling: + enabled: false + maxReplicas: 23 + minReplicas: 122 + targetCPUUtilizationPercentage: 266 + targetMemoryUtilizationPercentage: 92 +commonLabels: + 0fz: qRhpB + blGSa: Hnim0SflkfpF +configmap: + create: true +console: + roleBindings: + - zktoFv: null + - BnTf: null + N30: null + O: null + - "5": null + up6oELWDxO: null + roles: + - 3vFSt6CV6h: null + - zwoEunAfS: null + - "": null + Kz: null +deployment: + create: false +enterprise: + licenseSecretRef: + key: wTtzVK + name: f +extraContainers: +- command: + - fbGgvGkx + - edBIWrM + env: + - name: 8jJnT7Zj + value: Mq + valueFrom: + configMapKeyRef: + key: JC + name: sVkSiknR2xCa3 + optional: true + fieldRef: + apiVersion: wANryBKXLB + fieldPath: NyZCECkxJ + resourceFieldRef: + containerName: OZ8 + divisor: "0" + resource: cmCxr + secretKeyRef: + key: DwO8j5 + name: B + optional: false + - name: EHh + value: QCji0tC6i + valueFrom: + configMapKeyRef: + key: WAw2dVgj1 + name: Ay + optional: false + fieldRef: + apiVersion: Qi + fieldPath: gpyTLtuoWjh2y + resourceFieldRef: + containerName: lU + divisor: "0" + resource: eblZRy9ULY2IzA + secretKeyRef: + key: mv + name: j + optional: false + - name: aUVmiB + value: kpqOP + valueFrom: + configMapKeyRef: + key: s + name: bQ6 + optional: false + fieldRef: + apiVersion: SdqbUuwjM + fieldPath: 2l + resourceFieldRef: + containerName: tw3t5LDN + divisor: "0" + resource: rwu + secretKeyRef: + key: 4BhlrEVh0 + optional: true + envFrom: + - configMapRef: + name: Hjuj9nlmmK + optional: false + prefix: 1f + secretRef: + name: ZAvqr + optional: true + - configMapRef: + name: xM7XvJNDv + optional: true + prefix: a3u3 + secretRef: + name: cvRqlow + optional: true + - configMapRef: + name: bRyp + optional: false + prefix: 5mEO + secretRef: + name: axWGwhmN + optional: false + image: EszTqv + imagePullPolicy: 輧脙ĭr恐荌ǩ\ȓȫ訷鿍湲瑁u楊禅ɤ& + lifecycle: + postStart: + exec: + command: + - WMJ1Vj + - bt + - UpuoW2L + httpGet: + host: ZQUCS + path: XvmuYh + port: p + scheme: 瘿ā|^k*雗 + sleep: + seconds: -4794985278116558932 + preStop: + exec: + command: + - fNY + - Rk + httpGet: + path: vcHj + port: 94X + scheme: ʕ煤}f + sleep: + seconds: -572101244460663065 + livenessProbe: + exec: + command: + - HoQxW7Nhx + - 1vL7TCk + failureThreshold: 1202856974 + grpc: + port: -177653984 + service: dd + httpGet: + host: cFj8k7 + path: l91YUo + port: -205856494 + scheme: '''朔6嚍¹*¢ɰȯK' + initialDelaySeconds: -1838390355 + periodSeconds: -2089935919 + successThreshold: 745930955 + terminationGracePeriodSeconds: 651854435833106407 + timeoutSeconds: -451727064 + name: LUkN + ports: + - containerPort: 52213129 + hostIP: pBen4iN + hostPort: -1605812710 + name: embL6 + protocol: 隠:ʀǙƴ茝鞝剟蚓遆積ǯ槦黽虼m + - containerPort: -1355336717 + hostIP: Vq9h1OAN6 + hostPort: 1469157628 + name: DgLmxr8 + protocol: ơ阆Ƃ + readinessProbe: + exec: {} + failureThreshold: 1404262379 + grpc: + port: 617847874 + service: wZ + httpGet: + host: 7f + path: 4gU9kDN5 + port: MXWfnK + scheme: 鬮ŵVƉ + initialDelaySeconds: -498539377 + periodSeconds: 1569378042 + successThreshold: 1909376148 + terminationGracePeriodSeconds: -3310812073755566654 + timeoutSeconds: 957960925 + resources: + limits: + 5k: "0" + wIlp6Km9XNo: "0" + requests: + RaT: "0" + restartPolicy: 车WđƜ嚓Ŭ罀ǑȪ + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - w}ɼ簖#s>腭hWɘnj嗠/ʜ墭呣lj + - dT劍Il捝s+;暷ƻņʖ馺ª贐 + drop: + - '*¢炐96ʑ叛z¢á5ɏeEɢ@Ƨ' + - ƭ樯Ɉ>ƈ@Ɨ + - ńɜʢnij咓ƹ灀}¿\ + privileged: false + procMount: 堲渢)#珯犠ƙYĮ鷝Ƈ蚈_ + readOnlyRootFilesystem: true + runAsGroup: 5272751894835649479 + runAsNonRoot: true + runAsUser: -777021971579066284 + startupProbe: + exec: {} + failureThreshold: 48102716 + grpc: + port: -1093646129 + service: bIKooEs + httpGet: + host: Mv + path: fstI2uQ + port: Qd + scheme: dzLBʖ飐吃ê傧靲dz + initialDelaySeconds: -187921670 + periodSeconds: -217914776 + successThreshold: -664446049 + terminationGracePeriodSeconds: 8083333456613274947 + timeoutSeconds: 399455066 + terminationMessagePath: jqUx + tty: true + volumeDevices: + - devicePath: LLB2W + name: kDDD + - devicePath: 9DhP1 + name: aW0PgFJODCAEF + volumeMounts: + - mountPath: "4" + mountPropagation: ;bŊcN啲;蜩½ǒ朒Q"EƙȌ{甐岊 + name: c + subPath: c + subPathExpr: cXqUzbd + - mountPath: NY + mountPropagation: ʋS溸呖Ä翫ɧȐ{豒lÔș:ľ玠3íw + name: 7nseZUY + readOnly: true + subPath: itHF + subPathExpr: eHexIOW + workingDir: BZZ6 +- args: + - 5cCg + - E7 + - iFP6rZ + env: + - name: qEiC5K + value: HE + valueFrom: + configMapKeyRef: + key: Q4ff + name: c6s + optional: false + fieldRef: + apiVersion: jBI6X + fieldPath: zpTUfYD + resourceFieldRef: + containerName: mzmkl8 + divisor: "0" + resource: 81k8LI + secretKeyRef: + key: "" + name: N9yqj + optional: false + envFrom: + - configMapRef: + optional: false + prefix: WYG + secretRef: + name: DFBRLWb + optional: false + image: Z + imagePullPolicy: ǂAM鳘墊šéDz!迒A + lifecycle: + postStart: + exec: + command: + - r + - RbH + httpGet: + host: FG + path: gzf4kd + port: 813947014 + scheme: '&X垮Ą:S褦慺ʛ竆閃_m鑙òó' + sleep: + seconds: -1141547218815402249 + preStop: + exec: {} + httpGet: + host: ZA8qVd + path: 9ooQ + port: -271801527 + scheme: 鏡稂;ňȓRH愦Ƚ + sleep: + seconds: -8502483422139801966 + livenessProbe: + exec: + command: + - I4WNnF + failureThreshold: -637772395 + grpc: + port: -1513640963 + service: CpWh0e + httpGet: + host: JrZk + path: YCnQ4z + port: 13mIiI + scheme: 鏘 + initialDelaySeconds: -200843985 + periodSeconds: -502259067 + successThreshold: 1719668769 + terminationGracePeriodSeconds: 6044193620909725026 + timeoutSeconds: -388757192 + name: Vem + readinessProbe: + exec: {} + failureThreshold: 1932036046 + grpc: + port: 940655155 + service: h5HN + httpGet: + host: H + path: G1p4WFvGD + port: iMuM + scheme: ŗ颁njNą筵 + initialDelaySeconds: 271733079 + periodSeconds: 1483111043 + successThreshold: -1186732202 + terminationGracePeriodSeconds: 8539189418162863572 + timeoutSeconds: 1565787262 + resources: + limits: + AfrFB6Ne: "0" + UFzEjwa: "0" + regGR: "0" + requests: + 30st: "0" + restartPolicy: Ǫ豥ɗ槻T+Ĕʓȣ+卮Ȱ + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - 1蒟顨ƽėȰ + values: + - TGv + - VVtqHApm + - 7Mub + matchLabels: + PI: elzxW + Wd1Q: MYEPScu1su + i: uENdc + topologyKey: QlwUBoDWM +automountServiceAccountToken: true +autoscaling: + enabled: false + maxReplicas: 367 + minReplicas: 105 + targetCPUUtilizationPercentage: 126 + targetMemoryUtilizationPercentage: 500 +commonLabels: + 5NU: UG7t + 6NmZI: QxuTdplvdDdc + BYcISWrd5: YZbXA +configmap: + create: true +console: + roles: + - CSJ: null + - 0hM2tbS5: null + ZhG3M: null +deployment: + create: true +enterprise: + licenseSecretRef: + key: xLO4B2BCZUJ + name: BQR2Y +extraContainers: +- command: + - DlBCuc8xa + - X2hi8Mp + image: 00GQ5 + imagePullPolicy: 賎ʂG}Ƌ煚6ūaĠ腻f + lifecycle: + postStart: + exec: + command: + - mVlE + - cFmlozRTJ + - "" + httpGet: + host: RIzcOYFo + path: eZge9wzJjW + port: ugY08 + scheme: 讣Ɨƶ"ɇǘƓƮ + sleep: + seconds: -5362042555365295319 + preStop: + exec: + command: + - "" + httpGet: + host: hLxRfJhv + path: JA8kOIY + port: tpH1 + scheme: '''k:嘡葊佒ďȏǓɡ毫/视倴ĩ}Ɓ u' + sleep: + seconds: -915316715834475044 + livenessProbe: + exec: {} + failureThreshold: 1628387875 + grpc: + port: -119747124 + service: 3cnWKI + httpGet: + host: 6Wzb9 + path: Af + port: RAzYX + scheme: 嘾Q經f + initialDelaySeconds: 4951530 + periodSeconds: 1309655668 + successThreshold: 918641827 + terminationGracePeriodSeconds: -3073080783253286451 + timeoutSeconds: -1896420637 + name: yML27O + ports: + - containerPort: 509868797 + hostIP: XMFIjyy7MNejY + hostPort: 2083818454 + name: gd + protocol: 槏 R¨ƽT³簑ƤA$<猿.0d + - containerPort: -164866787 + hostIP: eh + hostPort: 1842390272 + name: H7 + protocol: y擫`/洄]ʢÓ7Ā紐ǟ塋 + readinessProbe: + exec: + command: + - 5MrELPMn + - 23x1a + failureThreshold: 1394382122 + grpc: + port: -96138878 + service: DBq + httpGet: + host: 60SrHkgc + path: OwZeja1P + port: 721461548 + scheme: ' `$ħ' + initialDelaySeconds: -2125734502 + periodSeconds: 66441733 + successThreshold: 130216629 + terminationGracePeriodSeconds: -7113768241875088710 + timeoutSeconds: -977567736 + resizePolicy: + - resourceName: 8VNf4C + restartPolicy: Ě} + resources: + limits: + 2TX: "0" + Yd3: "0" + avcFFX: "0" + restartPolicy: Ę<彪6 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - ūW銹fn|óOB¶őǝ:ɛ暙- 嫴 + - 韣噺Ȑ主鋥Ɣ睩熾@Ĥvƈ + - 気ʎɭ愢勈īɔ垆ŀ槌,q儇p顼ǯ歳 + drop: + - EģIJ>筡|n譌ɶd2鍇$X/ȴ偎穾7 + - "赻探ǞiN胂a + name: 79CeZyd + subPath: xMQ + subPathExpr: NvU + - mountPath: smgfnmvP + mountPropagation: ʈ + name: CuKUC + subPath: hZ8KJ3 + subPathExpr: CK4WsX + - mountPath: zm + mountPropagation: 傩骟Ⱥ|尤fŇɓ呣ɘĩŽ + name: wRtUU + readOnly: true + subPath: T1 + subPathExpr: cidBhX8I + workingDir: M0jsi8 +- args: + - rQ7QBmZ4 + - Q32wY3lGUA + - VGeP + command: + - "6" + - 5vVr2Q + - 4YDd + env: + - name: DY1 + value: sge + valueFrom: + configMapKeyRef: + key: O8RUTpJ + name: SCF5ph + optional: true + fieldRef: + apiVersion: NY0hb + fieldPath: ViZ0f + resourceFieldRef: + containerName: "Y" + divisor: "0" + resource: sCX + secretKeyRef: + key: Ma + name: 6s6lc5 + optional: false + - name: m19lk2eiDtcdB7 + value: 0JaB + valueFrom: + configMapKeyRef: + key: VolU + name: jnFjMLIQ19 + optional: true + fieldRef: + apiVersion: "6" + fieldPath: N0wIEnFmQ + resourceFieldRef: + containerName: QwDG86d + divisor: "0" + resource: pda + secretKeyRef: + key: Uc7x1XF + name: efgc + optional: true + - name: 8A + value: 1kUmljHSb + valueFrom: + configMapKeyRef: + key: "" + name: z18yxT + optional: true + fieldRef: + apiVersion: 1qaE + fieldPath: vEzPx + resourceFieldRef: + containerName: GYhSz + divisor: "0" + resource: Ttq + secretKeyRef: + key: aaGRQS + name: C + optional: false + envFrom: + - configMapRef: + name: "0" + optional: false + prefix: 5cqcw + secretRef: + name: O7Gex12 + optional: false + - configMapRef: + name: DHEYwZ + optional: false + prefix: wSbyGx + secretRef: + name: 9nM86dZi + optional: false + image: E + imagePullPolicy: 栧Z + lifecycle: + postStart: + exec: + command: + - 6775E + httpGet: + host: hIoYmpbc + path: qEf + port: rnJpXG69m + scheme: 赙¯6a腚 + sleep: + seconds: 4894208532244895909 + preStop: + exec: + command: + - mHtY + - 0hh1Tr + - "" + httpGet: + host: BuElf + path: fJPDiyG + port: PybmIT + scheme: M*Ķ + sleep: + seconds: 7544543348205057985 + livenessProbe: + exec: + command: + - z7IJ + failureThreshold: -360493877 + grpc: + port: -1395908290 + service: zV1i + httpGet: + host: GLn + port: -279409955 + scheme: ǃU螄骰褃Ʀ诐Ɯ{,ɍb萎Ɲʢ鰪\U + initialDelaySeconds: 1831688310 + periodSeconds: -280461011 + successThreshold: 84363106 + terminationGracePeriodSeconds: 7513815341722354757 + timeoutSeconds: 442815657 + name: pGthpc + readinessProbe: + exec: + command: + - T39QO5 + - "" + - DbSsPel + failureThreshold: -1901163919 + grpc: + port: 1255815597 + service: xeTv + httpGet: + host: bipPJGJ + path: nghEbF + port: uyLPK + scheme: 翁渹牯澖 + initialDelaySeconds: 1295268788 + periodSeconds: 17921235 + successThreshold: -212369586 + terminationGracePeriodSeconds: 1061046207943693656 + timeoutSeconds: -1707711843 + resizePolicy: + - resourceName: RLHi + restartPolicy: 掳?帐(Ǖčĭ纜 + - resourceName: H1Bv + restartPolicy: Ɉ駃愝ɲƁ2*ʍJ蕦ʃĹr}尕5J埉g + - resourceName: f + restartPolicy: ɧ帨y晒ʪäǗ«ǤǞugT埤X澇寿Ù\ + resources: {} + restartPolicy: 7Y熀7rúǬ轘 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - Ǒn%Aʙ]m* + privileged: false + procMount: 鼷R珍沌 + readOnlyRootFilesystem: false + runAsGroup: -287129322294347273 + runAsNonRoot: true + runAsUser: 3942212766283409661 + startupProbe: + exec: + command: + - gN + - zpmlcJ + - DeLJ4s + failureThreshold: 102924404 + grpc: + port: -1304933194 + service: 0iK + httpGet: + host: jbg + path: ZqaSpx8C + port: UPJqfy9dOO + scheme: 韼QY岩沴ì釪儇9ĩN + initialDelaySeconds: -46268668 + periodSeconds: -1126074804 + successThreshold: -2093938118 + terminationGracePeriodSeconds: -3498490773203628311 + timeoutSeconds: -736335366 + terminationMessagePath: "7" + terminationMessagePolicy: 辺OB¯悱楆3Ǫ首傭ɟ鮛ïƇ豙ǁUȵ + tty: true + volumeDevices: + - devicePath: DSh1 + name: 1OMawuQAlZD7 + - devicePath: "Y" + name: liCI2j + volumeMounts: + - mountPath: JPO9Ewk3kgaeuBD + mountPropagation: k釂Żɮ>ɸêW箁B| + name: QGO7HtoR + readOnly: true + subPath: oYudCrOqA + subPathExpr: Z1oG + - mountPath: iH6 + mountPropagation: dP帗俪Ťŷ/6¤þ剛&Ģ趽qi + name: 9Ro4aQU5yby + readOnly: true + subPath: piBl3 + subPathExpr: nfDFn + - mountPath: uU2H4 + mountPropagation: ljQ + name: "" + subPath: rj2 + subPathExpr: E + workingDir: BveK3 +extraEnv: +- name: 14jKCyMC + value: Mb95Ivlchi + valueFrom: + configMapKeyRef: + key: FMRh9 + name: VwME2dRYnb + optional: true + fieldRef: + apiVersion: NlY1uxRPgql + fieldPath: NDrKU5 + resourceFieldRef: + containerName: gPQ1TD3MX + divisor: "0" + resource: r6HOpjj + secretKeyRef: + key: "n" + name: RQLa2rQL7Y + optional: false +extraVolumeMounts: +- mountPath: pqfdKzb + mountPropagation: "" + name: 6btv + subPath: xLjoA + subPathExpr: UseM +- mountPath: EYXxm + mountPropagation: 煊`ś蠶+蓲慅4曌Ƥ4臜.魼簌m缽荈巇 + name: 6ut6g + subPath: 7N + subPathExpr: ypY +extraVolumes: +- name: 00PT1WRWHX +- name: P4 +- name: fn +fullnameOverride: Bv0I +image: + pullPolicy: 垿儣Ƈ#WMƻ + registry: XB9ke7yB + repository: EwU0pzhz + tag: SmZAnO7 +imagePullSecrets: +- name: ygWNP7C0W9 +- name: lo0PU +ingress: + className: vg + enabled: true + hosts: + - host: daRMGxIy7gKoE + paths: + - path: GVhF41Ue + pathType: TeM8 + - path: UontjIzl + pathType: MN + - path: "" + pathType: xN + - host: YCgI + paths: + - path: MPhdfahEcn + pathType: ECPrn + - host: GDOlAVRM + paths: + - path: H5pExfzke + pathType: v8 + tls: + - hosts: + - dQiMWdJ8cYKS + - 35K + - 8Kin + secretName: C + - hosts: + - zPo + - Z7 + secretName: SiZz +initContainers: + extraInitContainers: ITIY +livenessProbe: + exec: {} + failureThreshold: 724782955 + grpc: + port: -2055628426 + service: kYxAdPiz + httpGet: + host: JfFu5eafS + path: S8lsKuv + port: 45830231 + scheme: 嵋6ǞkĤ閾8_Tu鍓 + initialDelaySeconds: 1633166106 + periodSeconds: 2105675880 + successThreshold: 225361138 + terminationGracePeriodSeconds: -5739612377473505352 + timeoutSeconds: -1665363921 +nameOverride: "" +nodeSelector: + LAqpO: N7lh0C2 + RqG8qj: ltTa5 + X3q: F5c +podLabels: + Klzm: we + e: C2swj + s: vw1lrq +podSecurityContext: + fsGroup: -8750452531563962174 + fsGroupChangePolicy: RȗɻÎ + runAsGroup: 3754171381447903160 + runAsNonRoot: false + runAsUser: 2565919490422334632 + supplementalGroups: + - 2907772986244331938 + - -4686580881125536152 + - -7134026849524391427 + sysctls: + - name: 8gezWufB + value: 2Jv + - name: 4nhjhT6P + value: 32ZuT + - name: cQk5tljX + value: Aimzt8kirN +priorityClassName: F +readinessProbe: + exec: {} + failureThreshold: -1128918125 + grpc: + port: -1566880140 + service: wMGGUi + httpGet: + host: EwUYUz5 + path: qC4K0 + port: frlhx + scheme: 2鳳ǿ{ǿN + initialDelaySeconds: -116128728 + periodSeconds: -1936485392 + successThreshold: -1735161598 + terminationGracePeriodSeconds: -4458812029359989949 + timeoutSeconds: -1293939870 +replicaCount: 464 +resources: + limits: + 0PRJ1bi: "0" + JUjtrq: "0" + WN9h: "0" + requests: + TCeGWCB: "0" + x5O0IxuN: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: Sfb6 + name: Fkoh + kafka: + awsMskIamSecretKey: Bof21IpUS + protobufGitBasicAuthPassword: fIQwt + saslPassword: KBS + schemaRegistryPassword: TehF8FK + schemaRegistryTlsCa: 40HTol + schemaRegistryTlsCert: cgz0Y9o + schemaRegistryTlsKey: QUpyP + tlsCa: naM + tlsCert: cC23TMJ + tlsPassphrase: NxVcNj + login: + github: + clientSecret: IDQ0 + personalAccessToken: "4" + google: + clientSecret: P + groupsServiceAccount: oKbW15 + jwtSecret: "5" + oidc: + clientSecret: YcYiIJm + okta: + clientSecret: CtRNDaLkEFXR + directoryApiToken: pH3E2YC7xP + redpanda: + adminApi: + password: "y" + tlsCa: 4ieHo3L + tlsCert: pQ6AshR + tlsKey: s9 +securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - '@晏駚T!UɎȉépg鎘Ȉ' + drop: + - ÚơĊ猴渋ĭ8膔櫔ż択ůĦ抹 + privileged: true + procMount: 偖躪 + readOnlyRootFilesystem: false + runAsGroup: -543916493751029755 + runAsNonRoot: false + runAsUser: 7772713475568767829 +service: + annotations: + C3p: uCspVMX + nodePort: 441 + port: 51 + targetPort: 456 + type: ZQQlqx7Np +serviceAccount: + annotations: + 7lpi: QQ + RK: "" + od3x: "3" + automountServiceAccountToken: true + create: true + name: HMyYp +strategy: + rollingUpdate: {} + type: Ʉ>朄崍ʡƥɼ戋\IJĹ +tests: + enabled: true +tolerations: +- effect: aƻƀi + key: 7II7D0fA + operator: 跳<ȴŤƇ梐ȸŷR + tolerationSeconds: -92963183946417046 + value: U +- effect: p鸿xś冣9ɩ揊Ů忁琺ȖP壡o繊堮 + key: 5sC + operator: XɦǨ燖Ż綯逆挤ʦ斝蟏滣ʣ + tolerationSeconds: -6405135249548565002 + value: c2m6hlo +topologySpreadConstraints: +- labelSelector: + matchExpressions: + - key: bsO + operator: Ⱥ8欟慡Ƿţ6氙絿鐘黬聠ç + values: + - hbuLC + - SdAZnchI + - key: b4Pjya + operator: jɀh5湧,Ȳǣ6謉<ɦ + - key: gXEm + operator: ',k涃栏岴g橚甇ȳ0禰餝榖睌ěB縩侾F' + values: + - q9VqX4l + - zoMoc9Vb5 + matchLabels: + B0T: uiIEpLD2 + V: jdhpTcaa + pz: V1dJXS8 + matchLabelKeys: + - yoFhTrxV + - o + maxSkew: -1837539887 + minDomains: 2144009248 + nodeAffinityPolicy: 怓覷環ʤ苷疿ʡB聧!]LJƱĿGť + nodeTaintsPolicy: V~0韾¾Ȣû&嵙纠&ȠVƧ鍌 + topologyKey: GldA + whenUnsatisfiable: Ƀk纩{寍HƋ&庝僟D徼聊 +-- case-036 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: bkwD5 + operator: B砟摫ʟ]估ȽÓĖ頒ʙǯ + - key: 4n + operator: "" + - key: DDWUTPllaee + operator: ǒ@訹Ðđɤ軗ɲǃZ袓6悔ʙ[x] + values: + - bHwxZg + - iPWF3DQz + - yhiFQZ98w6h + weight: -551427274 + - preference: + matchExpressions: + - key: kZ + operator: "" + values: + - BMfDa + - key: l + operator: unɚʀɂ7Ǩ蘕 + values: + - 1vsAjW + - lEGj0 + matchFields: + - key: EYCyU + operator: 袒雬Ǐ蔡|骐pOĆƍbʌʝl + - key: e9QdJHV + operator: Ɏ鼛鏗擌-悝Ű + values: + - DToToJ + - Gq4 + - key: M4b3wwVy + operator: 煛苅=İ哋ońɢ\Głh斳hɷ韙 + values: + - fMIoNrUiyJdi + - tcNEhOds + - N0 + weight: -906035045 + - preference: + matchExpressions: + - key: 05VafuKQo + operator: ƃèĢC篘 + values: + - McUwm + - oMXVW + matchFields: + - key: "" + operator: 9ȮLǟ3V廉\5膏ɩ袴 + values: + - t + - r8d6G + - FevHe + - key: KeJd9X4 + operator: \Y#uɆɫwĉɎ卲S + weight: -773391374 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: PiRY + operator: 週畯嘰Œ铖'ȸ0Į5k,逊 + values: + - Fo9oE + - KLfm4 + - PiZJC + - key: 6HCuuj + operator: Ȋ!ʈh牅HŹ蓓% + values: + - PU34U + - bZ12kwJ4s1 + matchFields: + - key: CCVSIZH + operator: (铴Njʦ釖Ĩ鎅ƒ獞p)唓u¸::2 + values: + - DjvLD + - key: 9gy6tFM + operator: ø + values: + - lPjPu0 + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 2oL + operator: Ì溄祤BNjɎ_ )jðZF + - key: Tl1mGP + operator: r0ȨȵeēP眼饾j + - key: 98uL + operator: "" + matchLabels: + "": H0F + IGfr: 8iR8 + pTjU: 2vy5Ol + matchLabelKeys: + - l2d3an + mismatchLabelKeys: + - gomcuJ + - UMhaBnQUuSH4 + namespaceSelector: + matchExpressions: + - key: CyYjfraf + operator: 鸫ʊűoǪĞ3 + values: + - uPW + - key: vuREiHB + operator: ^ĄçȂ挌 + matchLabels: + tlcI6jz: 87JK + namespaces: + - eUszN + topologyKey: yJ + weight: 1657692208 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 3d3mr + operator: 鿈Ė聭焚歉Ð(币帄Ⱥ + values: + - h + - key: Z5c + operator: ma琓 + values: + - i5Ae6oUo + - EWixIB + - "y" + namespaceSelector: + matchExpressions: + - key: XFYbW + operator: M~ + - key: lWHcsQ + operator: 铿X异~<ÿ缇ī*^ĩ + matchLabels: + s: l6sxM + vFiVA7j: WEOy1jtU + topologyKey: JW85dr45m2G + weight: 444678250 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: bMT + operator: ^)4ɊDZǸDŽ + values: + - CG9Onrt + - key: T + operator: ƞ傏 + values: + - bXs59oj + matchLabels: + 6BRwn: Pdm + Yy: aaoLnp + myN: rwJGrW + mismatchLabelKeys: + - "n" + - c + namespaceSelector: + matchLabels: + 5QMzPp: AP + D: "2" + u: Dca + namespaces: + - 8Af + - NYfxoYf + - R4G + topologyKey: yY + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 2uhHhqog + operator: Ȧ + values: + - YgsgGf + - key: EaR + operator: 愅YVǵ楔¢4Ʋ + values: + - xaEk + - key: NV5iPi5Kw + operator: ' 軕氡#晉Ʀ筜篧e蹶ʀSɟʂÊʕT' + values: + - BY4 + matchLabelKeys: + - 9fTYFH7s + - aK6HB6 + mismatchLabelKeys: + - 13L + namespaceSelector: + matchExpressions: + - key: 3FT + operator: Tğ枕Ōo*a種JU-ɶƠdz鱓fƑS + values: + - 4ISUCT + - po8yM2L + - T5Q0UARu + - key: RhB + operator: "" + values: + - Re7 + - 7id + - 91GFPdrt + - key: ShRTzNRj + operator: ʬ吇Ȭ?搰Ç + values: + - HiGOGJE + - wOi + - HmllR83Dbvoz + namespaces: + - "" + - TBCPW + topologyKey: 0H + weight: 1493754197 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: CESaz + operator: ŢaæX#暁鲸'媩俛5齗aw'ĥ煆W + values: + - "" + - key: YtpoWP + operator: 瀽LƠ' + values: + - uS13z + - ip0h + - o8m9MWnmr92 + matchLabels: + 7o4tt: QX9gjN + KScJOoR95: Dpu + wfAk1b: rH5Z + matchLabelKeys: + - Yh1S1nZ7hm + - Fwx + - 6mhp + mismatchLabelKeys: + - ihvyNa7 + - m8 + - Q + namespaceSelector: + matchLabels: + 2KH67NR4: Vy8qZyy + topologyKey: w0KJ + weight: 1592497187 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + 1UcAh: h + namespaceSelector: + matchExpressions: + - key: yxz + operator: ',酵ýhȿ鲹芫澥 Ǧ_Ź躄_莯ʊ傡硬M' + values: + - Fof + - key: 8KwNEN + operator: 8炮逴8`M鞵ȍȟ蟷盱 + - key: N0 + operator: Ì崌爷矉&佷* JQȴ躀厇退ƿƍ肙 + values: + - kjlwyKc + - DDz + - Yf8Vf5Ar7w7 + topologyKey: n5cRtvXjK +annotations: + GvX4jkWw: xAyNk + MdtXxfH: "" + WyrWx: 8QO +automountServiceAccountToken: false +autoscaling: + enabled: false + maxReplicas: 213 + minReplicas: 211 + targetCPUUtilizationPercentage: 270 + targetMemoryUtilizationPercentage: 495 +commonLabels: + Nv: YHcp9u + RMi5: o4 + ViLr0: zrEw3 +configmap: + create: false +console: + roleBindings: + - cwSnKnhS: null + mzA9: null + oRCBU: null + - 4VfdtEVC: null + UF: null + - 785va: null + Cmlc: null + NyhDjFL: null +deployment: + create: true +enterprise: + licenseSecretRef: + key: teD + name: fP2IA +extraContainers: +- args: + - gfDaDhh + command: + - Eu + envFrom: + - configMapRef: + name: 9LtiYU + optional: false + prefix: dS5JDbtZJ + secretRef: + name: 3X5 + optional: false + - configMapRef: + name: vpOLCCmA + optional: true + prefix: IJpeUVYk3 + secretRef: + name: TaghAr + optional: true + image: Nw59jHFBw + imagePullPolicy: Eźz购綗映ò#ZuS絇溾^飷 + lifecycle: + postStart: + exec: + command: + - N2F2q + - XKeJn + - CfoVd + httpGet: + host: 0u3Kgf + port: PVA8u + scheme: ȧX[噦摼鎥憈ǴńƘŅ + sleep: + seconds: 9185496374723367536 + preStop: + exec: + command: + - lrWSClt + httpGet: + host: uS + path: 51Gzg9s + port: -1680102290 + scheme: 8涒齃ɠĬ諛鰅jyr塸ȷg× + sleep: + seconds: -302278202696680147 + livenessProbe: + exec: + command: + - fmu + - wJR3 + - 60zV6s4327rKb9 + failureThreshold: 2122798666 + grpc: + port: 1914605377 + service: ES + httpGet: + host: 7LAmwy8 + path: o2XAC + port: S5 + scheme: 犘ßħɚÂ剐*鬰ȇxȺ錎 + initialDelaySeconds: 343978803 + periodSeconds: -1725283583 + successThreshold: 1055506692 + terminationGracePeriodSeconds: -737021961431151273 + timeoutSeconds: 1721351711 + name: r + ports: + - containerPort: -341996687 + hostIP: zR + hostPort: -641414216 + name: AGa7X6lnw + protocol: 阧 + - containerPort: -1616018360 + hostIP: 8q + hostPort: -2060443566 + name: B + protocol: 位ŲȟHbfp餪魹| + - containerPort: -321829785 + hostIP: S + hostPort: 850049722 + protocol: ĢŔ=ɦŊ鳺醩hĂ踻鉀 + readinessProbe: + exec: + command: + - VRq0lZK + - nCUDH3Zgc + - f2h2C + failureThreshold: -444080905 + grpc: + port: -1484737838 + service: UL8hSUw + httpGet: + host: 8DDb + path: Z + port: It67aEO18 + scheme: 蹐疒Į浤 + initialDelaySeconds: -1225398553 + periodSeconds: -1497056806 + successThreshold: -1256842388 + terminationGracePeriodSeconds: -3265344141862786392 + timeoutSeconds: 1127947387 + resources: + limits: + "36": "0" + Oaiu: "0" + v: "0" + requests: + F0olO: "0" + tvGpYtd: "0" + restartPolicy: Ě卿ɫȰLZ懁 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - "" + drop: + - Ę螅7O5Ɵ駢Ó宮緂 + privileged: true + procMount: ʤ敠æx漭fƈŸʄ + readOnlyRootFilesystem: true + runAsGroup: -1779689763650765955 + runAsNonRoot: true + runAsUser: -1786517016760367110 + startupProbe: + exec: + command: + - Mcn36l + - "n" + - OMT3J + failureThreshold: 1137002720 + grpc: + port: -2106637755 + service: OYW + httpGet: + path: K + port: STUmUBT + scheme: 貪iɐ巶ɿiɲbɎ;Ŏċ2橺汲ŋ刢g + initialDelaySeconds: -648188998 + periodSeconds: -278768915 + successThreshold: 890955082 + terminationGracePeriodSeconds: 5660177701724482122 + timeoutSeconds: 959596283 + stdin: true + terminationMessagePath: h2a2mAm + terminationMessagePolicy: pjĉ + volumeDevices: + - devicePath: cZ95 + name: wLm + - devicePath: P9RW + name: PjzHR + volumeMounts: + - mountPath: b + mountPropagation: 脣Į + name: bOY + readOnly: true + subPath: mBuB + subPathExpr: 0io + - mountPath: DYp + mountPropagation: 9鹺t"Ĭij(?NB4ɖ鴼B屈桲ȋ噤ǁ + name: O + readOnly: true + subPath: EcI7mF + subPathExpr: HKfaS + - mountPath: NTgHw + mountPropagation: (ńÆ;裉嵀 + name: U6TGXB + subPath: wjpyjQ + subPathExpr: nqq + workingDir: NpjQN3dM +- args: + - m + - fmRfLPl + command: + - okKsRu + env: + - name: y8FxBu + valueFrom: + configMapKeyRef: + key: 1kdTq + name: NGzFHD + optional: false + fieldRef: + apiVersion: WDoDm + fieldPath: HTHz + resourceFieldRef: + containerName: aWk + divisor: "0" + resource: RcTwrpd4PaqW + secretKeyRef: + key: 27uDnW9fM1 + name: diwId6SMC + optional: true + - name: NZ1pEV + value: Xq7fA + valueFrom: + configMapKeyRef: + key: cYo + name: IhK1oKNNr + optional: true + fieldRef: + apiVersion: 0C + fieldPath: "" + resourceFieldRef: + containerName: OywKEud3 + divisor: "0" + resource: E4 + secretKeyRef: + key: gGTl + name: V + optional: false + envFrom: + - configMapRef: + name: fJ + optional: true + prefix: zFUU1PguE + secretRef: + name: S7Jre + optional: false + image: gbZ4mqT + imagePullPolicy: '*罖Ē掙*uĕĥ世û煨o曁ɖ)嬫噩肖Ñ' + lifecycle: + postStart: + exec: + command: + - nxKsxt + - F25ka4x + httpGet: + host: "0" + path: 9k0yMphk + port: GJdG + scheme: 婁箅蝼đ杣Ɗ°VAƭ0ĺ钘1 + sleep: + seconds: 8039264634100238529 + preStop: + exec: + command: + - NuJoJm + - gykEI + - "6" + httpGet: + host: UnkqD3SS + path: BhN + port: 712546393 + scheme: u + sleep: + seconds: 409536667065008471 + livenessProbe: + exec: {} + failureThreshold: 204373937 + grpc: + port: 1803358082 + service: VXsxSeh + httpGet: + host: Ht64jf7Eo + path: u1jjW9Qu + port: 556487018 + scheme: 熖Ű存ŖT磇ɘ外 + initialDelaySeconds: -1152834471 + periodSeconds: -1133396594 + successThreshold: -1385193405 + terminationGracePeriodSeconds: 2915006546098799012 + timeoutSeconds: -1401054296 + name: dfD716 + ports: + - containerPort: 691082006 + hostIP: b + hostPort: 636825973 + name: S5FmEWKv + protocol: g]se墰掀媸晓櫚驟憽hbƥsư° + readinessProbe: + exec: {} + failureThreshold: 152987910 + grpc: + port: 642951905 + service: q2qfom8L + httpGet: + host: GaxyfqlQ + path: Oh0t + port: -766612198 + scheme: UÂ_ + initialDelaySeconds: -1382761032 + periodSeconds: 967018272 + successThreshold: -178373997 + terminationGracePeriodSeconds: 6605400648980208248 + timeoutSeconds: -1404918452 + resources: + limits: + 7cu: "0" + 22n7v: "0" + XsU5mrE: "0" + requests: + kyXuqf: "0" + mBk4P9DWW: "0" + restartPolicy: ʓdT>NȚks_q祈 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ȸŏ脸(Yǃ¯~垇耗A) + - T翱ĥ + drop: + - 商ʏ軒Ƣ厢 + - Ⱥãt\跋þ漙苣ű吡憕鿶0傜om + privileged: false + procMount: Ŷ% + readOnlyRootFilesystem: true + runAsGroup: -1052699124096043871 + runAsNonRoot: false + runAsUser: 3737016357651072730 + startupProbe: + exec: + command: + - jefRNS + failureThreshold: -9144267 + grpc: + port: 642233169 + service: WjvgDkGG + httpGet: + host: 8hzgS0q + path: z + port: -885964296 + scheme: ɸliŵ + initialDelaySeconds: 1014078949 + periodSeconds: 1410148112 + successThreshold: 1164669668 + terminationGracePeriodSeconds: -3385668069040237914 + timeoutSeconds: -1723583731 + stdin: true + terminationMessagePath: zbCh + terminationMessagePolicy: 4攨2õė+軩Ç + tty: true + volumeDevices: + - devicePath: Nx + name: QLHA + - devicePath: 9JAgFLSdSqQ + name: "5" + volumeMounts: + - mountPath: KXG1 + mountPropagation: ȁ捄ɺ絒馢A¥`Èť + name: aghWO + readOnly: true + subPath: el7KEVsV + subPathExpr: tdksniBM + - mountPath: 5nus8 + mountPropagation: N饢杼M7X尅扐ǗÃɱNƞeuĦg儡 + name: TS4kHG + readOnly: true + subPath: i + subPathExpr: ktDaTCGG + - mountPath: CSkt9N0i + mountPropagation: 爕ɐYYȁ<獱椂@椗áʇ憣>\Ɋ筙纉Ë + name: KIKRXUR + readOnly: true + subPath: bWYTiq + subPathExpr: cgxlHqVV + workingDir: F +extraEnv: +- name: 0iCX + value: UfKNkXj6I + valueFrom: + configMapKeyRef: + key: GGYmdb5PBtUx + name: Zl1rWu9 + optional: true + fieldRef: + apiVersion: 1pKgni + fieldPath: 8Zmv + resourceFieldRef: + containerName: nK + divisor: "0" + resource: Yizp + secretKeyRef: + key: Dxqh + name: td + optional: false +- name: bm + value: K06vl + valueFrom: + configMapKeyRef: + key: dOTjzfwtRPzX + name: YleYOzRS + optional: true + fieldRef: + apiVersion: xl + fieldPath: 6NM2 + resourceFieldRef: + containerName: jreT + divisor: "0" + resource: "" + secretKeyRef: + key: B7 + name: cu + optional: true +- name: F4Vp + value: 9q + valueFrom: + configMapKeyRef: + key: dAPalKT0 + name: UXC7S + optional: false + fieldRef: + apiVersion: bTxwQmS + fieldPath: XW + resourceFieldRef: + containerName: iqnl + divisor: "0" + resource: e9 + secretKeyRef: + key: c1WJ + name: sg2TuPSW + optional: false +extraEnvFrom: +- configMapRef: + name: 3PT + optional: true + prefix: l + secretRef: + name: zakko + optional: false +- configMapRef: + name: RdxlkV + optional: false + prefix: 9Ae4W + secretRef: + name: UiJ + optional: true +- configMapRef: + name: bp + optional: true + prefix: SU + secretRef: + name: fy + optional: true +extraVolumeMounts: +- mountPath: Oly + mountPropagation: ƈįlñ + name: QuM + readOnly: true + subPath: NPJ + subPathExpr: vn +- mountPath: xsiqpcicm + mountPropagation: Ŝȃ燩čƃʤǸ儼 + name: blYv + readOnly: true + subPath: 8f + subPathExpr: I +- mountPath: "" + mountPropagation: 犒k洐ɨ3UʓďȏUm8/x艂" + name: i2 + readOnly: true + subPath: G + subPathExpr: Wo47OrA +extraVolumes: +- name: HUa7xM +fullnameOverride: AumW +image: + pullPolicy: ǫtŖŮƘ瓧ù¹勍u + registry: ai + repository: f54I + tag: iO +imagePullSecrets: +- name: bbjdn +- name: VI +ingress: + annotations: + RX47S: lb0 + Ton: ukp + className: R3Ykmr + enabled: false + hosts: + - host: bybyr6XsLFPDg + paths: + - path: c9F + pathType: TyYv +initContainers: + extraInitContainers: q +livenessProbe: + exec: + command: + - dRbj + failureThreshold: 864346345 + grpc: + port: -568790446 + service: 9WyiSW + httpGet: + host: EbFlYW + path: HC + port: C1Fv7 + scheme: 軔ǷʧP + initialDelaySeconds: -1341055636 + periodSeconds: 2055603833 + successThreshold: -175204389 + terminationGracePeriodSeconds: -2333626465204273709 + timeoutSeconds: -589897727 +nameOverride: 9mG8n4Wu4 +nodeSelector: + U3Rfg9: WSTvjvP + hODw: LSv + iwleZ: fD +podAnnotations: + jLE31lUP: LWc +podLabels: + 6W: FQvOa + YwkBSNWK: 0qqd + jP3: iNkD +podSecurityContext: + fsGroup: 8205502301244812774 + fsGroupChangePolicy: "" + runAsGroup: -8440674019915815616 + runAsNonRoot: true + runAsUser: 4432310384984167581 + supplementalGroups: + - 7965846110903121951 + - -9174375158887062481 + sysctls: + - name: OkeQ + value: A + - name: 24y + value: fIPA + - name: "" + value: b3 +priorityClassName: gPB +readinessProbe: + exec: + command: + - NjJ7Lit5 + - 29odviV2mnb + failureThreshold: 1075627654 + grpc: + port: 364618769 + service: g1wc + httpGet: + host: 40i + path: OTDO + port: -2089902693 + scheme: $Gȇ表匾ʞG絁娚彰ŝê<ĭ + initialDelaySeconds: 333726894 + periodSeconds: 1376975278 + successThreshold: 112483424 + terminationGracePeriodSeconds: 1389336444380098948 + timeoutSeconds: 669945326 +replicaCount: 24 +resources: + limits: + 7VHN3: "0" +secret: + create: true + enterprise: + licenseSecretRef: + key: jPpQY + name: uRkzw + kafka: + awsMskIamSecretKey: B + protobufGitBasicAuthPassword: EfQbyB + saslPassword: w + schemaRegistryPassword: qiltVq + schemaRegistryTlsCa: kyT4j + schemaRegistryTlsCert: Tu4varJ + schemaRegistryTlsKey: bmT + tlsCa: UyskLmDZ + tlsCert: "" + tlsPassphrase: IdsCzt + login: + github: + clientSecret: hPt + personalAccessToken: vRbRqD0 + google: + clientSecret: "" + groupsServiceAccount: lcc9 + jwtSecret: tf0x + oidc: + clientSecret: A9RDbO6GzTtHYG + okta: + clientSecret: HktzleLAg + directoryApiToken: qX + redpanda: + adminApi: + password: 5imX8ztdqjU + tlsCa: opQQ + tlsCert: PGcfJC3zH + tlsKey: IhqyTvQn4T +securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - '*·戌ɳKõʚK(懷ë蟅ȣg' + - vOpɔm&ɞ法槪ųf + drop: + - l¤0ɖK樌ŕDĪ箰ɬȓũ梫h揼 + - 躟OBZş互鹫Íʨƶ`ã + privileged: false + procMount: 9®俠ɳ屑ŏO'pe,Q+膿麣 + readOnlyRootFilesystem: false + runAsGroup: -289823929905824069 + runAsNonRoot: true + runAsUser: -4392330066259666500 +service: + nodePort: 249 + port: 113 + targetPort: 414 + type: XHYb2qmrk +serviceAccount: + automountServiceAccountToken: true + create: false + name: Jg +strategy: + rollingUpdate: {} + type: LJėwǮ甧 +tests: + enabled: false +-- case-037 -- +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: IPWU1 + operator: 魡燸"趵p砮ƘċÈ3ljDŽ + values: + - i + matchFields: + - key: "" + operator: 廋46齄aā[傡ŤXjğ@ɫ聱昣ȞA + values: + - hrjhAJC + - RGJEJ + - key: 9XRD + operator: 鏖Ų姓萲1蜓舆 + - key: nmlhnezDL + operator: =WF»圻礼鍕4u-瘸]NJ + values: + - MlE9xcsLb + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: vxH0 + operator: kűŐ鄴 + matchLabels: + YR: ZYyx + matchLabelKeys: + - lrfi + - 9s + - "2" + mismatchLabelKeys: + - "" + - vc + - rz4SvG + namespaceSelector: + matchExpressions: + - key: ybBiR8Fm + operator: UlƜ寻眅崈O+聁ȴ + values: + - xxao + - key: UpNi + operator: v韠Ʀ.Ɓ氩諑ʊ0ɔ凹 + values: + - ECPGYavF2 + matchLabels: + 7qRB: 56MM + tcHg1: kpR + topologyKey: "7" + weight: 212582037 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + 6PJt: OILe3j + mismatchLabelKeys: + - PB + namespaceSelector: + matchExpressions: + - key: "1" + operator: ǯVɳCĬ鷹儉ïXǐʐ楏ċŇǽ + - key: aFA + operator: ƣ諔&ȵ%ǼQ傠ûQ& + values: + - tdkCJmsLj + - 2WF + - nlO + matchLabels: + "": JgBcTwL + gUx2lrPlU: 2MEiay0i + namespaces: + - iUHz + - F + - C + topologyKey: 0DqLIsLvEJ + - labelSelector: + matchLabels: + D65k: m + v: Wf73pl + namespaceSelector: + matchExpressions: + - key: Mql8T + operator: Ȳ + values: + - kiCXA + matchLabels: + QJPP2Wmbc: MGiu + tm: POZGk072F + v: OdyUJaKz8sW + topologyKey: CaAJ + - labelSelector: + matchExpressions: + - key: kJFGWDPIX + operator: '`園bsN唲幈ùÄ!鑢' + values: + - x + - key: PQktimeqK + operator: Í Ho亜q毂EɌ39蓷 + values: + - rYZ + - key: L6Wp + operator: '&去鉼晆Äě菉' + values: + - BPX5 + - 7Ows + matchLabelKeys: + - PhOMWnct + - 4Iar + mismatchLabelKeys: + - SfvAwYYqtwPc + - w9 + namespaceSelector: + matchExpressions: + - key: VmRQ2 + operator: 錛ȋʤ`搲ZL婨ƅ\鴃m闬ǿ戺ƨĤs@ + values: + - Ah8tj + matchLabels: + JBFf5vLf4: q2X6daLRz + VuZT: gmluiWbT + p64cMTP: B9 + namespaces: + - Ri6BSDl1 + topologyKey: nACF7H8 + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: ZZaxS + operator: 黦ƒ©瀂 + values: + - "" + - 20OCN + - IZ86eI1 + - key: RXLfn + operator: .惊ŝ4ni`ræseȕƌ筬NJ@pŻ + values: + - Fuy + - 6ZIkwShr + matchLabels: + RJHcF0aLL9: avVll8hJB + Spsji: hW + mismatchLabelKeys: + - RDiUdFmoEZ + namespaceSelector: + matchExpressions: + - key: RmcZbbc + operator: uŒ¶鱸K + values: + - 90lQUM5B + - J07lI + matchLabels: + 6hQX9h: Sr5NoqB + L0vc: i + iJ6hIS: yLkpjBIU + namespaces: + - i1uGAcY9Xxf + - DO5c + topologyKey: uVcRZ + weight: 608820709 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: Mgdm + operator: 惋¯ʢÝǒ=h佅茆接 + - key: "n" + operator: 系¦澜C2騗ā穩 + values: + - yelaWfaB + - Cq + - Va + - key: Ymvr + operator: 7 ^»ðq> + values: + - GES + - gPThP + matchLabels: + zj9Ud7LvFtg: trcgDo5 + matchLabelKeys: + - X + mismatchLabelKeys: + - peo1 + - zVPvCpJUM + - "" + namespaceSelector: + matchLabels: + "1": qRCy + namespaces: + - Eczjbhs + - F8 + topologyKey: Az + weight: -470853400 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: {} + matchLabelKeys: + - VWM7 + namespaceSelector: + matchLabels: + Q4BC: BojBLo + Vz06Yne: "" + namespaces: + - yEEmKNg + - iGJzcn + - G1bhP4 + topologyKey: pcOSh + - labelSelector: + matchExpressions: + - key: lCW5OK2A6HKOaC7 + operator: 蚿~2婈 ʝ似矉k + values: + - 5IOGWj + - UwmQ + - Ser + matchLabels: + "4": PB0Pb9 + Ykh3k: oX8w + matchLabelKeys: + - SfZ9pUjA + mismatchLabelKeys: + - i16lOT + - 8iU + namespaceSelector: + matchExpressions: + - key: ZxE + operator: 恇3 + values: + - "" + - 43TqLr + - key: ikCzWLGa + operator: E + values: + - W1 + - ZqA + matchLabels: + "": YJaQ + 7h: dybADQ + topologyKey: "" + - labelSelector: + matchExpressions: + - key: 0bZO + operator: '[ ' + values: + - DPm + matchLabelKeys: + - "" + namespaceSelector: + matchExpressions: + - key: b8XGJRAsiP7 + operator: ']眆寜眴z' + values: + - MsgI + - dhrJF0b + - key: SMx + operator: JɦĈ + values: + - o + - yknE + - key: rfxn3qvEK + operator: 綐岮~2熗昕Ñ占Wm员Ƴ橝灃Ɗ + values: + - "" + - K + matchLabels: + 2Jd: g3du2W + ZHju0: u7DvsT5e + zUssA7: ZKAL + namespaces: + - Qpqer2VPQ6oA + - zR0okqL + - nuH + topologyKey: i +annotations: + 1B8qie: FSPYCLoT + I: hpwL4TH + Z: 0LFy +automountServiceAccountToken: false +autoscaling: + enabled: false + maxReplicas: 370 + minReplicas: 221 + targetCPUUtilizationPercentage: 463 + targetMemoryUtilizationPercentage: 49 +commonLabels: + BJ: Gq0Rw + FPcPYvmbB7dAZe: Cy7WaeI + uEVMkDkYRvnn: zvptNai +configmap: + create: true +console: + roleBindings: + - 2m: null + VNrY1fwY: null + eaGm2c: null + - Ng0sM: null + Txhv6: null + e2uo: null + roles: + - Dd: null + H0QLXtA: null +deployment: + create: false +enterprise: + licenseSecretRef: + key: HqS5hb + name: 3sA8DqHdr +extraContainers: +- args: + - UaqwQ7 + image: 9gJVF + imagePullPolicy: 5傅c諹ɕ ƅƬDr1鰹瀣n怌ʡ + lifecycle: + postStart: + exec: + command: + - EJfXoz + - pxAl7T7 + httpGet: + host: 4dtyQHxp + path: 9i + port: BmGAi + scheme: ¼ů + sleep: + seconds: 2333336810403167963 + preStop: + exec: + command: + - EF + httpGet: + host: gc + path: 5IcdjR2 + port: Ln1 + scheme: Ȱʛ{`Ɓʛ劽Ŋ劧Yǥ + sleep: + seconds: -8338094784810815040 + livenessProbe: + exec: {} + failureThreshold: -1009316117 + grpc: + port: 434468004 + service: hOHaw7yL5 + httpGet: + host: r0OfO9Tjf + path: rvqaH + port: 1861701721 + scheme: 蓫AȚ%Țx痷 + initialDelaySeconds: -1210592458 + periodSeconds: -1685889023 + successThreshold: -1513585658 + terminationGracePeriodSeconds: -2039599439532369874 + timeoutSeconds: 615837494 + name: 0z + ports: + - containerPort: 920384597 + hostIP: amIbTg + hostPort: -1446796645 + name: H + protocol: tsė歟ū$B,qʐ医枝 + - containerPort: 533680030 + hostIP: AQrcm57h + hostPort: 436553418 + name: zI + protocol: mĖ}ʘá~滬 + - containerPort: -88474612 + hostIP: 5Q7z7DzPSmu1KQ + hostPort: -894572877 + name: Ie31rl + protocol: Z尤汸 + readinessProbe: + exec: + command: + - Ig53IR5s + - X + - MD + failureThreshold: -697650972 + grpc: + port: -1408023460 + service: q3NQW + httpGet: + host: NClmq + path: "y" + port: 4KJj4nVotN + scheme: ®顫jV/懔e + initialDelaySeconds: 1925202911 + periodSeconds: 1008375062 + successThreshold: -1515262628 + terminationGracePeriodSeconds: -9135279372752511888 + timeoutSeconds: -757546061 + resizePolicy: + - resourceName: BhTx + restartPolicy: O憢%ȔnjŸƓx汮$ + resources: + limits: + 0R8h7mczbiK0u: "0" + ngcoDm: "0" + requests: + FvPC8: "0" + restartPolicy: 竴xJ飊µ + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - eF + drop: + - '#泪<1饤ǯȲ78狎外龬郄晛頯6汐嫏' + privileged: true + procMount: bűƍȓ2C޵舕秗騛^ĪĪ溫Nȇ + readOnlyRootFilesystem: true + runAsGroup: -3343110605261139689 + runAsNonRoot: true + runAsUser: 7479178344552716344 + startupProbe: + exec: + command: + - 4mbBa0iSAgQ + - 9Vb + - B5u + failureThreshold: 753806032 + grpc: + port: 1382157718 + service: Sbk + httpGet: + host: bVoIiYzvoi0B2 + path: H7pGt3 + port: TTVi + scheme: 厪$dıQǵ_ƀÁ釔ɵ徣 + initialDelaySeconds: 849023271 + periodSeconds: -1908074475 + successThreshold: 328769480 + terminationGracePeriodSeconds: 5149904224053969297 + timeoutSeconds: 1277324377 + terminationMessagePath: 00uJXyD + terminationMessagePolicy: 禣儛x~靰ɿ`šŀǼŋP^n + tty: true + volumeDevices: + - devicePath: TMbZU + name: hFJz + - devicePath: yr + name: O0NQRcuq + - devicePath: UHqeq + name: Ydaqo + workingDir: TzR +- args: + - 1EEFNaNA + - U2l + command: + - CsMZk + - 4HgTHX + - Sqt9at + envFrom: + - configMapRef: + name: RRMDeJ + optional: false + secretRef: + name: lcA + optional: false + image: GQ69 + imagePullPolicy: Ɉǥ + lifecycle: + postStart: + exec: + command: + - 3YpG + - vZTzHN + httpGet: + host: cPtKCkyO + path: "4" + port: -1049236742 + scheme: 硺=ɸǖɵ恆Žd0 + sleep: + seconds: -7566729856608460688 + preStop: + exec: + command: + - y2fpvM + - VG + - hhX3m + httpGet: + host: o + path: "7" + port: nl5CZNKB + scheme: Ȉ + sleep: + seconds: -9000479934802388409 + livenessProbe: + exec: {} + failureThreshold: 115197733 + grpc: + port: 418872789 + service: mK04M1 + httpGet: + host: tYy4jqPpZ + path: om7u1 + port: 6vYh + scheme: 鬧ĕ,b嫲ʞÈȅɼ瑀\-ŤÔĞ{ + initialDelaySeconds: -1996330627 + periodSeconds: -2123682197 + successThreshold: -274102072 + terminationGracePeriodSeconds: -4086669261853017280 + timeoutSeconds: 1671175282 + name: MN + ports: + - containerPort: -581773322 + hostIP: w + hostPort: -1918799357 + name: NUQc5 + protocol: lɡFàW6ǼC7騰僮氁繸{Ȏ + readinessProbe: + exec: + command: + - IYC3M + failureThreshold: 178025639 + grpc: + port: -205038391 + service: EGqI + httpGet: + host: oGjb56 + path: mnq + port: pb9x + initialDelaySeconds: -1053907742 + periodSeconds: -777502604 + successThreshold: -350871959 + terminationGracePeriodSeconds: -6813701492426236069 + timeoutSeconds: -1712603807 + resources: + limits: + TwWe: "0" + requests: + 4FGQT: "0" + 57DEge: "0" + zBEzXaq: "0" + restartPolicy: 焂ś(Z緌挄ǥȪȑq*刾 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - Ư#æ9NF犔帙錈 + - N範3>ȖlǖɥöS竾ƾÔŸ烠dk弸 + privileged: false + procMount: ı.ĔtQ+p銍/盂pJr替àŽ + readOnlyRootFilesystem: true + runAsGroup: -9023516459602390407 + runAsNonRoot: false + runAsUser: 2513546243926544067 + startupProbe: + exec: + command: + - C + - 9o + failureThreshold: -1595663358 + grpc: + port: 879782754 + service: E3 + httpGet: + host: j + path: ZwGu + port: -1183682475 + scheme: ȉʬ|Ȗ-胨\GǴ酥âïŀ + initialDelaySeconds: -320635887 + periodSeconds: -1762048755 + successThreshold: -1206942688 + terminationGracePeriodSeconds: 2874889772540953352 + timeoutSeconds: 201190682 + terminationMessagePath: D5nhSA2KK + terminationMessagePolicy: '|Áʊv~' + tty: true + volumeDevices: + - devicePath: fl + name: "" + - devicePath: Pivii + name: SAJBTs + volumeMounts: + - mountPath: os + mountPropagation: 霤ņd碤 + name: Wma3F + readOnly: true + subPath: J + subPathExpr: rp + - mountPath: 7p + mountPropagation: ʜ塖ɥw阒ɠ·閐駔址遥铣C龂ȵ槂瑷 + name: EKv9jGIV + readOnly: true + subPath: YjGj1 + subPathExpr: goeN5mMZVyE + workingDir: 9pZ +- env: + - name: jUF3n5Y + value: 5Oas + valueFrom: + configMapKeyRef: + key: NjvBzcrV9 + name: kjnqdL + optional: true + fieldRef: + apiVersion: EKxzT + fieldPath: keiWEt + resourceFieldRef: + containerName: 6ei + divisor: "0" + resource: 5SYJ0LG + secretKeyRef: + key: khTsQnn + name: R22Yc + optional: true + - name: Eqsqk + value: ZbUl8L + valueFrom: + configMapKeyRef: + key: LBJ9Co8gX + name: 5F + optional: false + fieldRef: + apiVersion: BBXJwlU6ov + fieldPath: tR7Z2 + resourceFieldRef: + divisor: "0" + resource: Kw7UxsTdNB + secretKeyRef: + key: x1Ijg6T + name: qqT6Y + optional: true + - name: 7zUt + value: 92wkXugDh + valueFrom: + configMapKeyRef: + key: JfY0lIp0Jdtpv + name: nYzr + optional: false + fieldRef: + apiVersion: IDhOF + fieldPath: aTWd + resourceFieldRef: + containerName: m4s0LUsO + divisor: "0" + resource: jJSLfi + secretKeyRef: + key: KzYvK2KKl0 + name: sR + optional: true + envFrom: + - configMapRef: + name: LuhmK + optional: true + prefix: z3 + secretRef: + name: bhwKfwEMY + optional: true + - configMapRef: + name: ZLn6PrNZ + optional: true + prefix: CZK + secretRef: + name: ln + optional: false + image: 40twCh1 + lifecycle: + postStart: + exec: + command: + - "" + - 4qZLs + - OKN + httpGet: + host: L1rE + path: zDyVFyy + port: kQZa + scheme: l + sleep: + seconds: -7109845505283004784 + preStop: + exec: + command: + - HBLUwI5qG + httpGet: + host: vM5bd + path: "y" + port: 1065237668 + scheme: 働ı愊GƜǻo4qtHŢ*獊K[w + sleep: + seconds: -1099871671561452384 + livenessProbe: + exec: + command: + - K1 + - O5Tdq + failureThreshold: 1326476911 + grpc: + port: 1266228568 + service: 0yovH + httpGet: + host: feV + path: HDTE + port: "1" + scheme: '!@ȄKh8淫~ǿ%硬睇鵤嵤' + initialDelaySeconds: 1175577649 + periodSeconds: 1877040036 + successThreshold: -1354358221 + terminationGracePeriodSeconds: -925123122471881643 + timeoutSeconds: 1464454545 + name: W8b6OOS + readinessProbe: + exec: + command: + - i + failureThreshold: 1781656452 + grpc: + port: -1606887908 + service: RrbvDP + httpGet: + host: mKx + path: HD + port: hiq5RvT05 + scheme: 鱑Ȍ¾ĵ覓{>鿼钇 + initialDelaySeconds: -1803086365 + periodSeconds: 450703172 + successThreshold: -1624696013 + terminationGracePeriodSeconds: -5286538260023923986 + timeoutSeconds: -528162423 + resizePolicy: + - resourceName: um0g1naPII7 + restartPolicy: ¹俞Wƌ甝 + resources: + limits: + EDhQ2V: "0" + OQ: "0" + WtnTV: "0" + requests: + jQaF: "0" + restartPolicy: '{鉪蟏E喧t庛Þa¦ʕ' + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - Ň鰍坸Ñ霰ʁ攽$Ơ + - 蟒磁砈Z芥EDZ + drop: + - ċ6洌扼雚nj墣l睧奟*躾ƛƌ秡t + privileged: true + procMount: 蜵5>MU + readOnlyRootFilesystem: true + runAsGroup: -7704085956113873818 + runAsNonRoot: false + runAsUser: 5730999299228810722 + startupProbe: + exec: + command: + - ImPt + - cIB + - e58MzW + failureThreshold: 310737712 + grpc: + port: 1849024783 + service: B1W + httpGet: + host: 1nU5qLkMA + path: Oo7nHt + port: hxGSeC + scheme: ƇĒɔmĦɦ齋貢 + initialDelaySeconds: -1797908483 + periodSeconds: -761708273 + successThreshold: -1316915468 + terminationGracePeriodSeconds: 8128903938581944374 + timeoutSeconds: -1573011089 + terminationMessagePath: FYPtlxf + terminationMessagePolicy: Pʏɉ{ů囏Ì4鰸曘Ʃ氕峵 + tty: true + volumeDevices: + - devicePath: "93" + name: t3A + workingDir: w +extraEnv: +- name: fXB4uyH + value: GPmKm1YgQuvB8 + valueFrom: + configMapKeyRef: + key: BYyG6 + name: Kr8iKZ + optional: true + fieldRef: + apiVersion: sSt + fieldPath: 7r3LBO + resourceFieldRef: + containerName: B8G + divisor: "0" + resource: 3cRQ + secretKeyRef: + key: nQtb + name: B8Snqwl0U0 + optional: true +extraEnvFrom: +- configMapRef: + name: C1P + optional: true + prefix: KcZH45pd2 + secretRef: + name: N7Yt + optional: true +extraVolumeMounts: +- mountPath: twfjF9 + mountPropagation: ȶ唗蠤S柋ɖȈƻ + name: MMcC8 + subPath: UwT0sYVo + subPathExpr: 9ugOBQ +- mountPath: 6cj + mountPropagation: "" + name: 3iQ + subPath: SaQ + subPathExpr: QQI +extraVolumes: +- name: xbuLqNQHFY +fullnameOverride: ADIhC +image: + pullPolicy: '|í' + registry: CIzpk + repository: O + tag: F +imagePullSecrets: +- name: Yi +- name: 6XnEhUN +- name: oeoW +ingress: + annotations: + "8": SeJ + className: PHr + enabled: true + hosts: + - host: PXAcFs520n + paths: + - path: 1uGP0 + pathType: dWpX + - path: hAH + pathType: LjzFf + - path: 7Qy + pathType: vjB + - host: z9QAJ5 + - host: "" + paths: + - path: Hc0IpaX + pathType: bc0T + - path: dzn1ldJ5h + pathType: M +initContainers: + extraInitContainers: 7DdMwNg +livenessProbe: + exec: + command: + - XRPuLpEO + - nplEP2IP3 + - 9jrKdj2 + failureThreshold: 1516033986 + grpc: + port: -531236004 + service: 11bsOMf + httpGet: + host: 9PMyxMco + path: RI3zx + port: -2029405965 + scheme: G隠Ī:ŁuƠ禲oŇO鿈Ⱥȡ + initialDelaySeconds: 1774510914 + periodSeconds: 1308551645 + successThreshold: 752675362 + terminationGracePeriodSeconds: 8661862683503969755 + timeoutSeconds: 437106483 +nameOverride: u2r6 +nodeSelector: + CrYMUu1pg: "" + ftZ: dKqEwc + pNPla: Cc +podAnnotations: + dApB5noz: fJm84 +podLabels: + 9c2: 3fwyB6m1 + MyocWENxGGa: TrRadg +podSecurityContext: + fsGroup: 5618615494228351604 + fsGroupChangePolicy: ʩrXù济延唇ė袡 ʊ + runAsGroup: -3861060047548570674 + runAsNonRoot: false + runAsUser: 3602747950735365650 + supplementalGroups: + - -5665823160677538937 + - 2942720231280319982 + - -7811581565559124250 + sysctls: + - name: X + value: sWo + - name: MI521Dolo + value: ETgcRWsr + - name: 4gVCXpSch + value: csKV +priorityClassName: U7wS +readinessProbe: + exec: + command: + - cYKp + - vP + failureThreshold: 670800660 + grpc: + port: 1721771977 + service: y69H + httpGet: + host: mtLvsm + path: hd4c + port: 326683785 + scheme: X½鼅餕嚶渭闬脮ƧŗŠ#7êk.] + initialDelaySeconds: 713201976 + periodSeconds: 1611391820 + successThreshold: 604905966 + terminationGracePeriodSeconds: 8452879830155323173 + timeoutSeconds: 981065048 +replicaCount: 471 +resources: + limits: + avG: "0" + q: "0" + w8p: "0" + requests: + AZ: "0" + fGW: "0" + vom84xUd0: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: 41x + name: HHI4WeIS + kafka: + awsMskIamSecretKey: vvbXmwn + protobufGitBasicAuthPassword: uJNU2 + saslPassword: 1wgp7riu8 + schemaRegistryPassword: nKfA7t + schemaRegistryTlsCa: dsi + schemaRegistryTlsCert: 85xiT + schemaRegistryTlsKey: "1e0" + tlsCa: hEe0gyNOx + tlsCert: "" + tlsPassphrase: Jktiu0 + login: + github: + clientSecret: BDnf + personalAccessToken: MrWfu + google: + clientSecret: tkAac + groupsServiceAccount: w6hg3 + jwtSecret: zpS + oidc: + clientSecret: d + okta: + clientSecret: "" + directoryApiToken: a + redpanda: + adminApi: + password: raQeh15W + tlsCa: Ax453qH + tlsCert: 5cvfDAz7XB + tlsKey: ve +securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - Ȏ煣+ȗ爸詤rȱoCö:踕v;D'茈% + - 斉 + - 劝 + drop: + - 6儌 + privileged: false + procMount: G + readOnlyRootFilesystem: true + runAsGroup: 6433461052261949548 + runAsNonRoot: false + runAsUser: -8726272423258831483 +service: + nodePort: 150 + port: 226 + targetPort: 87 + type: At +serviceAccount: + automountServiceAccountToken: true + create: true + name: ItYso +strategy: + rollingUpdate: {} + type: 匏ǛǢ²Ƴ屣EǙ9Gʡy +tests: + enabled: true +topologySpreadConstraints: +- labelSelector: {} + matchLabelKeys: + - ImKkR6l + - oUu1w + maxSkew: 373901521 + minDomains: -938191316 + nodeAffinityPolicy: "" + nodeTaintsPolicy: 梄焑ȅƗH + topologyKey: Mh1K + whenUnsatisfiable: CǑ庬Kf鄊珪t忒訾Ɗ壚pv餲(ɯŕT铈藘SȂ臏閏@ȗ云Ȧ + weight: -1530606902 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: R8 + operator: 茔íȟÁ嗮敚S顕DZ躨ijȱ厎ɬɏl蜶拼 + values: + - PRc + - svCs + - key: LBaaOWdWW + operator: 0ŧĸ荕fR焌禗#ȰȶŁA + values: + - G0FXBn + - IpnG + - NM8oL + matchLabels: + lrB: NtdoEuXoTr2r + y1BSzp: ivK7CU + matchLabelKeys: + - 6ZNJrk5JxOHW + - B9Q + mismatchLabelKeys: + - "48" + - nm1WD5nM + - vLqhDh + namespaceSelector: + matchExpressions: + - key: GF6EQ8mKus + operator: B"(ň枣<吰檰戱R&狅Ɍ鋋Ļ飮 + values: + - f0plBpNy + - Gzl + - key: x4 + operator: Dz謶ʮ_ūKNdv· 壼×z朤 + values: + - zo + namespaces: + - QMv + topologyKey: r1z + weight: 1950038583 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: x3pdwI + operator: ǿLȴ8涣ÎƶǛ醌Õ纺網(đ倠樓纗Ǯg + values: + - xJlJ3H5 + - iza5 + - 4rszgB8v9aH + - key: 9j5f + operator: ǘ賊ƾA迌磡m摾烊 + values: + - EMECS8f + - oveu + - He + matchLabelKeys: + - 33y4E5v + - 5XIM + - "" + mismatchLabelKeys: + - 37I + - a02Re + - GVqKNcGgl + namespaceSelector: + matchExpressions: + - key: Rtiwm + operator: 萱J矻軚fC + matchLabels: + 8ipw: G + JwDA: 8EVkJ + oiQ2p: mYGgaz + topologyKey: 5l6PI + weight: -1824427504 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: "" + operator: 晑2%·QHVJTM錈 + values: + - CTU + - X5a + matchLabels: + WdJU6: I + bN: "" + uoTcuu: w1Y3yLW2rz + matchLabelKeys: + - O80Pf1RfMp + - WRJOT6B + mismatchLabelKeys: + - "" + - "6" + - nwQikpclV + namespaceSelector: + matchExpressions: + - key: CNaHfk + operator: 蕵Qmƀʁ6鲿)żȯ+ɩ玙9 + values: + - OuxZv + - key: dS + operator: 炧踮P-.壨ġ + values: + - 6ZJp7y + - key: jiLGGAQ + operator: 蟾Ɵ餌|ƨ綁訲bǝɋ圼 + values: + - mQ + - Fk3eA81t + - YR3WT + topologyKey: "5" + weight: 1634860618 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: "" + operator: (冁粄Ƴ\Ē4ǀ9峖樾t燠熂鷸ȿź蛼* + values: + - fnrA + - g + - gptz8 + - key: 4Hue + operator: oğ魀Ʌ¦榴 + values: + - InPtpb + - rxTpo + - HXnghAhWU1 + - key: EE2p + operator: á儬倏qȼ療ƚ + matchLabels: + YvCi: 1Tg + oLQ9OhyY: pFYpYKV + matchLabelKeys: + - J7 + - VR5 + namespaceSelector: + matchExpressions: + - key: cwgATYQvdj + operator: ÷Zá磋舫棹瑗-神ĕ嘟泦猵 + matchLabels: + Inz: BpiLQXOvEh + topologyKey: 5sHov5x + - labelSelector: + matchExpressions: + - key: vLI2 + operator: 歑ūĿɒ + values: + - FiQIMCFX2 + - vqhAaV5N7 + matchLabels: + 6DNwSiVsen: 1fRK + V: 3L49A8YEn + matchLabelKeys: + - K0sPcZWy + - fqn0luLnrF + - "" + namespaceSelector: + matchLabels: + O9bMG: CvBa11UI9OL + cm56v: Z83nkLc + gLJIEvg5: tUJq + namespaces: + - yP + topologyKey: 3RN + - labelSelector: {} + matchLabelKeys: + - vMX6FV1t + - vP + - TU8VLc + mismatchLabelKeys: + - ZAaEBYk + - Y0F4V0C + namespaceSelector: {} + namespaces: + - LwoHgQ + - qAJ + topologyKey: "0" + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: afwQ + operator: X(^Ȓ蘘}例 + values: + - 2ak8Yfa6P + - key: T4 + operator: ȵë_-Òŝ/c諒M攕窸 + values: + - Vktm + - trH51Z3 + - key: in74thKl + operator: HþČ謼ijƉË + values: + - NK2D3 + - NUsncshnv + - YDiqn6 + matchLabels: + T1: "" + nQFxJe: tdqf + matchLabelKeys: + - KI + - 6LjhIKmlnlhpI + - 88DArl53wb + mismatchLabelKeys: + - Bn30p + - zjq + namespaceSelector: {} + topologyKey: LrLYm2oYCgO + weight: -1318876164 + - podAffinityTerm: + labelSelector: + matchLabels: + T837hItO1qv: mCNMYnPq + gDh4Dxx2O: JUZxy4z + matchLabelKeys: + - sTn + - 4nu + - CSgSC + namespaceSelector: + matchExpressions: + - key: A5z + operator: "" + values: + - PJ6Zh + - S + - key: VufLBVvFECvIW + operator: ʝcƘʣ]筍ġ0Ğ鎏£<艻錯瀢 + values: + - tz64EN + - i + - key: 8Q2s + operator: E1戠天:ɺ勎sȸɾ + matchLabels: + XTI: 7cIZ + jpH49wkR: D5u5c + namespaces: + - XyGPkW + - CERSWYSVu + - Ms80R + topologyKey: 57PFRYX + weight: -1558645933 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: ZGO5iRhr + operator: 堭ŷz + values: + - IfLuRt6FZf7 + - 03fn3j1 + - key: HL + operator: M螎õ}shƏ檅葜0<瘼Ɗț夡J偦ʆ + values: + - "96" + - 4uInca + - KsWaAE + - key: nKr + operator: ʋƲ~uè蟪ʗƁʬȌ势ȃVÄ穵Ą + matchLabels: + DVRktk1U: 1XFlhcXH + matchLabelKeys: + - kJMI + - Js8qeQ + mismatchLabelKeys: + - lnn1G + - A4nlWqCrE3 + - BzU + namespaceSelector: + matchExpressions: + - key: "" + operator: ɍįmŐ冹?E蹣ƋH肥=ɭuR訷$ + values: + - faDMJv + - b0VUPX + - lOsWCl + - key: 7iy + operator: 0:H碼\b黵禧鐃 + - key: nbn + operator: 疬厼掚Ƿ蛬ƞÜ9懎拖ų洜 + values: + - byjrbi + - RqfcIc + - dLaAUt + topologyKey: BUfQ +annotations: + He: OemFaO9 + QE5O: 6CBP +automountServiceAccountToken: false +autoscaling: + enabled: false + maxReplicas: 400 + minReplicas: 455 + targetCPUUtilizationPercentage: 64 + targetMemoryUtilizationPercentage: 472 +configmap: + create: true +console: + roleBindings: + - zn: null + - WCQKaiaj: null + py: null + roles: + - {} +deployment: + create: false +enterprise: + licenseSecretRef: + key: 4F + name: k +extraEnv: +- name: fqLRMsbtI + value: VzzHe + valueFrom: + configMapKeyRef: + key: "" + name: 1au8QkGsYcK + optional: true + fieldRef: + apiVersion: "38" + fieldPath: rM + resourceFieldRef: + containerName: Moz + divisor: "0" + resource: V + secretKeyRef: + key: IQ7AC3i60u + name: BCb + optional: false +extraEnvFrom: +- configMapRef: + name: twq36B + optional: false + secretRef: + name: OLKXh + optional: true +- configMapRef: + name: Pyr + optional: true + prefix: nyu + secretRef: + name: HDmfly7EP + optional: true +- configMapRef: + name: 2TmUL8GD + optional: false + prefix: R5 + secretRef: + name: TyS + optional: false +extraVolumeMounts: +- mountPath: 4zQSAo1Lj + mountPropagation: 檛ȂWg + name: eeS + subPath: iaw3G + subPathExpr: N02q4 +extraVolumes: +- name: "" +fullnameOverride: j1dUk8TGy8Np +image: + pullPolicy: 谝鞛榜ɸ暐ɸ刀x喋 + registry: zi + repository: MTSoVvJ + tag: a25lJOfGpG +imagePullSecrets: +- name: OlRQO +- name: Hkuk3 +- name: fP +ingress: + annotations: + ADJxl: n5EK4WzM0 + M: Zoud6 + eWXUqq: "" + className: "27" + enabled: false + hosts: + - host: 6PclZ7Q + paths: + - path: RqbF29XX + pathType: WB + - path: npV1GL + pathType: zxvm + tls: + - secretName: Q + - hosts: + - EvjYI + secretName: gRDta + - hosts: + - zlgJP1 + - g367Bgr1 + secretName: eQ +initContainers: + extraInitContainers: d5lM +livenessProbe: + exec: + command: + - S + - eqi + failureThreshold: -574948042 + grpc: + port: -653621031 + service: ir + httpGet: + host: qboin0qudh2Y + path: 4jFbHK + port: 9APWoaII + scheme: ćdž埭]KU + initialDelaySeconds: 1217073146 + periodSeconds: 2084735603 + successThreshold: -1091703574 + terminationGracePeriodSeconds: -4975007928507132892 + timeoutSeconds: -203727359 +nameOverride: ld +podAnnotations: + Scdn: fLH1yCm + lCp: Hi +podLabels: + 6AmpBMD: yDh + lPb: vi6tx4 + u: Vai7 +podSecurityContext: + fsGroup: -4268923634359973318 + fsGroupChangePolicy: 椶'ɏ4Ŝʘþf¸ǚļţRď0 + runAsGroup: -5513988494785819878 + runAsNonRoot: true + runAsUser: 3348050323720255791 + supplementalGroups: + - -9211346208910065015 +priorityClassName: 89gnK9rXyDXui +readinessProbe: + exec: + command: + - WCCn1 + failureThreshold: 1866953941 + grpc: + port: -978078521 + service: Gk8q + httpGet: + host: 4aDbYIp + path: sFssnZ8D + port: b9TEE2n + scheme: n8鞘呷2ef嫰髡箩棔螇džNj雤 + initialDelaySeconds: -1624688782 + periodSeconds: -231284043 + successThreshold: 1609785496 + terminationGracePeriodSeconds: -564252460349465292 + timeoutSeconds: 767134266 +replicaCount: 444 +resources: + limits: + wjrESvfqh: "0" + requests: + fSPJBFEwK58: "0" + j: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: iKQ6Nz + name: OD68lA + kafka: + awsMskIamSecretKey: "" + protobufGitBasicAuthPassword: GKaL + saslPassword: J6S + schemaRegistryPassword: 8PuilRN + schemaRegistryTlsCa: "" + schemaRegistryTlsCert: "" + schemaRegistryTlsKey: LsoxQcg + tlsCa: rGkjDT + tlsCert: gzs + tlsPassphrase: "70" + login: + github: + clientSecret: BGgKCBXeA + personalAccessToken: S + google: + clientSecret: KQXew + groupsServiceAccount: Ll + jwtSecret: 95jKDcdtX + oidc: + clientSecret: "" + okta: + clientSecret: b + directoryApiToken: "" + redpanda: + adminApi: + password: y2jU08n6KI + tlsCa: 6YyBT + tlsCert: ZkxE + tlsKey: MpUTYb4y +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - Ƹłš硇¹,9菧ȉŪ転Ǹï7ĭɜ + privileged: false + procMount: 榷ŋĦƨÈ俟ţUȫ桊fLŊƐbƼɤ襐 + readOnlyRootFilesystem: true + runAsGroup: 2134851813508950156 + runAsNonRoot: false + runAsUser: 1677623433130194771 +service: + nodePort: 470 + port: 46 + targetPort: 43 + type: uqFB +serviceAccount: + automountServiceAccountToken: true + create: true + name: fP77cJ3T +strategy: + rollingUpdate: {} + type: '>Ƒ梚ǩ' +tests: + enabled: true +topologySpreadConstraints: +- labelSelector: + matchLabels: + IoAy: C6rMwI0 + eM8D7JD5PJ: "n" + lFmG: gJ3l + maxSkew: 839777044 + minDomains: -1438737093 + nodeAffinityPolicy: Ƭ氄ɿ[閾pʙ9 + nodeTaintsPolicy: j珙%!溌BN + topologyKey: 2GZ + whenUnsatisfiable: 屄ɧȄ +- labelSelector: + matchExpressions: + - key: UQkB4Vn + operator: D86i溨F'>亖÷ + values: + - pH + - LHgYM1W9 + - gO + matchLabels: + bw52WaG7: 5zm31oU + t99k: AF0 + matchLabelKeys: + - lkYaHo + - 4tzd + maxSkew: -1948819142 + minDomains: -1754532325 + nodeAffinityPolicy: 酝ʪ+彨緱Y塞雾}捋嗭0]ȰʤĖé横 + nodeTaintsPolicy: '#騅Ɵ$F圃拱鿎鵅xq' + topologyKey: z2NL + whenUnsatisfiable: uȤÝ酑 +-- case-039 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: OiH + operator: Eʤ#/7諨 + values: + - iYzfGpa4 + - PaMqxj5fj8 + - sWaI + - key: Pw + operator: Kw[o0鿚 + values: + - Gnm + matchFields: + - key: YO9QL + operator: ȏ网牙鍩橷潗D9騭ŗʈ求U縷讒Ƴ漏哟 + values: + - XV65fSG5o + weight: 144962453 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: p2uqgWn7p + operator: ǙmX窀ʄʙ婘m.Ƈ谱qŴĆ揿 + values: + - IQGwhE + - Hiut + - key: mrN9GbREak + operator: oʟ + values: + - GZkF1BV + matchLabels: + 8bOT0: pvv + VYd3OWm: 0gW5 + matchLabelKeys: + - thrYIp + namespaceSelector: + matchExpressions: + - key: sonam3I + operator: "" + values: + - a9M + - bM + - key: ZFAy + operator: yW揚ɻʖî床哲ɯǮ^DzǓ + - key: ZwHE + operator: sǍ逘璿Ǧ5u軟DZ鞏綇鏑Ɲ` + values: + - 1D6 + matchLabels: + MoK3: j4Rw + namespaces: + - yS + - F2VMFv + topologyKey: wNv3 + weight: -1334539094 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: Hp + operator: QɃ蒜§Ɩ5SyǸ鎧ȝ)ɒ獬v氮n兡Ĝ + values: + - "" + - y3ufRu75J + matchLabels: + Sbhb4LC: p + U1NMpjoLa: BC1D + eIgw: tBbWDRZ7j + mismatchLabelKeys: + - iWKlUgr + namespaceSelector: + matchExpressions: + - key: 9HkK + operator: ȃĕ送 + - key: P9rh1yxLN + operator: ŋľ&謮稠Ÿ珀胔俨ʎŰ + values: + - 16yHoCooS + - r3ym6YAoy + matchLabels: + PrnS8: K2h + namespaces: + - s + - US2hE + topologyKey: 5SbLzS + weight: 1219402233 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: 082AGo10x + operator: pȁij~搣ɢDĝ偩ʣȘ'oIʓ?憏圽U + - key: CXjEgRK + operator: 颭镃Ș蠮S闬耧涐²ǒ圡窽ǹ(ǁ + values: + - zIVWI7jXh + - HE8UDiZnhVG + - "" + matchLabels: + FRgh: MUBtKVc + iu: K3 + jV: 5jM + mismatchLabelKeys: + - h2 + namespaceSelector: + matchExpressions: + - key: "" + operator: mHɻȐĪ$ + values: + - GFueB + - 5prw02 + matchLabels: + KgBnfc: t9Hb4 + SxGw: 4qCJppj + h3m2: gRc + namespaces: + - 1maI + topologyKey: UCy + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: 08Q + operator: $鏪轟ſ俨+嬯呦ĄȕɓJp + matchLabels: + kSy3s8nE: Q0 + matchLabelKeys: + - bf0Tpn + - I + mismatchLabelKeys: + - 0Bm09lf + - P7 + - lyb2 + namespaceSelector: + matchExpressions: + - key: 6zTBp0G7 + operator: 氯¥+Dz睧勪娳Ƨ伮慒{ąɫ`瑛稃5绨 + values: + - 1YVGovQ + - bJ + - key: Cxm + operator: 芼 + topologyKey: f + - labelSelector: + matchExpressions: + - key: jNrAref + operator: 接ʼnĎ + values: + - N0 + - ZNwtHjxR + - key: 33k8BGf + operator: rĴr+qȩȃ休3Ȳȅ + values: + - "" + - E8yL4W + - 9anWnm + matchLabels: + WyV0Ct: 6BVL + vLUV: mvMLwn + matchLabelKeys: + - 9O + mismatchLabelKeys: + - CO + namespaceSelector: + matchExpressions: + - key: Jiyaq + operator: ɯ唺饓9 + values: + - qogYf + - key: UXg6 + operator: à! + values: + - phW2 + - BItew + - c09DZ9v + - key: hPhLpBwJ + operator: g«疻:糄Ś$q + namespaces: + - jAvA + - 0V6Uv6PU + - AOoh3 + topologyKey: d2QYa +annotations: + IJC774: 5hK + P1Py: YYAic7jN + REyW: 7LdLtJYMz +automountServiceAccountToken: false +autoscaling: + enabled: false + maxReplicas: 461 + minReplicas: 403 + targetCPUUtilizationPercentage: 297 + targetMemoryUtilizationPercentage: 161 +configmap: + create: true +console: + roleBindings: + - 6O4d: null + EY: null + oPTMvYGp: null +deployment: + create: false +enterprise: + licenseSecretRef: + key: KvJNskb5ptO + name: vVsE +extraContainers: +- args: + - fajfbgt + - 1XG4cARu + envFrom: + - configMapRef: + name: F5n + optional: false + prefix: Prg + secretRef: + name: vq2FHcobO + optional: false + - configMapRef: + name: Mfdidfx + optional: false + prefix: eggfGpU + secretRef: + name: gX5GT + optional: false + image: H + imagePullPolicy: 玣ɟ踣 + lifecycle: + postStart: + exec: + command: + - 5ABG2Ao + httpGet: + host: D4S2dPB + path: QCCIL6 + port: wu + scheme: eSÉĝ嶤ʮ牑 + sleep: + seconds: -6736232898620818377 + preStop: + exec: + command: + - "" + - 9oy + httpGet: + host: vIPKpEbM + path: l4HaTS9 + port: -180983347 + scheme: h儷#PX盩ʋÈ + sleep: + seconds: -3654571329064470871 + livenessProbe: + exec: + command: + - zGWiFCpvJyG + - 2A + failureThreshold: 130427535 + grpc: + port: -458689504 + service: keBJI3 + httpGet: + host: fkJ + path: MFy2 + port: 1638404838 + scheme: ƵĜRóM螻作仄ĨgŋƷ蔶慅Ƹ + initialDelaySeconds: -1024094942 + periodSeconds: -1045387639 + successThreshold: 966241980 + terminationGracePeriodSeconds: 43907789703605006 + timeoutSeconds: -2115548430 + name: n65z1Le + ports: + - containerPort: -496460005 + hostIP: m9e0LZZ + hostPort: 557092727 + name: hG + protocol: 奀x儋韖ȃ嶍射擋- + readinessProbe: + exec: {} + failureThreshold: 1620135876 + grpc: + port: -1149097195 + service: 7KtLa + httpGet: + host: Mel9pu + path: J + port: Bl + scheme: 臹欔 + initialDelaySeconds: -750113074 + periodSeconds: 820678693 + successThreshold: 1708685033 + terminationGracePeriodSeconds: 6351250062493105403 + timeoutSeconds: -89282235 + resizePolicy: + - resourceName: Cm2W + restartPolicy: o^Cǐɬ醒ÛQȌ帧圷孩Ą + - resourceName: jhEz4gNWQKP + restartPolicy: DV庴 + - resourceName: EgwUKXikbg + restartPolicy: 瑚 + resources: + limits: + 2jSTU8: "0" + 7OI: "0" + FIfseL: "0" + requests: + EPF86: "0" + GcwO1SNT: "0" + restartPolicy: '>Ǥ摔ȶ蘭ɘʜɩ' + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - J + - 8垺ŭihȸ£gJĠǐ!İ0 + - ƶ害Ƈ§孶邸 + drop: + - 龈PeęIJ傮ȅ溣E忬鮷蜆GÊ霌 + - þƢ^ + - RTmī07ý謐ɩ噎 + privileged: true + procMount: (朴頲碞!0¿搻ź)磑[哈YǓěNG$ + readOnlyRootFilesystem: false + runAsGroup: 3606686082741296584 + runAsNonRoot: true + runAsUser: -9076124251416402294 + startupProbe: + exec: {} + failureThreshold: -2038237600 + grpc: + port: -992723564 + service: bMQIm4Y6fY + httpGet: + host: w0Z6WQWwn + path: Kw + port: KdZFUIvpm + scheme: L媰 + initialDelaySeconds: 266050830 + periodSeconds: -879749840 + successThreshold: 1098563171 + terminationGracePeriodSeconds: -3577990655544091297 + timeoutSeconds: -838391922 + stdinOnce: true + terminationMessagePath: bh7 + terminationMessagePolicy: 餔Ŵ婜 + tty: true + volumeDevices: + - devicePath: 5EA9lR0y + name: wCP0dl2Uf + - devicePath: IKOQwmn + name: connmB4Ve + - devicePath: hssHEiwb + name: vP68uD + volumeMounts: + - mountPath: 9Yvkg + mountPropagation: Q众XM娪08菫 + name: XP + readOnly: true + subPath: Mk + subPathExpr: LV + - mountPath: 381fE + mountPropagation: ǚ钍jǍŏh濢n1ŕǼ姕ŗđċCʏ(漇 + name: 4prce + subPath: tvkrRPN + subPathExpr: Otc + workingDir: D4 +extraEnvFrom: +- configMapRef: + name: zdN8iNs1e + optional: true + prefix: z + secretRef: + name: tGw + optional: false +- configMapRef: + name: qRSvRtA6 + optional: false + prefix: dE0dDLvy + secretRef: + name: m + optional: false +extraVolumeMounts: +- mountPath: nTxUyaL + mountPropagation: "" + name: cwkJrEER + readOnly: true + subPath: FKU9h + subPathExpr: 12vLerk +- mountPath: DuUpWysEh2r + mountPropagation: IƏ + name: YlcuH + readOnly: true + subPath: 1faJ4ypp7 + subPathExpr: ZDct +extraVolumes: +- name: bdnliW +- name: Tr +- name: cd +fullnameOverride: bbshm +image: + pullPolicy: ɴ烚庻阐狘:ŭ(M$tY炜ī崞Ž + registry: QxUvz + repository: Gr + tag: hrAYj1i +imagePullSecrets: +- name: MTOK84IL +- name: YAl +ingress: + className: qyKUEOUT4u + enabled: true + tls: + - hosts: + - F7m23 + - "7" + secretName: M +initContainers: + extraInitContainers: aSeq42klM +livenessProbe: + exec: + command: + - ajpIBjdV + failureThreshold: -1650923727 + grpc: + port: -598400902 + service: NoUl1T + httpGet: + host: "1" + path: T + port: -1011339684 + initialDelaySeconds: -1047122153 + periodSeconds: 300714247 + successThreshold: 1660165948 + terminationGracePeriodSeconds: -6817463041894309382 + timeoutSeconds: 497385152 +nameOverride: o2F37Lr +nodeSelector: + Md8w5MD: cTipUm6 + Y31W: uQ5xyo +podAnnotations: + 5oGD5: wKq + Qi815eSQdI7wJ: SwgPh + vAJU: z +podSecurityContext: + fsGroup: -1210907643611065698 + fsGroupChangePolicy: IJ鄔ȫ荪癓椥%k矜椒ʊ0宻lƑɜIɇ + runAsGroup: -4059110951032458810 + runAsNonRoot: false + runAsUser: -6169453912741831517 + supplementalGroups: + - 5292690601828357137 + sysctls: + - name: xY9WN + value: JL + - name: v7R + value: q1nexB5KTD3SE + - name: PN + value: neE5ismaY +priorityClassName: aDlP +readinessProbe: + exec: + command: + - 2xO + - BlUV + failureThreshold: -2130189853 + grpc: + port: 996585883 + service: qWavRHqQOBBP + httpGet: + host: U + path: MJdmT7Y + port: aujUU + scheme: ¹Ť碏譽> + initialDelaySeconds: -781516024 + periodSeconds: 241739148 + successThreshold: 912206192 + terminationGracePeriodSeconds: 1472699093368179429 + timeoutSeconds: -1948646722 +replicaCount: 122 +resources: + limits: + g51: "0" + requests: + Wd: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: PXlML + name: 1ZXP + kafka: + awsMskIamSecretKey: Q8ZB + protobufGitBasicAuthPassword: 6x8Cv + saslPassword: kPhPSQWJJ + schemaRegistryPassword: JK + schemaRegistryTlsCa: SnQ + schemaRegistryTlsCert: nrxxx8 + schemaRegistryTlsKey: aizaszl + tlsCa: tKnCvE97 + tlsCert: XQGOjdnSY + tlsPassphrase: UIS + login: + github: + clientSecret: RAo + personalAccessToken: YJtxt19kpv + google: + clientSecret: V0kmwLq + groupsServiceAccount: AaiW + jwtSecret: FGWF3nXjDA4 + oidc: + clientSecret: rnv + okta: + clientSecret: ZE5mxhO6s + directoryApiToken: 7z + redpanda: + adminApi: + password: YwKgntj3 + tlsCa: ywmMdJU + tlsCert: OK6C5sNI0 + tlsKey: eNdF9knNN +secretMounts: +- defaultMode: 368 + name: GaEvNh0Ifo + path: 8c1 + secretName: "" +- defaultMode: 412 + name: Dy8Ef + path: X2Ct + secretName: QRQFk +- defaultMode: 211 + name: cLEkHy + path: alMc11eGER + secretName: 8miR +securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ƕE仍腽ʨLJ甴Z´:涟 + - mŠ'菴h饘ǦŃ2 + privileged: false + procMount: 麤绊噃ȳ{ɚƪ秥ȧG + readOnlyRootFilesystem: false + runAsGroup: -8188439767627968973 + runAsNonRoot: true + runAsUser: 2990782549155496077 +service: + annotations: + 4yhZo: zLVEslN + Amz4VM: QAvK + IPCS: b1R + nodePort: 233 + port: 400 + targetPort: 329 + type: dPOD9Kzb +serviceAccount: + annotations: + PPZDrdmxKV: UBjiSx + automountServiceAccountToken: false + create: true + name: 8s2qVhKEW +strategy: + rollingUpdate: {} + type: '!蘃«2狺čH' +tests: + enabled: false +topologySpreadConstraints: +- labelSelector: + matchExpressions: + - key: K98063hAMXd + operator: 閃ŘDZƳwųA旰C汔§挦塳¹@ē + matchLabels: + y9: GJEjaj + matchLabelKeys: + - 4xZpqk + maxSkew: -659297182 + minDomains: 1124395321 + nodeAffinityPolicy: ʬC8 + nodeTaintsPolicy: 鱯禓瞝 + topologyKey: mq + whenUnsatisfiable: A´ʕɭNÀȜ龎q擞u貒槂轌v +- labelSelector: + matchExpressions: + - key: Yd + operator: "" + values: + - dCWo2pjVuA + - hl8G3Kp + - M + - key: VYxo + operator: _k?Ř + matchLabels: + 3kRK: xOzJ6 + KUwsC: FN5bAqvV + QPay: w0lIH + matchLabelKeys: + - gkJFY + maxSkew: 501038978 + minDomains: -2011840701 + nodeAffinityPolicy: Łdz倾僚ʒ屆9ÐE釤Ŏo + nodeTaintsPolicy: Ǩʖ#Ŭǧ¦Ûũ°啑 + topologyKey: JCJYk4 + whenUnsatisfiable: 暛ūZɆǗ絜皼bȇĀ簁搿WXƪçɗÁ +- labelSelector: + matchExpressions: + - key: gyZMV + operator: ƲƬ釒橙ȋ齸鑝鷳ĔǸɊZ聻趁õÈc + matchLabels: + T1YT: SJYt + W: ZaF + WdGxif: 3EKPjb9 + matchLabelKeys: + - ukD8HM + - mD + - Z + maxSkew: 1774410820 + minDomains: 36391976 + nodeAffinityPolicy: "" + nodeTaintsPolicy: ŵɎļ%鋏[ʞô + topologyKey: oGrtNcnUje + whenUnsatisfiable: ƓǪĈɏ荥蟗Ș鉢A +-- case-040 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: 7RRFnuao + operator: 鑿梞e璺瀧敢tȱ + - key: 3qz030r9N4 + operator: 脟óȨq駥Ƽx垤R$L + - key: 4egJ + operator: 敕ƒ洀ņ+Ō轲C丼Ʒij.ƾ蚯ƺ痻3皆咒 + values: + - "" + - J66saNw8 + - xBRUfDKhiA + matchFields: + - key: Kgp4qFm + operator: 桋iz<ïŃǃ襶D齿 + - key: 7F + operator: "" + values: + - iquNT + - aFPIw + - lYMJn4Un3 + weight: -954635927 + - preference: + matchExpressions: + - key: ePHgEs + operator: 撹ł + weight: -2109244754 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gK + operator: 垭ʮȌ)"彛 + values: + - Vvo + - "" + - key: n0 + operator: 挪VɱȒ + values: + - 595ST + - sHQoTQgQ + - ZyYxnGB + matchFields: + - key: "8" + operator: 餒ơ鋦r)锟壃m汇 + values: + - H8 + - matchExpressions: + - key: nErJm + operator: Ûɟ敀淽 + values: + - sbjW + - 1l + - go + matchFields: + - key: ozzkD4D + operator: Ʌ\h崭蠒ȓ旉蹖楚_掁S5 + values: + - NrN0Id15O + - VrahPz + - YJfhO + - {} + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: qiGNj + operator: jƯȨ穞ɿPȧ + - key: HPRR + operator: ž8ƃKKDz蠽ƚ0ƻ + values: + - NAx + - Pr2F + matchLabels: + LY: ZRjD + matchLabelKeys: + - ikCO + - n25 + - IY0AqNStYm + mismatchLabelKeys: + - uO6G + - EFKfLOM0 + namespaceSelector: + matchExpressions: + - key: frBwUGG + operator: ǧ啯ʖ6džȡ衺Z莋æȘzv + values: + - 68q + - PrId4k5Nk + - 1Izg6c + - key: H5neR + operator: "" + values: + - gf2 + - "" + - key: LTEiVQV + operator: ʅďl$y韙bO儺e籾吕ŃV + values: + - LccIflVn3 + - QX + - kRZLtn + matchLabels: + lccn5: lx6 + topologyKey: AE + - labelSelector: + matchExpressions: + - key: ljGag0 + operator: "" + values: + - 3AlcF9eOiK + - key: XPoIj + operator: ĻĵN稙²x鸴ʊ + - key: "" + operator: m[ɻD«ʯĢĥɖHÃú锺N蓍!f + values: + - cwRFs + - wJtpMgyV1I + matchLabels: + 6gzmw2BW: v1eC + QI6Gl: Ckzyw0v + uRw21: 36kl + mismatchLabelKeys: + - XiX9Mrhv + - Xk2Ri + namespaceSelector: + matchExpressions: + - key: Roq9G + operator: 槓G{? + values: + - YCBJEhS + matchLabels: + 9X5C: TU1y + PG1k: 8j76iX8R + iYq9QLUSh3bk: Mvl2WRQ + namespaces: + - Pp + - z1O9mW5rB + topologyKey: U + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: pqtCgWlk + operator: eŭñZ) + values: + - 6eUrtsX + - GmGeP7 + - pBhe0 + - key: gctw + operator: L?岤紎!蠾黅誽帯÷Ʉ坏q + values: + - G + - "" + - "" + matchLabelKeys: + - IGYc + mismatchLabelKeys: + - C + - XlxD2Y5h + - Eut + namespaceSelector: + matchExpressions: + - key: QNvJq6Uc + operator: Ǔƀ閝遨垛簙UdĢ7ȍ騽¹DŽ + values: + - m4wq + - TmuqVB1 + - key: PTVC + operator: 珙'ɀɒ虃龓楼ƺ譄êǿ + values: + - w + - K + matchLabels: + GQp: tw + namespaces: + - t + topologyKey: I9Ng7D + weight: -278680619 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: IaZiqfV6 + operator: 幋x:Ȗ + values: + - XmaYG80 + - aaEScB + - DxB + matchLabels: + J3Ny9zUJ2DOTKO: eiUL0RR + lt: bqOs + matchLabelKeys: + - XYHp1S + - JKj1 + namespaceSelector: + matchLabels: + WopugltEP1J: eaGpkiS + namespaces: + - H9w9Q + - A8D + topologyKey: pvkKW + weight: 252280673 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: lSi + operator: 襚ǫAŇþ腦W[ĕ嘱ʌſœɃ槏Z岪 + matchLabels: + OzmceOBQ: F2mtk + QcoH: qt3OR6ZcjY + t5Cqg1: 1x9WW8EUyyn + matchLabelKeys: + - 0XGJ + mismatchLabelKeys: + - K6T + namespaceSelector: + matchExpressions: + - key: KoofEA + operator: ' íɀ馩Ȭɫġo娤螗暴Û漷ʦO腔' + values: + - nj + - U + - onkfJ4 + - key: 0aO + operator: Ŷű輖+¶)罩ƌ×螂 + matchLabels: + 2hf: GeFfROs4 + pA23: kqkG + rZ: DH6cT + namespaces: + - yvfsu + - L3Pu + topologyKey: BBBCjZel + weight: 392487334 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + 0hp: sd9 + mwTeR: D3HlJbmoK8 + matchLabelKeys: + - MwDkniC + - "" + mismatchLabelKeys: + - VuQB + namespaceSelector: + matchLabels: + 1x: Pj + D3J: 4gFps + bQU: weT0tI + namespaces: + - y9zrYKWApO + - rq0K3 + - 5XUeP7 + topologyKey: P7V + - labelSelector: + matchExpressions: + - key: Jv + operator: 啽ŃŐø + matchLabelKeys: + - s + namespaceSelector: + matchExpressions: + - key: Fy5Deb + operator: 旉錛!荕Ɂ! + values: + - nbiy + - "" + - 6QORDbd6zn + matchLabels: + bba0KJ: NE1j + nYif5xu0Hy9XW: 0s + qAoT: "46" + namespaces: + - 4JHyx + topologyKey: 7621t +automountServiceAccountToken: false +autoscaling: + enabled: false + maxReplicas: 470 + minReplicas: 361 + targetCPUUtilizationPercentage: 160 + targetMemoryUtilizationPercentage: 475 +commonLabels: + X: zjmrl + "Y": yG0 +configmap: + create: true +console: {} +deployment: + create: true +enterprise: + licenseSecretRef: + key: a7Ph + name: zsHNWVcS9 +extraContainers: +- args: + - jlI16Xnnb0 + - x0Z + - Tv6z + command: + - 3MnkZe0L + - OK + - cKvaGI + env: + - name: 7RtgX9 + value: TQH + valueFrom: + configMapKeyRef: + key: "" + name: GE2 + optional: false + fieldRef: + apiVersion: x2H + fieldPath: iVYVzT + resourceFieldRef: + containerName: 3QSG + divisor: "0" + resource: AgMtPE + secretKeyRef: + key: BhGA6 + name: LKemd3Cs9 + optional: false + - name: 9dFxchX + value: huoZj + valueFrom: + configMapKeyRef: + key: skdmo + name: gSEkUx + optional: true + fieldRef: + apiVersion: ymAcwLzaJ00G + fieldPath: de9Q + resourceFieldRef: + containerName: ZgwwQvA + divisor: "0" + resource: OTraA + secretKeyRef: + key: Pe8 + name: 39mCZV7ERv + optional: true + envFrom: + - configMapRef: + name: l + optional: false + prefix: kGdnbCakM + secretRef: + name: JrDM + optional: true + - configMapRef: + name: 0iH67 + optional: true + prefix: 3JVMhcII7 + secretRef: + name: PS1J + optional: true + image: Bx3IW17kjF7 + imagePullPolicy: È8秏糇 + lifecycle: + postStart: + exec: {} + httpGet: + host: EeLx + path: JC + port: 638412697 + scheme: 翔ĩñɁɬj局³喪Eů磘Ʒ唡嬤 + sleep: + seconds: -2739564842418698030 + preStop: + exec: + command: + - zjNyV + - 3i + httpGet: + host: RxhMCXQN + path: Dq + port: -821303664 + scheme: 髒xD>?ǠĆ踃w¬ + sleep: + seconds: 8925361607851382825 + livenessProbe: + exec: {} + failureThreshold: -2015695369 + grpc: + port: 102189788 + service: VG2k6Atq + httpGet: + host: 0dxm + path: Pix7SytH + port: 284583441 + scheme: 畝ǂƬƜ聞|b + initialDelaySeconds: 1150668189 + periodSeconds: 1279412097 + successThreshold: 337444728 + terminationGracePeriodSeconds: -665826210809930777 + timeoutSeconds: -802810999 + name: 1KSo0a + readinessProbe: + exec: + command: + - 3cCL4 + - en + - VN0 + failureThreshold: 448729232 + grpc: + port: -174942651 + service: paUcCUtV8A6 + httpGet: + host: tSEChhvGgDsf + path: Jrr + port: 516172996 + scheme: c{Ƭ臾斡:Ɣ?Í + initialDelaySeconds: -714126900 + periodSeconds: -88316167 + successThreshold: -1820867160 + terminationGracePeriodSeconds: 272130190949654337 + timeoutSeconds: 1803351679 + resources: + limits: + f9GQWFTKPFP: "0" + g5: "0" + requests: + 4A89zLoFG: "0" + SmOBH: "0" + restartPolicy: Ű高ǙG%7BČCaďʥyď + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - H鞕ă鶅镀秀 + - Ŏ昮0yƤɯ斺R妕Je芓BɜCĵ + privileged: false + procMount: ÿʑ鎆乭cŇ陛ǼȠn + readOnlyRootFilesystem: true + runAsGroup: 5591360478943231672 + runAsNonRoot: false + runAsUser: 6381588597473822835 + startupProbe: + exec: + command: + - rV83LKQ + - 87Vc + failureThreshold: -2022114361 + grpc: + port: 1348736621 + service: Gx8f9phR + httpGet: + host: fWnW4CGV + path: yQl0PNEE3g + port: TYi + scheme: 絅xn,ȵ6ʎ癙 + initialDelaySeconds: 205090742 + periodSeconds: -1401542741 + successThreshold: -2130268569 + terminationGracePeriodSeconds: 4104437343850793050 + timeoutSeconds: 604054255 + terminationMessagePath: ec8kHaD + terminationMessagePolicy: 甎i + tty: true + volumeDevices: + - devicePath: NFjF + name: AH + - devicePath: "" + name: u + - devicePath: 0q6A + name: nFe3FY4 + volumeMounts: + - mountPath: ad7JXhGN + mountPropagation: =廄殞+ + name: qVHWCUHp + readOnly: true + subPath: m3RBekA0 + subPathExpr: 7F0F8Ge + workingDir: LmnqIVV +- args: + - 3g94Jb + - "n" + - HxatWli7Qe + env: + - name: yKfn + value: fni0 + valueFrom: + configMapKeyRef: + key: cQjxg02ud + name: DqLUCO + optional: false + fieldRef: + apiVersion: dS + fieldPath: aH + resourceFieldRef: + containerName: BVSH2Bxu + divisor: "0" + resource: ZLW3 + secretKeyRef: + key: J + name: APYyG5qY + optional: false + - name: b4i9WEf + value: Ru + valueFrom: + configMapKeyRef: + key: mzxgZ + name: XgDd + optional: false + fieldRef: + apiVersion: U1l + fieldPath: sG2pcjz + resourceFieldRef: + containerName: Vlc1Ru + divisor: "0" + resource: hZpqB + secretKeyRef: + key: X0W3QpdAhux + name: I3L + optional: true + envFrom: + - configMapRef: + name: DJjN7Phe + optional: true + prefix: 4K2MBzNl + secretRef: + name: s4GF + optional: true + - configMapRef: + name: td0aZ + optional: true + prefix: CYvFW + secretRef: + name: WaBWGCRa8 + optional: true + - configMapRef: + name: ehHs9m + optional: false + prefix: n1x + secretRef: + name: TdUJ + optional: true + image: UNJ6E6 + imagePullPolicy: 砓³绔丬A + lifecycle: + postStart: + exec: + command: + - Qs8Sd + - JGX4Qj + - eCw00uq + httpGet: + host: NNLSd + path: y4tS + port: QzOfwe3a + scheme: º猗ĥɮƅLɘ隮术ƒ赥;,ǝ髳Ĝ7Ĭ嬳 + sleep: + seconds: 1170469124057922158 + preStop: + exec: + command: + - TN62uDLAuIx + - ndI + httpGet: + host: t7H6l2 + port: RHeYpAvJ8 + scheme: KǠɀƴ杔¸Ɉ$毕削peýfv! + sleep: + seconds: -5232306180460338099 + livenessProbe: + exec: {} + failureThreshold: -1900233123 + grpc: + port: -1323381498 + service: wJ + httpGet: + host: pAHsn3 + path: k31zW1 + port: 2elbrK + scheme: 痯秿丌 + initialDelaySeconds: 537756270 + periodSeconds: 1139432456 + successThreshold: -289377675 + terminationGracePeriodSeconds: -709025030374540888 + timeoutSeconds: 254134433 + name: zWs + readinessProbe: + exec: + command: + - x093a + - v1 + - Ef + failureThreshold: 75768089 + grpc: + port: -237977747 + service: "y" + httpGet: + host: EBEth + path: C + port: 790399211 + scheme: ær堹mhʢ + initialDelaySeconds: -157687184 + periodSeconds: 1071897332 + successThreshold: 824432298 + terminationGracePeriodSeconds: -54575953702939670 + timeoutSeconds: -1190752843 + resizePolicy: + - resourceName: R9fM + restartPolicy: ?ʖȒƅƀ逎v鐰wģ籫 + - resourceName: 7C + restartPolicy: óʌF鿯薸k} + - resourceName: Bqy + restartPolicy: E吻X秤} + resources: + limits: + UMJnobyO: "0" + qJmAwr: "0" + requests: + ZktW7e51vRUG: "0" + restartPolicy: '>ŀ鎙莸鼔茷蝼薼Ƽƅ°3貦罌臣洴軟處姼' + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - 儜vƝ¾ + - 輝Ġ$琑+檂 + - 飂 + privileged: false + procMount: ɓĎʙʗG0瑑娄K坢Ö&Ù + readOnlyRootFilesystem: true + runAsGroup: 2234167178876811137 + runAsNonRoot: true + runAsUser: -1191472066985646967 + startupProbe: + exec: + command: + - KGi9U + - D6 + - HZ3aC1 + failureThreshold: -2057203764 + grpc: + port: -1203229903 + service: Xd + httpGet: + host: tTW + path: oWk + port: -1347841801 + scheme: 檸`sȝBULj懄 + initialDelaySeconds: 1386184157 + periodSeconds: 2110004457 + successThreshold: -692279219 + terminationGracePeriodSeconds: -7060466210747559086 + timeoutSeconds: -905577521 + terminationMessagePath: g + terminationMessagePolicy: 頨Ĥ° òȯǤū暓坐ƚă杋鍄 + volumeMounts: + - mountPath: FmQht + mountPropagation: 饌^ǩ朳ųW磀ĥAijƨ+= + name: j5 + subPath: aoEWb7k + subPathExpr: 0ra + workingDir: zmwmt +- command: + - oFEaN2U1 + - HuBj9vk17eCjI + - "" + env: + - name: n3JVvVY + value: U14PEXs + valueFrom: + configMapKeyRef: + key: Ai0Xg3owIe7XlG + name: U4 + optional: false + fieldRef: + apiVersion: ZyO4Jpwkp2hV + fieldPath: roNil + resourceFieldRef: + containerName: gx + divisor: "0" + resource: Z + secretKeyRef: + key: AcP + name: qMy + optional: false + - name: oSWakHA + value: eR + valueFrom: + configMapKeyRef: + key: qsSVOr + name: o + optional: false + fieldRef: + apiVersion: SeP3aPXfjLIcfE + fieldPath: 091i + resourceFieldRef: + containerName: T5hI + divisor: "0" + resource: KxGi43CVGe + secretKeyRef: + key: "" + name: 5uI + optional: true + envFrom: + - configMapRef: + name: MujT + optional: false + prefix: cVRH + secretRef: + name: mpF + optional: true + - configMapRef: + name: MeO3F + optional: false + prefix: w3C4 + secretRef: + name: hnYx + optional: false + - configMapRef: + name: NT5MFmC65 + optional: true + prefix: "7" + secretRef: + name: yl2ze1 + optional: false + image: A8o + imagePullPolicy: ?晐T鴭Xp + lifecycle: + postStart: + exec: + command: + - zaLOG2 + httpGet: + host: kA51kbv + path: LMnFclIJczBo + port: 402299955 + scheme: :踖坯(Iȷ碨劅 + sleep: + seconds: 245674034851902981 + preStop: + exec: + command: + - Tz87qO + httpGet: + host: Xr6sP + path: xxE + port: 1901089000 + scheme: 3媧ş>La芸`Lzuŀɽ坤¦.痻Jǻ + sleep: + seconds: 6906639179439192094 + livenessProbe: + exec: + command: + - yxk0313sz + failureThreshold: 385001414 + grpc: + port: 1589713469 + service: UA + httpGet: + host: ZWfT + path: vTNYug5RZh + port: -192111662 + scheme: e¢dYÜdz + initialDelaySeconds: 1708942834 + periodSeconds: 1356452566 + successThreshold: 1750780088 + terminationGracePeriodSeconds: -1272770054640188829 + timeoutSeconds: 1656218869 + name: FxzTg + ports: + - containerPort: 63673829 + hostIP: 4xjED0VKV0G + hostPort: 2007665826 + name: xbwJ + protocol: ¼vb皪螯ʉwʒR玔È覦劙 + readinessProbe: + exec: + command: + - 0S + - "" + - GkPj + failureThreshold: 1405674719 + grpc: + port: -1659132742 + service: gIFP + httpGet: + host: jYnI3ins7 + path: bIEaFAc1 + port: UHfz + scheme: ʼn + initialDelaySeconds: 1531278754 + periodSeconds: -238235402 + successThreshold: -1690388514 + terminationGracePeriodSeconds: -2788228502880198888 + timeoutSeconds: -567709755 + resizePolicy: + - resourceName: nxpzTS + restartPolicy: ƫŀMs+,ǼƞȒ + - resourceName: 61uCVQ1 + restartPolicy: /澰ɍ½鑀a帷[鞺鏨攬姟壃F$R犬 + resources: + requests: + YfM: "0" + restartPolicy: œ|F彟S崘Ȑ貸1Ũȷ+齳 + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - 鸎dĉç荧 + privileged: true + procMount: "" + readOnlyRootFilesystem: false + runAsGroup: 5795239965908151493 + runAsNonRoot: true + runAsUser: 2409160731771391054 + startupProbe: + exec: + command: + - D6j2Q + failureThreshold: 975103738 + grpc: + port: -2081980063 + service: Nh + httpGet: + host: vdLm3FUXIs + path: jqCqF + port: "" + scheme: Ű"ƆĩNÙ襔冠ʈ + initialDelaySeconds: 524220215 + periodSeconds: 923596095 + successThreshold: 547119693 + terminationGracePeriodSeconds: 7382309226647739877 + timeoutSeconds: -1902082444 + terminationMessagePath: 2i5 + terminationMessagePolicy: 踑ĆĦ荷ýA/ǎ桫 + tty: true + volumeDevices: + - devicePath: KlUUX + name: NWO + - devicePath: W1JLM + name: qNw + - devicePath: BVE + name: c + volumeMounts: + - mountPath: yCztpht + mountPropagation: 巧苄;钽肇謌ʭɿw刄wɰM迵. + name: Mv9 + subPath: RWmlw + subPathExpr: Oy + - mountPath: Gf + mountPropagation: ɩ + name: On78O + readOnly: true + subPath: s7p + subPathExpr: 57aJIvpEm + - mountPath: m + mountPropagation: 崌蠿Ƣ湺 + name: CXSu + subPath: F8oe + subPathExpr: S +extraEnv: +- name: cD + value: JW + valueFrom: + configMapKeyRef: + key: "" + name: 8Ri7OfQ + optional: false + fieldRef: + apiVersion: Qc + fieldPath: 6ZYFg + resourceFieldRef: + containerName: qkUV + divisor: "0" + resource: yEf5zz13U + secretKeyRef: + key: xozuxs + name: z + optional: true +- name: "" + value: gea3 + valueFrom: + configMapKeyRef: + key: hwe3l3k2h + name: QX + optional: true + fieldRef: + apiVersion: kx + fieldPath: m7f + resourceFieldRef: + containerName: 0XEGE + divisor: "0" + resource: y4ce5 + secretKeyRef: + key: hmvX + name: 18Z + optional: true +extraEnvFrom: +- configMapRef: + name: DR3hdrvZIv + optional: true + prefix: kGV4HZ8 + secretRef: + name: tR3Yu1G + optional: true +- configMapRef: + name: 6pMd0VA0 + optional: true + prefix: Csp + secretRef: + name: ceqZBJ7fdqP + optional: true +extraVolumes: +- name: iPeR +- name: ZgdCb2kUB +fullnameOverride: KchYZFsbB3 +image: + pullPolicy: -0Ź桛ɼ訚Ņ;秵ňĝ苒9麡ñà臸ʫ + registry: cwfXN2KlU + repository: qYQHJ + tag: RIG +imagePullSecrets: +- name: V1 +- name: AyLzRkaGE +- name: 3pZ8 +ingress: + annotations: + 7KBv: R6qBYfCa + aBRf1: ygsbc + yL0ht8k8h: e + className: N8nne2Adwe5AYa + enabled: false + hosts: + - host: FyKy + paths: + - path: Cgcwa4F + pathType: pcConNItFmo +initContainers: + extraInitContainers: uND1 +livenessProbe: + exec: + command: + - 6VSzmxYwHC + failureThreshold: -1894321442 + grpc: + port: 487517384 + service: INsH + httpGet: + host: JNW + path: QZgsr + port: 228553774 + scheme: 躀廗裲繄鄸爖ž + initialDelaySeconds: 1986051838 + periodSeconds: 541607099 + successThreshold: -1968479306 + terminationGracePeriodSeconds: -7878496327638757142 + timeoutSeconds: 1374945691 +nameOverride: 6sW +nodeSelector: + y63G: wNiNvOMv +podSecurityContext: + fsGroup: 2302511509023017096 + fsGroupChangePolicy: 闦ñ禢`J鉤 + runAsGroup: -2347956389924856743 + runAsNonRoot: true + runAsUser: 1720952380350228641 + supplementalGroups: + - -621944387099711210 + sysctls: + - name: CvGz + value: "" + - name: dO + value: qwZyE +priorityClassName: 3A +readinessProbe: + exec: + command: + - "" + - KEndqzRiV + failureThreshold: 467513555 + grpc: + port: -1573796455 + service: ErWB + httpGet: + host: lLC + path: HH5gzp + port: -1970119534 + scheme: 酥梕ʄE訳 + initialDelaySeconds: -6410364 + periodSeconds: -623380707 + successThreshold: 1641270972 + terminationGracePeriodSeconds: -4383611239728405989 + timeoutSeconds: 1203716236 +replicaCount: 291 +resources: + limits: + "1": "0" + MrwIP: "0" + hgaW: "0" + requests: + 1lF: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: yoQYDK + name: xU86MHgk + kafka: + awsMskIamSecretKey: b1dpxuu + protobufGitBasicAuthPassword: bNLttpx0UHrQ + saslPassword: WLiPGk4IafDZkx8 + schemaRegistryPassword: d7In271W + schemaRegistryTlsCa: JYJZN + schemaRegistryTlsCert: muZOO19 + schemaRegistryTlsKey: 7cUIM + tlsCa: NWid + tlsCert: v843II + tlsPassphrase: ks1QSKsS + login: + github: + clientSecret: Bh26we + personalAccessToken: yKlBsX + google: + clientSecret: luzCc89Wm0 + groupsServiceAccount: qpX + jwtSecret: ojb + oidc: + clientSecret: cze + okta: + clientSecret: uuUR + directoryApiToken: WOW1d + redpanda: + adminApi: + password: rVI + tlsCa: yMec + tlsCert: YYHCeTg + tlsKey: 4Qv3y5Dl +secretMounts: +- defaultMode: 83 + name: ieSo8V + path: d + secretName: mD0jl +securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 阊 + - DIȜO吽解诎-曅 + drop: + - 贎秨Ůɭ懾Ù盾| + privileged: true + procMount: ʪ勪įOew\Ǡ礓 + readOnlyRootFilesystem: true + runAsGroup: -6230225082797374618 + runAsNonRoot: true + runAsUser: -2569068293811684873 +service: + nodePort: 314 + port: 424 + targetPort: 17 + type: oZi +serviceAccount: + automountServiceAccountToken: true + create: false + name: Cj +strategy: + rollingUpdate: {} + type: G阏发6s +tests: + enabled: true +topologySpreadConstraints: +- labelSelector: + matchExpressions: + - key: pPoL + operator: ǭȉćŴ讶Y + values: + - "69" + - UC9 + - "7" + - key: 6toZoG + operator: Ġ+kʫȸ颷ʅÓ欽V譵; + values: + - go8adRXrn + - key: S + operator: ĕȻ*Gɝ靿暛_洳瑼Ĩ + matchLabelKeys: + - "" + - V7xIs1 + - eqq + maxSkew: 983843814 + minDomains: 854272231 + nodeAffinityPolicy: '>S篐ö抏茄(6' + nodeTaintsPolicy: e3äTȦ硷B捕萑Ǵ吷Ǿ邂Ǝièø + topologyKey: NoEcMWkg + whenUnsatisfiable: 幗鞲&渶Ÿɪ`鹵N +-- case-041 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: gRchHJ + operator: g>騿b鈐ʃB¾偡医選ȍ恋 + values: + - I + - Ei + - "" + - key: hyf + operator: 斒ʃǜƆƲ + values: + - QUyyD + - key: Bkmx + operator: ư酰姺醪芄堑 + weight: 751548356 + - preference: + matchExpressions: + - key: oLam + operator: 蟹 + values: + - ouUaVpYnKDUI + - key: vjw6GPYYTKt + operator: 竣iN¸嚿×ɮib + values: + - ZTaqp + - key: d8VuBX6qV + operator: 脼Ȩ + values: + - a8aOe1 + matchFields: + - key: twbeCR + operator: óçøG靼Ɏȸ­乷ɍ + values: + - fJAm6rm + - 2h8IU + - zE9 + weight: 291395585 + - preference: + matchExpressions: + - key: qC6uf99en + operator: 鼢犖龆醑喐蠿鯌ʛB契p + initialDelaySeconds: -879591831 + periodSeconds: 1110714898 + successThreshold: -1301180826 + terminationGracePeriodSeconds: 3872467306429462875 + timeoutSeconds: 674947774 + terminationMessagePath: bm28lY3K2pwh + terminationMessagePolicy: Ȇƍ@¦Ț'±0ž + tty: true + volumeDevices: + - devicePath: o8dr + name: XmhFb + workingDir: 5wQN +- args: + - o0cO9clz7 + - HMSb + - 6uV0c + env: + - name: M3V9WePpx + value: ysO25 + valueFrom: + configMapKeyRef: + key: UqaJg4r + name: RfxtXP + optional: true + fieldRef: + apiVersion: lwe4YmNPx + fieldPath: tQj57vj + resourceFieldRef: + containerName: ZQ + divisor: "0" + resource: T + secretKeyRef: + key: x + name: ny4NEtt3z + optional: false + - name: cc2 + value: L0hw + valueFrom: + configMapKeyRef: + key: 385Ue36 + name: mmjoQw + optional: false + fieldRef: + apiVersion: 6oECJJ + fieldPath: viT + resourceFieldRef: + containerName: gwdJxK + divisor: "0" + resource: ck7 + secretKeyRef: + key: UuNsYAQvXJ0 + name: 1NAqDCU3 + optional: true + envFrom: + - configMapRef: + name: ZFk + optional: true + prefix: bXa4IzYR + secretRef: + name: aAJU + optional: false + image: JPgUP + imagePullPolicy: Q ¶ + lifecycle: + postStart: + exec: + command: + - r1uMNf + - M + - 8G + httpGet: + host: cuhhh + path: lXMriYoe + port: -988033465 + scheme: ',轄kzĒfť' + sleep: + seconds: -8820103652541681769 + preStop: + exec: + command: + - bElmX + httpGet: + host: bCNS + path: A0F + port: "" + scheme: 砘ɁA甜猷14ʣ)ǨƿŊ\ + sleep: + seconds: 821413986956195833 + livenessProbe: + exec: + command: + - M9y + - ay + - sRaY + failureThreshold: 600887441 + grpc: + port: 1597779369 + service: ua8K + httpGet: + host: 0XuF + path: V3 + port: -703127215 + scheme: 舷$趺É螳P阁]嚂驶钋琦袳$ƸO侎 + initialDelaySeconds: -1230549565 + periodSeconds: -335663932 + successThreshold: -1184112514 + terminationGracePeriodSeconds: 9077275487127832448 + timeoutSeconds: 1992088322 + name: pz + readinessProbe: + exec: + command: + - lVaA + - E9DNIWT7reP + - NW1Cc5O2 + failureThreshold: 1119300491 + grpc: + port: 2061347792 + service: fUXdOYJ9On + httpGet: + host: "0" + path: Us3pM3OkquAEW2 + port: -1693856749 + scheme: 鞡|鬟扝}肾~ + initialDelaySeconds: 1307857751 + periodSeconds: 1903760018 + successThreshold: 612917619 + terminationGracePeriodSeconds: -4296518247806248606 + timeoutSeconds: 1025631498 + resizePolicy: + - resourceName: "8" + restartPolicy: ȯy髚ʦ=ǰɮ瓿b:劀ǴáiO3IĮ + - resourceName: 8mFXK1FTs + restartPolicy: ėv|冿瀱Ƥ鐻D[ƼŮ/ + resources: + limits: + TVwPaoBqGL: "0" + juxQS6V3mr: "0" + requests: + igiG: "0" + restartPolicy: 皷ƴȿOvJ郦'欝 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ǐ缠]館ʚƾó|őɤ + - 6 銨dN_ZɻǦ絛顆麓 + - u鹍u鼓练gʘɍK]痰痁鶄Ȼ咶嚅俊ǙǕ + drop: + - 沎闸埲dz + privileged: false + procMount: "" + readOnlyRootFilesystem: false + runAsGroup: -265773045457612130 + runAsNonRoot: true + runAsUser: -6489119899323828796 + startupProbe: + exec: + command: + - 95NULc + - cCLaGfz + failureThreshold: -414102461 + grpc: + port: 339886942 + service: 7hdbpU + httpGet: + host: bN6EBrngIW + path: Luv09 + port: plsGDEJ + scheme: ʔ垃桪抴痺MM温ǹ + initialDelaySeconds: 2135898388 + periodSeconds: 1107416140 + successThreshold: -648919802 + terminationGracePeriodSeconds: 4653203112295127978 + timeoutSeconds: 1294917615 + terminationMessagePath: C + terminationMessagePolicy: 擎:Ȓ + volumeDevices: + - devicePath: TGjb8dLs + name: QN5Dj50Kuoc + - devicePath: aRIfAur + name: wQ47Fq7W3WPNDG + - devicePath: 2Smu + name: 1Q3d5wRJf6 + volumeMounts: + - mountPath: 5Trbk9 + mountPropagation: 秮驇穁 + name: YvM + readOnly: true + subPath: pFKsUV + subPathExpr: mhIjzA + - mountPath: F3lqb + mountPropagation: 窆f + name: NJXDvoxv + subPath: zVGgP + subPathExpr: H + workingDir: IEObw8N +extraEnv: +- name: 4R567pw + value: mWumx + valueFrom: + configMapKeyRef: + key: zDKgXG8 + name: Murbi95HW + optional: false + fieldRef: + apiVersion: FE + fieldPath: WAoZL + resourceFieldRef: + containerName: KyYyulloT + divisor: "0" + resource: fqVTn + secretKeyRef: + key: "2" + name: MHnd7TscnRWwYy + optional: false +- name: fm + value: 8fbdsVIUd + valueFrom: + configMapKeyRef: + key: "" + name: 6dU18hENH + optional: false + fieldRef: + apiVersion: Z + fieldPath: yt6csyy + resourceFieldRef: + containerName: c1WXMV + divisor: "0" + resource: NJVUoKSuC7pJDm + secretKeyRef: + key: "" + name: JptOa + optional: false +- name: WjWJX + value: 9VpkkQa + valueFrom: + configMapKeyRef: + key: Rpe79 + name: os5FYjLzS + optional: true + fieldRef: + apiVersion: "0" + fieldPath: j + resourceFieldRef: + containerName: NYuP + divisor: "0" + resource: EWUuGe739oa + secretKeyRef: + key: CFh + name: 8zez51Q + optional: true +extraVolumeMounts: +- mountPath: cIK + mountPropagation: 爂 YLƝ«煘?沀#朚ń鮾+ğÔ + name: orwvhF0 + subPath: ivP1ha4I + subPathExpr: VPCFJYVRHf +- mountPath: s + mountPropagation: m椥扶ȟqÈ倕{峙刷} + name: O35 + subPath: AN + subPathExpr: vm7 +- mountPath: 7P72D19W + mountPropagation: 堂窜B,Ś贃腔Ʈ£顽ąfYR + name: 6Z + readOnly: true + subPath: d7MJ + subPathExpr: LF +extraVolumes: +- name: "4" +- name: Kry +fullnameOverride: eHZ +image: + pullPolicy: ź,Î斎殉媰Fƅ + registry: l0qIdHu + repository: 5OO0wF5p + tag: i +ingress: + annotations: + fDuBFTYK9Q: 5XXu + wYD: 6p + "y": "" + className: Zp11 + enabled: false + tls: + - hosts: + - "" + - I + secretName: yCke +initContainers: + extraInitContainers: GXh2uupW81kt +livenessProbe: + exec: {} + failureThreshold: 1618833311 + grpc: + port: -1505397275 + service: IUgXOa3 + httpGet: + host: 99a94 + path: YFX41J + port: -636645896 + scheme: ƣ[ɐ虪ǸI + initialDelaySeconds: -1510068452 + periodSeconds: -1728837159 + successThreshold: -1832841689 + terminationGracePeriodSeconds: -2499091687248362302 + timeoutSeconds: 254335269 +nameOverride: 84QIe +nodeSelector: + JDRn7n: tOGfx + lKq0V88a: uR3S + vXzm2Hny: tURxvlp +podAnnotations: + JkW1: feghYA7 + okSVM8H: 7Pau + yYrmYn: uT +podLabels: + b4I: j707zvg + eyn1: gqdp7 + sWR: MV07t +podSecurityContext: + fsGroup: 3426922926776119440 + fsGroupChangePolicy: 橣 + runAsGroup: 8316915980597683441 + runAsNonRoot: false + runAsUser: 6270039107728700969 + supplementalGroups: + - -2399342924686736516 + - 620655430084388100 +priorityClassName: 6ZbHC +readinessProbe: + exec: + command: + - u4wSt + failureThreshold: -992972964 + grpc: + port: -940292781 + service: zh5 + httpGet: + host: 1Tg + path: FfFHRfo + port: -94900838 + scheme: țcPÞ + initialDelaySeconds: 2051362912 + periodSeconds: -288287188 + successThreshold: -404266702 + terminationGracePeriodSeconds: -123318567100123885 + timeoutSeconds: 31934256 +replicaCount: 378 +resources: + limits: + 0Yl63: "0" + BUorG9: "0" + requests: + JNdWuFZf5nnT: "0" + aszsvHn: "0" + qC76cU: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: "5" + name: X2lLLdu + kafka: + awsMskIamSecretKey: RoyDigH4v7A0 + protobufGitBasicAuthPassword: 3m + saslPassword: 5E + schemaRegistryPassword: "2" + schemaRegistryTlsCa: DSr2uQnBZ2 + schemaRegistryTlsCert: mji + schemaRegistryTlsKey: EcukHN + tlsCa: HwarCHVf + tlsCert: tsx + tlsPassphrase: owRWr + login: + github: + clientSecret: 3QP + personalAccessToken: RFXhu + google: + clientSecret: KbrHoAQ + groupsServiceAccount: tSLR4 + jwtSecret: gQSZ8AC + oidc: + clientSecret: O + okta: + clientSecret: tv58V + directoryApiToken: C3j + redpanda: + adminApi: + password: OZVk + tlsCa: F4wK + tlsCert: nkKfJ + tlsKey: ewWdsq +secretMounts: +- defaultMode: 210 + name: gcTdF + path: ctE5Qa + secretName: MPU +- defaultMode: 186 + name: "4" + path: n8KpOJZ + secretName: s6 +- defaultMode: 412 + name: lBE0nAE + path: 3Ka7 + secretName: RG +securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 憑 + - 贁 + - cÝ琦ŝʛD緪娥t諰ɤɼʠßʏ + drop: + - Hē粙 S綽ESFľĞóǂ + privileged: false + procMount: '>IÐ肣ɚòĺIGʖƟ穿ź' + readOnlyRootFilesystem: true + runAsGroup: -6867300864246942363 + runAsNonRoot: true + runAsUser: 972586500223089794 +service: + nodePort: 310 + port: 190 + targetPort: 396 + type: uTyclgj9tVV +serviceAccount: + annotations: + 1vh4t: 2P6FHr47JPz + JPV: tx0p + automountServiceAccountToken: true + create: false + name: gIkiPRSc53Eb4w +strategy: + rollingUpdate: {} + type: ĸ鍽3ɨ勍Ȱ¦T搟 +tests: + enabled: true +tolerations: +- effect: ć`湇Ȏ2篤螕巴蛬>@ø£鞌q + key: E7p + operator: 畁鼄瓈貔Ĕ釲ĸȚ貺|ǴĄl蔺İɽ糹 + tolerationSeconds: 3092681449541780742 + value: Zmrz8 +-- case-043 -- +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: x2q + operator: B肖HOʀ + values: + - "" + - Ys3JeXs5q + - key: kTV1 + operator: ɑɸ&楥ÃFŎł + values: + - UQJ1b + - PSnF + matchLabels: + x3: OyQXZWg + matchLabelKeys: + - c7l + - QL52 + mismatchLabelKeys: + - upadP + namespaceSelector: + matchExpressions: + - key: ve00EK + operator: 'ɗY莶ʥV蔈ƀ廜ȶƹŀLjÓ%õɽ ' + values: + - KsFwEq9un + matchLabels: + pZaTZ4dEyKe: Zr + y2udi: nOeICOHiSN + namespaces: + - eh3 + - Tk + topologyKey: sDRodPzb + weight: 950808176 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: "5" + operator: 豗ŵǕ + values: + - CXc + - lamtTG39Nn + - key: PAiD + operator: 靑 + values: + - Xc2 + - 0vCS1b + - MsAd + - key: V5SqAAs0jK + operator: tŇ + values: + - "" + matchLabels: + sN: eS9 + zyhZtMI: vk + mismatchLabelKeys: + - "9" + - 8kmgYkR + namespaceSelector: {} + namespaces: + - rttEi + - LsPL05A + - vt + topologyKey: RI9Fz + weight: 735869102 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 3wYP8eoC3 + operator: Ĭ囁缯盦鍎Șe宧冸'Pțl諷鵣 + values: + - tjW4s6vTm + - dAFd + matchLabels: + MYd: Xsox8 + vdIPmBzGHW: u + vtRD: cJZSpnJ + mismatchLabelKeys: + - ysVrZBCS + namespaceSelector: + matchLabels: + LLN: an + zhG0GzF: ebgXWsq + namespaces: + - Tc7JW + - l5 + topologyKey: XvVTKe + weight: 284965413 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: snHS61E + operator: ŁjĈ偔Ĵgä缬ɏ魜竿Ȍ匊ȡf + - key: GF64H + operator: N?+痱+龟嗙糨(;籄µ_ȤP榡Ȁ + values: + - sBC5mout + - gLNrAHCql + matchLabelKeys: + - I6T + - cfQ + - bj1O + mismatchLabelKeys: + - DOsKcbZ + namespaceSelector: + matchExpressions: + - key: wabhpRnnMK + operator: 昶Ǝ傪Ȃß + values: + - 6A + matchLabels: + AWV: wH5n597Z5ZD + MO5x: gCiuzkb + namespaces: + - SE6wLN + topologyKey: i + - labelSelector: + matchExpressions: + - key: hyV52PjMCdDTPM3Xj + operator: t.卆痘惠Ú皙駼ɥ飑蝪 + values: + - df + - QinuCr3k + matchLabels: + "4": xjs7u + 26YT8Kwl: 6Fn7QaX + IyQVKh: FT + matchLabelKeys: + - 43p + - 7wOCOZltU + mismatchLabelKeys: + - 69P + - KGelm4KjR + namespaceSelector: + matchExpressions: + - key: lc1l + operator: 圼酭蟶ƿʕNȎ褷K0¢戜ŰĨ矤磓 + values: + - F5sJcyG + - gSLP4 + - key: VUC9 + operator: 伂Nxŧ}_Ť + values: + - fdEFxj + - key: TtWF1erkH + operator: 鿐ȖP薈廰ǿÅʋ + values: + - 8fCxCdw018mnN + namespaces: + - MI7v + - 4d + topologyKey: t6NgG + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: D + operator: 棎 + values: + - 20fifD + - FrMdPhx9xo + - key: UGNn3lb + operator: 佛Ǥ3 + - key: Z2RLUvJbK + operator: "" + values: + - FdkgDft + - TefWIg2 + - bpqycNdCB + matchLabels: + HS3J6YWoEqk: Z6wgyP + doC4E: kBDLOXELx + matchLabelKeys: + - AcWh + - wz1OjMAc + mismatchLabelKeys: + - TzAtxmFj + namespaceSelector: + matchExpressions: + - key: 0PcmdJ + operator: h + values: + - cUMRXCqpYKF + - key: CNiL1smGnM + operator: cSŦ胪ǟ婟魳!M + values: + - nn + - J + - DT + namespaces: + - 115aP7 + - NIr + topologyKey: pAC + - labelSelector: + matchExpressions: + - key: N5YJ + operator: '`ȺDŽ窿U澩Û' + values: + - c6b9k + - kBiQmy4m0 + matchLabels: + I7ZhU9r: mVYody9U + kY71: tu + r0veMW: zYM + matchLabelKeys: + - iswu + mismatchLabelKeys: + - CANmp649B + namespaceSelector: + matchExpressions: + - key: 9dVeM + operator: "" + values: + - j4ohdLhch + - l + - "" + - key: Dg0F + operator: wŴǂ&;计DzP.觰髬uþ + values: + - gaIEZk1 + - W + - ox3 + - key: eem + operator: F铃ø睤榺蠯ƺDZ2s瘨澌秠%晸 + values: + - gQvNAvyI + - oime + - 4Sq9 + matchLabels: + J9W: R8 + o3EOEfEW: doLp + namespaces: + - kkkj1owvoXiU0 + - yfKU6aK + - LAx8rxmN8 + topologyKey: Z +automountServiceAccountToken: true +autoscaling: + enabled: false + maxReplicas: 400 + minReplicas: 207 + targetCPUUtilizationPercentage: 127 + targetMemoryUtilizationPercentage: 234 +configmap: + create: false +console: + roles: + - Ei: null + v4ACJLz: null + - isAtO9ew4: null + yruh: null + - 51fb5in: null + ILAz4wr: null + l90: null +deployment: + create: false +enterprise: + licenseSecretRef: + key: lN0R + name: Is29uweE +extraContainers: +- args: + - lXv3W4h + command: + - 0hlaE + env: + - name: 2R4HDOw + value: Ow63m2 + valueFrom: + configMapKeyRef: + key: W + name: K4xi + optional: true + fieldRef: + apiVersion: Jky + fieldPath: 53aQO + resourceFieldRef: + containerName: FnyzXcJW0Y + divisor: "0" + resource: CEeuoM3B + secretKeyRef: + key: d1k + name: gqHwwuuW7YCi + optional: false + - name: ixNGgU + value: zzCXF + valueFrom: + configMapKeyRef: + key: pAT30it + name: t + optional: false + fieldRef: + apiVersion: yp + fieldPath: Mh1WcPCbP + resourceFieldRef: + containerName: IswD1IBE9 + divisor: "0" + resource: Ro + secretKeyRef: + key: yFZxBVZdODt + name: X + optional: true + - name: WTnCxkS + value: pEk + valueFrom: + configMapKeyRef: + key: 11H + name: QATfCX3IsDv + optional: true + fieldRef: + apiVersion: vN4 + fieldPath: qMFch + resourceFieldRef: + containerName: uO0O + divisor: "0" + resource: N0cJGosw + secretKeyRef: + key: fDMU + name: hps + optional: true + envFrom: + - configMapRef: + name: 0OJJ5YVIX03 + optional: true + prefix: qMb + secretRef: + name: Q + optional: true + - configMapRef: + name: xbFZU + optional: false + prefix: a1 + secretRef: + name: x + optional: false + - configMapRef: + name: k37 + optional: false + prefix: YoFy + secretRef: + name: ogUiKqk + optional: true + image: 0pe + imagePullPolicy: 娒菐皎X噴粗嘍»ƪ~ + lifecycle: + postStart: + exec: {} + httpGet: + host: lO6z + path: Ocry6h + port: ZXfKF + scheme: ə朕IH尹ğ殤鍻O艚Ʃj"羈 + sleep: + seconds: 5751106255636900299 + preStop: + exec: {} + httpGet: + host: 7QkaR + path: F + port: 1848101873 + scheme: 7Õ嚎c煣擢?ǙȬžREWƿY#¡DZ + sleep: + seconds: -6692990274650219794 + livenessProbe: + exec: + command: + - uNT + failureThreshold: -829813283 + grpc: + port: -567104846 + service: LDcJp + httpGet: + host: g20utb + path: SiqR + port: hDMLQykO + scheme: Ŧ螵n^ʑ柁ɼĥh韁傧厬džƑ + initialDelaySeconds: -564429238 + periodSeconds: -1564220228 + successThreshold: 358143040 + terminationGracePeriodSeconds: -3271131206023471117 + timeoutSeconds: 1743016683 + name: 0dQgH + ports: + - containerPort: 1592798281 + hostIP: Ob6i + hostPort: 1226080714 + name: owTN2e7 + - containerPort: -909719890 + hostIP: LU4ibkw2 + hostPort: -291412037 + protocol: ț榌餬<孋蔣熰瘞;癘, + - containerPort: -1320944614 + hostIP: FALEX24mB + hostPort: -2067901656 + name: 3x2T + protocol: 鑴桄ɵ珧Ū + readinessProbe: + exec: + command: + - oc + failureThreshold: -784903530 + grpc: + port: -2046315075 + service: OUsbY + httpGet: + host: s50gn + path: gPyB + port: -2077437763 + scheme: 撫ƄǥǞ + initialDelaySeconds: 1983356613 + periodSeconds: 1988783141 + successThreshold: 2066305810 + terminationGracePeriodSeconds: 2348593211159662414 + timeoutSeconds: -418402994 + resizePolicy: + - resourceName: yW + restartPolicy: 9從O9籿c绉ȠýH + - resourceName: 9WLZ + restartPolicy: 酎!8 + - resourceName: ISSu7K + restartPolicy: RǷ巫錬$e幅"Ȅ + resources: + requests: + ZAHXO: "0" + cT: "0" + ftA: "0" + restartPolicy: 箕赳箨J顏 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - 厍F>%甾灵讝 dɌ撑礙Oo_ʦ + - ǮI埁艏:řŴi/隰6Ň + privileged: false + procMount: 籟ɔ矎C趶椰ʓ + readOnlyRootFilesystem: true + runAsGroup: -1819068651107678420 + runAsNonRoot: true + runAsUser: -4446960001037568719 + startupProbe: + exec: {} + failureThreshold: 1529697760 + grpc: + port: 2086810289 + service: LFhs + httpGet: + host: y7 + path: 7Q5PcVes + port: i + scheme: 阀ÿ¼+砵S麦ƺ'nǥ恪qżZǹ + initialDelaySeconds: -2048008543 + periodSeconds: -1559576850 + successThreshold: -655600930 + terminationGracePeriodSeconds: -8913842277118830912 + timeoutSeconds: -857654009 + terminationMessagePath: 9TOoj + terminationMessagePolicy: ¦ƫʇȬ儤f^_U躭 + tty: true + workingDir: cGeaEyJc6A9 +extraEnv: +- name: 1qcxFe + value: CddCzg + valueFrom: + configMapKeyRef: + key: uetPc0pnjv + name: CvmkK + optional: true + fieldRef: + apiVersion: FHMfGqk + fieldPath: 2P + resourceFieldRef: + containerName: bD1 + divisor: "0" + resource: kcSi + secretKeyRef: + key: pUu0 + name: 31uIu28D + optional: false +extraEnvFrom: +- configMapRef: + name: sJl8l + optional: false + secretRef: + name: ULPPuBUveK + optional: false +- configMapRef: + name: r4KbQIM + optional: true + prefix: vFNhdrDV + secretRef: + name: b + optional: false +extraVolumeMounts: +- mountPath: BsnW + mountPropagation: 撾<¥燩Uáb魩2wdz携W駟c韀羸â閹 + name: kS + readOnly: true + subPath: MQkyaubVs + subPathExpr: Bc +extraVolumes: +- name: FK5aYrlt +- name: BuMd +fullnameOverride: y0pa6pm83 +image: + pullPolicy: ā + registry: frvkIce + repository: Eyf5QN + tag: NF +imagePullSecrets: +- name: kBoh0Lyd +ingress: + annotations: + GOF: Fk7wcu + J2: ViiBwn6 + WODaheluZ: jCoFdBnr + className: 4Z1r6JSTY + enabled: true + tls: + - hosts: + - hAi45 + - N3wGXf + - 2Og0 + secretName: 11BdzGx + - hosts: + - MPqkMom + - mBwetJrK + - PcEKgK + secretName: HtA + - secretName: jRYKg +initContainers: + extraInitContainers: "" +livenessProbe: + exec: + command: + - 5l + - TPa5xuR1 + - pL3 + failureThreshold: -665161597 + grpc: + port: -1993107785 + service: u6KPs + httpGet: + host: R4Get + path: 0V + port: 1160926320 + scheme: ǨĄBW躼uQ劢Z + initialDelaySeconds: -958442622 + periodSeconds: 1883059027 + successThreshold: 1933410843 + terminationGracePeriodSeconds: 6283661173054068495 + timeoutSeconds: -1835273944 +nameOverride: "" +podLabels: + ZUMXq: 1paitbyR + o5jSmwn: "1" +podSecurityContext: + fsGroup: -2194962218839547968 + fsGroupChangePolicy: Ƃ搵Ņů羁nʇ雵Ri摿TǛø!ʣa饪詹 + runAsGroup: -8349123147211058668 + runAsNonRoot: false + runAsUser: -7634316416044162316 + supplementalGroups: + - -8005115528631553908 + - 3338610853164048033 + sysctls: + - name: KolWq + value: HzqTwBK4G4 + - name: rWyCA7 + value: DXY + - name: ukO43edoA + value: EVLsuF +priorityClassName: vW +readinessProbe: + exec: + command: + - 0X8tCVJI + - Sm4 + failureThreshold: -1604827341 + grpc: + port: 42051403 + service: H + httpGet: + host: 0gB9WjO + path: 0sPD + port: -849836679 + initialDelaySeconds: -1237987229 + periodSeconds: -2089146286 + successThreshold: 1944965466 + terminationGracePeriodSeconds: 6313366685724995629 + timeoutSeconds: -421565232 +replicaCount: 180 +resources: + limits: + pWciOVB3: "0" + requests: + CokuM: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: KGprr + name: w + kafka: + awsMskIamSecretKey: "" + protobufGitBasicAuthPassword: SerI + saslPassword: GKTX + schemaRegistryPassword: 4e + schemaRegistryTlsCa: "" + schemaRegistryTlsCert: 5V + schemaRegistryTlsKey: WFfrAH2a + tlsCa: kdCuX + tlsCert: j8Y2S + tlsPassphrase: jzecZl + login: + github: + clientSecret: cRkCl + personalAccessToken: 7XzR7g4 + google: + clientSecret: 1h + groupsServiceAccount: PpzN + jwtSecret: "" + oidc: + clientSecret: r + okta: + clientSecret: om + directoryApiToken: vYqev5 + redpanda: + adminApi: + password: X0 + tlsCa: MadMnzee10AL + tlsCert: SXxHZ + tlsKey: HYAn +secretMounts: +- defaultMode: 257 + name: mbhBeHK + path: 4B + secretName: "3" +securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ɓ秈Ǽ霏*苇ȋɇ燡ƲɔċɈx + - 畼#QȲȬ懹脆俼[葓箘Ⱥ¿ + - ƭ + drop: + - 鉉C餱芕鳧ǥƔʚŰ + - ǖ瞱祈)售歜ŃȀƖ厀Ʃ9茡ɥq + privileged: false + procMount: '''³編Ź~莽WS2孲j禺' + readOnlyRootFilesystem: false + runAsGroup: -7898786566866618408 + runAsNonRoot: false + runAsUser: 5048177807031045156 +service: + nodePort: 402 + port: 11 + targetPort: 465 + type: 9TsjJQkJZ +serviceAccount: + automountServiceAccountToken: true + create: true + name: Gma +strategy: + rollingUpdate: {} + type: I讗烉Ð-Ǵ +tests: + enabled: false +topologySpreadConstraints: +- labelSelector: + matchExpressions: + - key: 8oHl6iWalV + operator: 嗌ƕþ]eěk歄兠惴5]nj鿵ų|暫\ + matchLabelKeys: + - n2lT + - nr + maxSkew: 565546972 + minDomains: 1026506021 + nodeAffinityPolicy: _攊v + nodeTaintsPolicy: 踠~Ë?¶嘬 + topologyKey: OZKwm9I + whenUnsatisfiable: 艽ʧj +- labelSelector: + matchExpressions: + - key: e + operator: 貙wɡȗ扊l橠,ȶ^ + values: + - "2" + - 1aeU + - X1mzNz + matchLabels: + Kw: L0rDwe + hFD: 9Kbm7CtaSg + matchLabelKeys: + - lw1gZ + maxSkew: 131623139 + minDomains: 1034504401 + nodeAffinityPolicy: NƎ乮+却ŷƑIf.L焚 + nodeTaintsPolicy: "" + topologyKey: dpa7OA + whenUnsatisfiable: 貧uƻläʯlÓʐȮ竇dʐ疮儾 +-- case-044 -- +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: AFOKvXU + operator: ¸藬 + values: + - vIFxLM + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + ZpWVx: agTJ2kP3DWNYN + matchLabelKeys: + - "4" + mismatchLabelKeys: + - 0qG + namespaceSelector: + matchExpressions: + - key: D8 + operator: d|ɬ曖 + values: + - p3iQYi6Y + - key: c + operator: ǵmV逛鲳鈐譮稹ÚȾČXú + values: + - a + - 3C55L6S7 + - SQaxr + matchLabels: + "5": jC + namespaces: + - oDKjy + - "" + topologyKey: C9jgFk + weight: 1276231314 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: lGp2 + operator: "" + matchLabels: + "": sKP1q2 + 44krG: UrYUSMsisV + unYZqLh67: tMKQ + matchLabelKeys: + - orDt3ZdEA + - LIBJK3 + mismatchLabelKeys: + - bgz2i + - CNqlQJ + namespaceSelector: + matchExpressions: + - key: 35CZTXLY + operator: 掟0笝润ɲDGĪ1Ɋ乧鴹ǥ + values: + - OOB1s + - o4H + - key: f21 + operator: nȿqh + namespaces: + - L0w7 + - DB9 + - T1mom4CrS + topologyKey: OWKJz + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: WaOHp + operator: Ƥ熅ǒe²敹Ņ0ľ(Ȯɩ6ÿ + - key: 0X + operator: be3蚛鷿_鴈y+圚ʀF虹D + values: + - ZIZDTnyfwD + - B4NWO9ffPz + - 1jsu + matchLabelKeys: + - mXhYg + mismatchLabelKeys: + - mp6 + namespaceSelector: + matchExpressions: + - key: xE + operator: ʩ畕 + values: + - uc7IZ + - Hxl1 + - key: Xb41Q + operator: cʓʁ卡嵷韻 + values: + - pA + namespaces: + - edcrY + topologyKey: sP2BdI + - labelSelector: + matchExpressions: + - key: U0 + operator: 卢ʩ + values: + - OBtefl + - yMIZlx + - key: X + operator: Ǔ%é鵔:ß侙鞅 + values: + - s1qg3meB + - e6J6ZH89 + - key: dhFO + operator: ƋŎ頖,é襺枣Ť卩骏ɰ抟篧JɂǛȝȵ + values: + - R9sJoCz + matchLabels: + 2T: 84ZhksfB + matchLabelKeys: + - Yc41 + mismatchLabelKeys: + - zgncb + - pCwXYOK + - hViR + namespaceSelector: + matchExpressions: + - key: 3hWtuB6Y + operator: ʪ+ʜǻ拎奜跁ª4鶒鲒[ʒJi\ʝ)皡 + values: + - s + - key: xGSn + operator: 羥/Br=Z擧Ŀ泀Ą舨cïŕɘʡȽIJ鉽 + values: + - lOZtQ2cI + - Vk6 + - Ri3t + - key: Z6UDhR9VLqSA + operator: 淸c欨pɝo腛ı廓齩鄬檏繑郭>Ö呡 + values: + - s6hp + topologyKey: wZZTf + - labelSelector: {} + matchLabelKeys: + - afDo + mismatchLabelKeys: + - S + namespaceSelector: + matchExpressions: + - key: AWObA + operator: ĝf表OS厅啬児0~L槩华L稙訐\Tȼ + values: + - M39 + matchLabels: + 0D9: u5 + T1: xiLiZn + v6: nSQp5 + topologyKey: mr +annotations: + 4i: zwiMMKf + ZTKUDg2t: qHc7 + fGsx: dIpd +automountServiceAccountToken: false +autoscaling: + enabled: false + maxReplicas: 220 + minReplicas: 54 + targetCPUUtilizationPercentage: 269 + targetMemoryUtilizationPercentage: 205 +commonLabels: + BvJq2xZ: jY6O0 +configmap: + create: true +console: + roleBindings: + - UiHg9: null + - "": null + mAYLjAybA: null + roles: + - 0NpG04j: null + UxtPt: null + l5dMdK: null + - J9: null + MzWfEl: null + yNu: null + - "": null + Pv: null + tGJIDyXG: null +deployment: + create: true +enterprise: + licenseSecretRef: + key: x8ik3q + name: K7c7oe +extraContainers: +- args: + - CCdc + - xnWsPf + - K9Lp8whZH + envFrom: + - configMapRef: + name: eRd + optional: true + prefix: jF9v + secretRef: + name: QS0dQM4 + optional: false + image: UEbFmY + imagePullPolicy: ɂǖ耒ȯ+Ǎ妸ÄĊ wʠB堯¥ƿɤp + lifecycle: + postStart: + exec: + command: + - 89MtW + - LOaqkcP + - JzjyxNZS + httpGet: + host: "3" + path: V + port: RUOELw + scheme: u*暪÷鰦ʭ,0噱D #干 + sleep: + seconds: 7312334685976474890 + preStop: + exec: + command: + - Cmo91luAq + - DTCwI + - d3Q8xly + httpGet: + host: e + port: -1761554680 + scheme: '|' + sleep: + seconds: -8572473558022233717 + livenessProbe: + exec: + command: + - 1K0Fir + - Ws + - jWym + failureThreshold: 1492079208 + grpc: + port: -1612320137 + service: wk3AYU + httpGet: + host: U + path: yLWf + port: dE + scheme: (魠ʫ倳|岺溻IJħu|æ粅 + initialDelaySeconds: -1551121242 + periodSeconds: 101556636 + successThreshold: -690762638 + terminationGracePeriodSeconds: -7606489989577612357 + timeoutSeconds: -947750725 + name: GKPhj2 + ports: + - containerPort: 690563670 + hostIP: mVXvug29A + hostPort: -1389446008 + name: pcUz3a8NWF + protocol: o& + readinessProbe: + exec: {} + failureThreshold: 816403475 + grpc: + port: 2090385753 + service: pp5W00 + httpGet: + host: sP9DV + path: cpLL + port: TNUIzm + scheme: '!敓GĜƝ塀ȏ@{8嶤ɍ|' + initialDelaySeconds: 911169006 + periodSeconds: 257542772 + successThreshold: 1702435185 + terminationGracePeriodSeconds: -4557510245814657403 + timeoutSeconds: -581799810 + resources: + limits: + 5UdZ91O: "0" + TXdC: "0" + bK0pEj0Mb: "0" + requests: + s8hZFXOGF: "0" + tCP: "0" + restartPolicy: Ǩ轡´@ǂȟ + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 鿞;P粜鬌)Ǭ郑&鑉k!f] + - Ċ + drop: + - ?孡渄:Ơ廔晞!ē8瞅@rDZ_ + - cfdú¯'ƱơÅś祏侪 + privileged: true + procMount: ȝ?A@û2蝓撕%o摤絡) + readOnlyRootFilesystem: true + runAsGroup: -2314751572399378702 + runAsNonRoot: true + runAsUser: 989961539055775316 + startupProbe: + exec: {} + failureThreshold: 971752114 + grpc: + port: -1594677871 + service: O + httpGet: + host: EIXRs + path: EA1CukJtUZ + port: g9g0 + scheme: 遱O靑課淁hɕ怡ņ鲥 + initialDelaySeconds: -1020857297 + periodSeconds: 1332161137 + successThreshold: -1412285197 + terminationGracePeriodSeconds: -7087737322486666596 + timeoutSeconds: 563432789 + stdin: true + terminationMessagePath: S + terminationMessagePolicy: =ɑ_èʊâ錯Ɛ窾O亇_ + tty: true + volumeDevices: + - devicePath: 2EtZS + name: "" + - devicePath: glBRF4 + name: e8K + volumeMounts: + - mountPath: L4U + mountPropagation: '}6ʓ蓱9峖3疖售Ʉ朞' + name: 4oVeDs + subPath: RoA + subPathExpr: b + - mountPath: b3TFcP + mountPropagation: ʘʟ| + name: jg4Ya + subPath: F + subPathExpr: flS + workingDir: VZi6ElPHw +- command: + - 3xxCjTRw + env: + - name: 1n + value: cHl + valueFrom: + configMapKeyRef: + key: "95" + name: gi + optional: true + fieldRef: + apiVersion: sQA8hZeZu + fieldPath: xgpJlFJ2 + resourceFieldRef: + containerName: fLR0HyM + divisor: "0" + resource: Sanx4 + secretKeyRef: + key: XgKm5 + name: gvoS9jB + optional: false + - name: s2cwze + value: hu + valueFrom: + configMapKeyRef: + key: fDoUz3 + name: XKG + optional: true + fieldRef: + apiVersion: q0CUy1W + fieldPath: B3Lkh + resourceFieldRef: + containerName: V1gnkr8hpTmU + divisor: "0" + resource: 7PEJNYX + secretKeyRef: + key: IiBIw + name: kiXa5 + optional: false + envFrom: + - configMapRef: + name: JayMLn + optional: true + prefix: Iyk + secretRef: + name: I8 + optional: true + image: uuJKCAGoiYb + imagePullPolicy: '&mɈ{DC鹪ŘƖ暢C镯VĪɮJ樟' + lifecycle: + postStart: + exec: {} + httpGet: + host: TlUl + path: v9nd + port: Khf + scheme: 雦G'獲ɕ垑Ɠ奚 + sleep: + seconds: 3204757101293724426 + preStop: + exec: + command: + - s8505Cg5U + httpGet: + host: hAMBGK + port: LNxGid + scheme: 9?Ɉ + sleep: + seconds: -7512312074000843110 + livenessProbe: + exec: {} + failureThreshold: -1252597876 + grpc: + port: -544919593 + service: "N" + httpGet: + host: xfP + path: ByIZxFF1w + port: 465839308 + scheme: ôȔʄǽȕ$Ɨ嫸% + initialDelaySeconds: 1827740835 + periodSeconds: 1434348082 + successThreshold: 1145653124 + terminationGracePeriodSeconds: -9056662989967493169 + timeoutSeconds: -741454610 + name: pkN5 + readinessProbe: + exec: + command: + - pmJ6cF + failureThreshold: -182850181 + grpc: + port: -30654612 + service: q + httpGet: + host: Vra + path: tovB7 + port: -934938952 + scheme: Ⱥǵ1茆鯨ț]ų1ơñ澂 + initialDelaySeconds: -1966697414 + periodSeconds: -1866944455 + successThreshold: -259752087 + terminationGracePeriodSeconds: -4535014313385885341 + timeoutSeconds: -1545912021 + resizePolicy: + - resourceName: RxDBqX + restartPolicy: 韌ʮ濅& + - resourceName: spCee + restartPolicy: 腋+桯PɆ誎z4µ&ȁou-囈鵼夵v| + resources: + limits: + rElH: "0" + requests: + "": "0" + restartPolicy: 7GK¦碦ǒ抩Z芍緜 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - NjǗA窇ţ + - 逈%Ǵ7QǚƶƜr + drop: + - 鹭Iv0蠤'Ɵ皝ƨ=¨ + privileged: false + procMount: èįƤ;L虥u籖ʄƎ}橃V炖 + readOnlyRootFilesystem: false + runAsGroup: -1041723617216276814 + runAsNonRoot: false + runAsUser: -3933065726531016441 + startupProbe: + exec: {} + failureThreshold: -983644738 + grpc: + port: 1827183629 + service: X7oC1 + httpGet: + host: vGk + path: ohKaYc + port: l1rVsh9 + initialDelaySeconds: -648569392 + periodSeconds: 873065120 + successThreshold: -612441773 + terminationGracePeriodSeconds: 6808330544454597158 + timeoutSeconds: 1534439066 + terminationMessagePath: VYh + terminationMessagePolicy: 唌Üi+ + volumeDevices: + - devicePath: DGsn + name: Ia + volumeMounts: + - mountPath: "14" + mountPropagation: 渉seǝ蕟厪ë嵎ǥ墮@ + name: "" + readOnly: true + subPath: C1G4VS1 + subPathExpr: eU + workingDir: odPxO +extraEnv: +- name: Ahlf + value: UEv + valueFrom: + configMapKeyRef: + key: uwaRvb + name: M8Iklu7qx + optional: true + fieldRef: + apiVersion: H + fieldPath: 43xb + resourceFieldRef: + containerName: t8wgC87mO + divisor: "0" + resource: Z + secretKeyRef: + key: "" + name: EQfJ3z7tv + optional: false +- name: xj + value: lwmxmxP + valueFrom: + configMapKeyRef: + key: "" + name: cdBhO + optional: true + fieldRef: + apiVersion: U + fieldPath: Dj1sswKP + resourceFieldRef: + containerName: 1p3yUdrvd + divisor: "0" + resource: 5A + secretKeyRef: + key: DDcgdcu + name: oD38 + optional: true +extraEnvFrom: +- configMapRef: + name: 2ECaB + optional: true + prefix: bao + secretRef: + name: CA5S95 + optional: false +extraVolumeMounts: +- mountPath: v + mountPropagation: ?IJ純ʈxɧʅ + name: 9AiRaE35OlCv + readOnly: true + subPath: 2dv5RZ + subPathExpr: H7f +- mountPath: "4" + mountPropagation: 涾頴tOĜʥ朤 + name: ePEz + readOnly: true + subPath: BY + subPathExpr: w +- mountPath: n5FPgiJmk + mountPropagation: Ǵ棢__@ŗɆ4瞑5ŗ­L/ķ{篦ǯ + name: NryERK9Q + readOnly: true + subPath: tINFMAR5 + subPathExpr: VrBKy +extraVolumes: +- name: Kt6NIoVzEY +- name: O +fullnameOverride: resP +image: + pullPolicy: 讘ɂȴɩF壜î栒p + registry: UqWwteW0x + repository: TZqk + tag: 0fpMB +ingress: + annotations: + 7CEw: nk8 + bqg: H5 + x1S7: Pu + className: 6IuECM + enabled: false + hosts: + - host: gDc + paths: + - path: len9tdPYcpq + pathType: XETm5mmK3Es + - path: zn5u + pathType: p5jlQul + - host: "" + tls: + - hosts: + - Th5w + - xssK + - xFW9 + secretName: wA + - hosts: + - bR + - U73RtLKOI + secretName: jEnKU +initContainers: + extraInitContainers: 0VCU +livenessProbe: + exec: + command: + - wV + - eooUnSLpW + failureThreshold: 1147871047 + grpc: + port: 483952618 + service: Ca + httpGet: + host: pXrlUHltqchNl + path: kMP5 + port: -1823407150 + scheme: Ò壻«Ƭ魠?ǣ×Ç + initialDelaySeconds: -470682176 + periodSeconds: 842863336 + successThreshold: 2078067842 + terminationGracePeriodSeconds: 8174922400865091455 + timeoutSeconds: 1252398573 +nameOverride: tvDI +nodeSelector: + 2i: dRi6btw6 + R4: UsW + fFNJXGk: XBkx +podAnnotations: + N0F: vSjZxkjW +podLabels: + K1uahi: UMygEU2O2 + ecdKkB: "1" +podSecurityContext: + fsGroup: -3027126285888130862 + fsGroupChangePolicy: 袺芥ŵ罋o郘渢e堫柝dž + runAsGroup: -3172565869747057973 + runAsNonRoot: true + runAsUser: 5739747577453985710 + supplementalGroups: + - -1289730562709624524 + - 2918948066534341347 + - 8836988143915675306 + sysctls: + - name: ZSspAgrV + value: ES11 +priorityClassName: 8KMLup9vb +readinessProbe: + exec: + command: + - 50jwjhoUN3n + failureThreshold: 1026367217 + grpc: + port: -238173978 + service: Ju + httpGet: + host: wDDq9i + path: w7hRVdP6kmTaLN + port: -919313657 + scheme: 闡ś + initialDelaySeconds: -233395254 + periodSeconds: -96619339 + successThreshold: -2083481091 + terminationGracePeriodSeconds: -7352799244112409845 + timeoutSeconds: 1827269276 +replicaCount: 410 +resources: + limits: + eYVLCq: "0" + requests: + P: "0" + VsuQcjg: "0" + jwq: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: zvbci + name: W0 + kafka: + awsMskIamSecretKey: SFtL8nb + protobufGitBasicAuthPassword: "" + saslPassword: "" + schemaRegistryPassword: p + schemaRegistryTlsCa: 0m5L + schemaRegistryTlsCert: fqb + schemaRegistryTlsKey: whFm7 + tlsCa: 2Ir + tlsCert: JBVRtfzSurH + tlsPassphrase: OSDd + login: + github: + clientSecret: mCF8qeqhA + personalAccessToken: 7MnYqfh + google: + clientSecret: uo83GiVX2X + groupsServiceAccount: LCEQJi + jwtSecret: cmCx + oidc: + clientSecret: jW3Syrm + okta: + clientSecret: RDyL5FTb + directoryApiToken: BmJgmq2h + redpanda: + adminApi: + password: 6pe + tlsCa: gzJP1h + tlsCert: GRhBENFNa + tlsKey: qKQ +securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ɐ毻sǨ斩麀|髦 + - (波F= + - 2鱶ɥǚ蘃齯ʃE桹蹝Ȓ畸蘋桙0 + drop: + - c掁轖e9\Ǟ¦ + - ȽT下Zź%賂蕄3 + - 乯`ŤĊŸ眸ʞ缔Ň妌嵳楕ǐwč*ǩ妩ɴ + privileged: true + procMount: ŃE诩Ŗś僆 + readOnlyRootFilesystem: true + runAsGroup: 6580465723841053659 + runAsNonRoot: true + runAsUser: -56006153890553620 +service: + annotations: + CRHNsVY: Nl04 + nodePort: 437 + port: 103 + targetPort: 329 + type: "" +serviceAccount: + automountServiceAccountToken: true + create: true + name: W9k +strategy: + rollingUpdate: {} + type: ɬdW5f +tests: + enabled: true +topologySpreadConstraints: +- labelSelector: + matchLabels: + 435gSB: cXqM + XuT: nA + sKWX6pPX: YyYe + maxSkew: -1347306472 + minDomains: 1890499147 + nodeAffinityPolicy: 扒Ŕ + nodeTaintsPolicy: 諹uɔM_灢ʫ6ªWŢ庿ɛ + topologyKey: 34nlpPe2Tl + whenUnsatisfiable: šĉ鎨嶕鯖Ťȯ蝲萤ɪeCŒ5ő3|押 +-- case-045 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchFields: + - key: MyOwAD1 + operator: 啜0Ȕ + values: + - ZGn4YX + - key: jDkjMmXqE + operator: NŤ~鷚ȃÐ醩@鿘.礡PdL + values: + - N3K + - ow + - PzPEWA + weight: -72104605 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: JvUcVrA7 + operator: Žx"ơ + - key: xqi + operator: 1匹层舕ƒ僜ʓ + values: + - e + - key: eLiG + operator: '[r-!"ĻŻ艂酁嵍鏺]髠' + values: + - EKgA + - 2tR + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + 7EKjs: lal36 + matchLabelKeys: + - DsNc + - EF + - MxSx7 + namespaceSelector: + matchExpressions: + - key: AJRciio + operator: I鎴 3ɡƞK慳hĉ + values: + - dh + - key: O8 + operator: ʤ喜牅ƫ]Ȉʚ廆Ƨ椬訐儹9ȡ趿 + values: + - QIR + - 4QIg3r + - key: xEKeM + operator: 嬕 + values: + - R0qm21j + topologyKey: yN7rFb + weight: 371178507 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: 6m + operator: "" + values: + - sEP + - r + - 916oARGpag + - key: YtLdy2vWFRG + operator: "" + values: + - NbAvpL8G + - 0a3vqv + - key: TOiWxWC + operator: ǝ椦誄ȟ2沾ʩɁǢɶ攧Ţ胑< + values: + - BDKh + - NFb9UYct3p + - TFdQLF + matchLabelKeys: + - TACd + - RFCD1IMt + mismatchLabelKeys: + - CLaySswMot + - S3sEweRaY + - tC6pZ + namespaceSelector: + matchExpressions: + - key: pDz + operator: "" + - key: iRP7TsiyE + operator: 8šiƛPċŞ貲I轒ĮÜ + matchLabels: + 4IVb55JZf: "" + XokO: FntMc + namespaces: + - BOohC67i + - tv + topologyKey: Wc36G + - labelSelector: + matchExpressions: + - key: 2swiyf9 + operator: X + values: + - "2" + - Mmu6iYl3 + - XsZhnelID + matchLabels: + zf: IJlhUxrQg + namespaceSelector: + matchExpressions: + - key: RMLd0ptomdzoSd + operator: ƋŲǯ-'Dð獿礘ĘQ蕲螙x + values: + - rz5QKfx + - key: smO + operator: DɴK*4瘢齮 + matchLabels: + "": crZm + R7TX: 7hcjy + Yh: dyM1 + namespaces: + - PqubN + - elFz + - 5Iah6Cz + topologyKey: QE + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: faWSc + operator: ʚʉŝwʊ寭跼Z + values: + - dgKap + matchLabelKeys: + - sEXCWO + mismatchLabelKeys: + - BqB + - QSJQOy + namespaceSelector: + matchExpressions: + - key: 9zT + operator: 锂遼9ɎVn嵕缰~ + - key: bJi68gZ + operator: 己樚僚%隓馦d + values: + - LT + - "" + matchLabels: + yt: Z + zMv4Ez: NSxkcn + namespaces: + - bfc + topologyKey: pUFg7ZP + weight: -962989660 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: {} + matchLabelKeys: + - "" + mismatchLabelKeys: + - Mfh + namespaceSelector: + matchExpressions: + - key: 6Ax1cf + operator: ʆ骜ʣ蘧F栮,C + values: + - 1WljmgAmSY + matchLabels: + 174k: 7or9Mr + F4YETWGCg: Rt46e + cMQyYT: RTaOOxz3Li + topologyKey: 9j +annotations: + 12kkcHLZdTIn: FQ4am + LQDfr: q +automountServiceAccountToken: false +autoscaling: + enabled: true + maxReplicas: 305 + minReplicas: 326 + targetCPUUtilizationPercentage: 344 + targetMemoryUtilizationPercentage: 186 +commonLabels: + M1diW: PVb +configmap: + create: false +console: + roles: + - tvT4mf0wFe: null +deployment: + create: false +enterprise: + licenseSecretRef: + key: kMfu2CiNvgC34 + name: oa9a +extraContainers: +- args: + - HP10TO + - kuCNcTLL + command: + - m + - Nww8 + - 98Rn + env: + - name: SSO + value: dOiVAD + valueFrom: + configMapKeyRef: + key: rG6s + name: ZIOGFg7 + optional: true + fieldRef: + apiVersion: 5QpSAgTC + fieldPath: wvXbuBkn + resourceFieldRef: + containerName: ZRxTJ6p + divisor: "0" + resource: lxXIfgo + secretKeyRef: + key: a4I + name: fdAC + optional: true + - name: t + value: lhJB5Gu + valueFrom: + configMapKeyRef: + key: 9sIY7ap56C + name: jxSPO + optional: true + fieldRef: + apiVersion: 7y + fieldPath: TVs + resourceFieldRef: + containerName: Bk7GMS + divisor: "0" + resource: KghhcLY + secretKeyRef: + key: "4" + name: Q0xn + optional: true + envFrom: + - configMapRef: + name: xkM + optional: false + prefix: 6Hmq + secretRef: + name: 2W7 + optional: false + - configMapRef: + name: nw + optional: true + prefix: ZF8q + secretRef: + name: Hazz + optional: true + - configMapRef: + name: C0TBIATG + optional: true + prefix: Wm + secretRef: + name: Yg2 + optional: true + image: vXSldD9 + imagePullPolicy: .Ś.l庥抁臚蚋巸_ȧʟ[R榶E + lifecycle: + postStart: + exec: + command: + - oN + - eEYgTnILd + httpGet: + host: mg7llOt105m + path: dtlR4G + port: wD90f + scheme: ʖ两ĕ¤¬瞮U? + sleep: + seconds: -2237517267526569736 + preStop: + exec: + command: + - GMjypvCI + httpGet: + host: T8pa05 + path: u9bCqIg + port: M9zgB + scheme: '*蛬ŻĈ' + sleep: + seconds: 475574192596548942 + livenessProbe: + exec: + command: + - dUJeULUg + failureThreshold: 1485223326 + grpc: + port: 701458966 + service: CQKKuIS4d + httpGet: + host: E2fjZ + path: XvuU + port: NoCTx + scheme: 蜼烀ȏǓɦMDn糆ƥHʼn/瓏ìȢŷ + initialDelaySeconds: -1475170089 + periodSeconds: 1989433587 + successThreshold: 1386111224 + terminationGracePeriodSeconds: 5430499533574282933 + timeoutSeconds: 1740226413 + name: wG4ZxvZMuJ + readinessProbe: + exec: + command: + - "6" + - obo + failureThreshold: 2126666969 + grpc: + port: 521888256 + service: z + httpGet: + host: Fpq + path: ghrc2 + port: -314576227 + scheme: 瓰vp烫ǁĴŰDȐ插研Ǽʜ + initialDelaySeconds: 1330937719 + periodSeconds: 78230226 + successThreshold: -351220698 + terminationGracePeriodSeconds: 6147801770047971409 + timeoutSeconds: 1906635539 + resizePolicy: + - resourceName: Waf + restartPolicy: ʑ艜ɾ蘩Ƈ`7ɫ坓弎Ȗƈ + resources: + limits: + WfxZ: "0" + gZ: "0" + oup1P0j: "0" + requests: + D0AyOZ87h: "0" + Wmp9uU8: "0" + mowWvEm: "0" + restartPolicy: ǔ輋篐棶耏īʡm0Ñ!ř$曤Qʢ瞪Ļ + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - Ì酃`sŬ硪W#鿻Gƃu + - 先ĜtàX + privileged: false + procMount: Ĕʤj螹țȞVa + readOnlyRootFilesystem: true + runAsGroup: 5877071704122825347 + runAsNonRoot: true + runAsUser: 607897543692979281 + startupProbe: + exec: + command: + - 1R1GIynL2u + failureThreshold: 197417586 + grpc: + port: 581882770 + service: jrlDhPYYcBk + httpGet: + host: btMskta + path: iy + port: -1405181644 + scheme: ­劲襇板ƶ2豣Ă輒" + initialDelaySeconds: -317632223 + periodSeconds: 1128778719 + successThreshold: -878681442 + terminationGracePeriodSeconds: -5809012571377279815 + timeoutSeconds: 326998121 + stdin: true + terminationMessagePath: vlSz + tty: true + volumeDevices: + - devicePath: jpSm + name: A1S8F + volumeMounts: + - mountPath: zH + mountPropagation: Œib抪黠wƱ軭 + name: vY1XOHYYy + subPath: Tui26JLZyP + subPathExpr: 2T0bhLFBv + - mountPath: qLd4 + mountPropagation: = + name: MlJNiuK + subPath: Gt + subPathExpr: 1br + workingDir: qaJz +extraEnv: +- name: "" + value: 8qqxpUmb + valueFrom: + configMapKeyRef: + key: nyn + name: 2a6 + optional: true + fieldRef: + apiVersion: 4VL + fieldPath: mLkq5SaY + resourceFieldRef: + containerName: q58NCY4 + divisor: "0" + resource: iTwPTz + secretKeyRef: + key: fymwKG2di + name: jP + optional: false +extraEnvFrom: +- configMapRef: + name: kjk + optional: true + prefix: bXXh + secretRef: + name: ksMoUzjV + optional: true +- configMapRef: + name: 8AWI + optional: false + prefix: hqwWp6 + secretRef: + name: a + optional: false +extraVolumeMounts: +- mountPath: g + mountPropagation: ƎÀ虰|墫} + name: izh4Kt + subPath: l3Jx + subPathExpr: bgpu9UdSPr4CF +extraVolumes: +- name: UQKug +- name: giK +fullnameOverride: 9gCm5xz +image: + pullPolicy: "" + registry: I + repository: utUA + tag: 3NaFJMnq7cwb +imagePullSecrets: +- name: rTO7I +- {} +ingress: + className: y6u9o + enabled: true + hosts: + - host: V + paths: + - path: VRp3 + pathType: WX + - path: ZXqa + pathType: LXDjotJK + - path: b + pathType: 6l3svu + tls: + - hosts: + - SzMunki + secretName: OT +initContainers: + extraInitContainers: Gaa +livenessProbe: + exec: + command: + - w + - 4y0unO7q + - fUMv46yk + failureThreshold: 564680295 + grpc: + port: -274686900 + service: SZ + httpGet: + host: "97" + path: R + port: sw2f4 + scheme: ǖe灻膃爌|rQʮ` + initialDelaySeconds: -1623540175 + periodSeconds: 2083875877 + successThreshold: 1467697726 + terminationGracePeriodSeconds: 1240720412315600394 + timeoutSeconds: 514813622 +nameOverride: tOoxEiwdVpT +nodeSelector: + 4X: PJ6v +podAnnotations: + TImM2rpn: ixT +podLabels: + jAyDz: vW2 +podSecurityContext: + fsGroup: 8841428564051369991 + fsGroupChangePolicy: '''諢憭捽鉚ƾ邓鈽6M_s' + runAsGroup: 5877981406957979012 + runAsNonRoot: false + runAsUser: -2714811370596686768 + supplementalGroups: + - 3627757755693767927 + - 3933990106793080427 +priorityClassName: Op +readinessProbe: + exec: + command: + - Rvxle1 + failureThreshold: -1544911058 + grpc: + port: 1480625343 + service: iUWGjn1Yq + httpGet: + host: 0Wg8b + path: qrDi3 + port: -689203177 + scheme: 馨PƆȣdfTNʫ*ɀLɐ3} + initialDelaySeconds: -386708604 + periodSeconds: -1196967535 + successThreshold: -658970667 + terminationGracePeriodSeconds: -8534050677682835111 + timeoutSeconds: 1352482566 +replicaCount: 218 +resources: + requests: + Nh6YX: "0" + z: "0" +secret: + create: true + enterprise: + licenseSecretRef: + key: "9" + name: Pd + kafka: + awsMskIamSecretKey: "" + protobufGitBasicAuthPassword: naFpMBw + saslPassword: nKEzr + schemaRegistryPassword: xU + schemaRegistryTlsCa: pc + schemaRegistryTlsCert: fF1z9FE + schemaRegistryTlsKey: tx + tlsCa: bhhbwypQ + tlsCert: Dw1477 + tlsPassphrase: zRD + login: + github: + clientSecret: 1UD4N + personalAccessToken: LmFkP6BgmLQ + google: + clientSecret: m + groupsServiceAccount: "" + jwtSecret: 9ejQZ6 + oidc: + clientSecret: cXdjG + okta: + clientSecret: eF90RohF + directoryApiToken: 1zXLSJEQ + redpanda: + adminApi: + password: rr4c4 + tlsCa: Eonnpq + tlsCert: aPCNgYI + tlsKey: vlrLQ9I9 +secretMounts: +- defaultMode: 266 + name: omIzst + path: "" + secretName: Pn +- defaultMode: 133 + name: "1" + path: gIWg + secretName: gi4zM +- defaultMode: 451 + name: lrUYguc + path: D9pR + secretName: 3FH +securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - m优ķNJ噓+Pð + - 橯O燁 + drop: + - 褈墄ȃ杵 + - 娨Î + - rƴ}Ɇ橮ʕ*m敼ʎhǰ.ʔcZ + privileged: true + procMount: 攏O婑 + readOnlyRootFilesystem: true + runAsGroup: 8829730151763757512 + runAsNonRoot: false + runAsUser: 64441908715087607 +service: + nodePort: 325 + port: 314 + targetPort: 398 + type: C +serviceAccount: + annotations: + "": zL + EANkzh: rmy + automountServiceAccountToken: false + create: true + name: nX5G +strategy: + rollingUpdate: {} + type: ɬ(ìɅ +tests: + enabled: true +tolerations: +- effect: ɥ)藖朡YȖɌGǼRŗ迼@醹F6鎚 + key: 7Nq + operator: "4" + tolerationSeconds: 3766411560743927749 + value: TCksEtpTf +- effect: ȷ^?3HʉɚŢȾL + key: mj5pit + operator: 隱瀆J纝ɽÄ:憹欓 + tolerationSeconds: -3549323835306297633 + value: CN0gSHK7T +topologySpreadConstraints: +- labelSelector: + matchLabels: + N5pfvDQM4ZnP: "" + ZDk6ppZLAO: nn + f1Z: 2Molvtunvm + matchLabelKeys: + - cUf4VG + maxSkew: 2039905438 + minDomains: -1795353257 + nodeAffinityPolicy: 啚FLjʐəǪɠ梎Ň沮<^Zæ + nodeTaintsPolicy: Å扯R + topologyKey: qVloCmz + whenUnsatisfiable: ūh挕ŀ靕土伔澍鄓 +- labelSelector: + matchExpressions: + - key: sgB0Jx + operator: "y" + matchLabels: + Dhp: chzEB + matchLabelKeys: + - TBO + - g5M + - h + maxSkew: -825758940 + minDomains: 1383227075 + nodeAffinityPolicy: 婬ȴ羉Ā蕲k<ǯŘ`貉ì攘窼ȶ{黺( + nodeTaintsPolicy: 晓}從磹砛鬀D + topologyKey: MXei + whenUnsatisfiable: Ē舐ɒ'Q|ȃ#Y\厾h +-- case-046 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: 2Nsqe + operator: 阴闤Bǘ尚僞熐蘐槄TČ鉇拍Ɣ唉f钡 + values: + - EQslZWcPKU3 + - key: clrdH7j + operator: 鹓ī郖漖8ĬwƓ + values: + - zsB2 + - HGN2A + matchFields: + - key: Is7w3FDS5zse + operator: -ĉYd + values: + - U4nF56qPTw + - mm38x0AQL5c + weight: -1981921933 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: mRa + operator: ȥǮĬʩɄeƩ蟤确= + values: + - ooR1 + - QIho6keUV5fIUe + - jrOsTe + matchFields: + - key: miXl + operator: ʯ5yɶȁ/z>Ǡb_Ȉ撿÷đ湕ǭ + - matchFields: + - key: yXFe + operator: ȁ!Ńǩ浉F蕊ƕ倉輴Q¬ß巩ɿ + - key: qEUUleUJCe + operator: dz楥Qɗ鎽嚬t轮黑<ƻ眄 + values: + - pXk + - l22 + - l6 + - key: DiInxf + operator: lťõ祟X鬀ò嬬uġ + values: + - CtW2vs2 + - x + - rT + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: 0oFNd + operator: 喯z芡I钷)bę%匾蟨 + values: + - i6xl9Mn + - "Y" + - Dnn1nA + matchLabels: + ACWAVtod: 5MsAi + W7L46x: Iohx + matchLabelKeys: + - tZcagyiX + - 5w + - SMP + mismatchLabelKeys: + - b + - f + - bqCBIIfcdw + namespaceSelector: + matchLabels: + H3qd: 6DBRkuQvCde + namespaces: + - Y3j7k + - 8i2rf + topologyKey: 290Z + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: j8OASVi + operator: Ų驐Ĥ>Ȳ`1)o}嵊袀d + values: + - DE + - key: Iir + operator: WqȊ晝ɛ唊ɵk抩Ǟ紅銫Ş秠Ś~ą + matchLabels: + 8RiTX5m: lU1nenIq2B + B1: gskcNQo6g + D1kq67: "" + matchLabelKeys: + - ii9Ab3 + mismatchLabelKeys: + - 4X2zohLQD + namespaceSelector: + matchExpressions: + - key: HyU35bXzWF + operator: 尽ǰ + values: + - "" + - sB3pY + - 4r + namespaces: + - vW + - LYI + - mhQ0 + topologyKey: pjisw + weight: 1962236401 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 9GtVGXjE + operator: 镭鱆ʁ;崽DȔ3Ĭ鐓敝 + values: + - igW0 + - Qiyx + - zMm24In + matchLabels: + AWiVWW: gPF0Yh + matchLabelKeys: + - 01T9Mphw + - qcecz73o + - o6bBrV + mismatchLabelKeys: + - uJJWe + - 8On4IIB31 + - p4t46HL8K + namespaceSelector: + matchLabels: + h: iExiiF + topologyKey: ZhTV + weight: -2130387111 +annotations: + cflWrdcz: jJe +automountServiceAccountToken: false +autoscaling: + enabled: false + maxReplicas: 451 + minReplicas: 241 + targetCPUUtilizationPercentage: 434 + targetMemoryUtilizationPercentage: 89 +commonLabels: + "": WcYTY + rHtDM6k: ZY6Kw +configmap: + create: false +console: + roleBindings: + - 0RZs: null + 3MoL: null + DS: null +deployment: + create: false +enterprise: + licenseSecretRef: + key: "" + name: mP +extraContainers: +- args: + - TLL + command: + - "" + - kyr + envFrom: + - configMapRef: + name: cGxJkM382 + optional: false + prefix: 8ZYix + secretRef: + name: sptdX + optional: true + - configMapRef: + name: sv + optional: true + prefix: juf4E1 + secretRef: + name: WrvN + optional: true + - configMapRef: + name: stixRM6Z1c + optional: false + prefix: eHg4 + secretRef: + name: kJK + optional: false + image: Q + imagePullPolicy: 榲µʪ + lifecycle: + postStart: + exec: + command: + - AHw4N6lX4 + httpGet: + host: CuJ + path: kY9OI68 + port: I6fEdljwf7WI + scheme: 0Tæ + sleep: + seconds: 8747859025599270243 + preStop: + exec: + command: + - SAiYloe + - rxrb8 + - U1 + httpGet: + host: D + path: Ck4D + port: 1235678776 + scheme: 讅º頼 + sleep: + seconds: 2255567287221174216 + livenessProbe: + exec: + command: + - rlPo + - TpvecI + - c + failureThreshold: -1194959675 + grpc: + port: 1286950474 + service: l03Ttx + httpGet: + host: iZbpkGTG + port: -104521289 + scheme: ǘɚƃŊ1_蛺ƥ篯 + initialDelaySeconds: -1041934050 + periodSeconds: 1858129919 + successThreshold: 812913269 + terminationGracePeriodSeconds: -6125486107996409317 + timeoutSeconds: -1767574186 + name: "5" + readinessProbe: + exec: {} + failureThreshold: 596482569 + grpc: + port: 1150156757 + service: qaPYsPWRM + httpGet: + host: iNasZ6 + path: CpVj + port: GC + scheme: 謭¤GȫȇƄ聭Dłʬ + initialDelaySeconds: -1604058483 + periodSeconds: -603768209 + successThreshold: 1589218932 + terminationGracePeriodSeconds: 4819160591653315271 + timeoutSeconds: 2047446198 + resizePolicy: + - resourceName: Or + restartPolicy: OȜ)漢ɨ酳h + - resourceName: i6roWBCG + restartPolicy: Ćʊ赆ʒ + resources: + limits: + ZTOf: "0" + requests: + "5": "0" + restartPolicy: ȱTǣıN飿 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - c + - Ɛ絜-Ȭ狆ǚƫȼ)ɦȗ欌3Z + drop: + - '*`N}柁番贝鍝陂±Ǖ弊' + privileged: true + procMount: 湅ʨɩƗ吞硩Ǘɵ櫜5 + readOnlyRootFilesystem: true + runAsGroup: 2454233763446715277 + runAsNonRoot: true + runAsUser: 1349777568495231591 + startupProbe: + exec: + command: + - tEiO0Gf + failureThreshold: 1955219951 + grpc: + port: -4890683 + service: 4tTWT + httpGet: + host: 5h5p4Uk + path: JX2HU + port: b6yI + scheme: 娂儯庬Xǿƫ + initialDelaySeconds: 1159427409 + periodSeconds: -1534574298 + successThreshold: 1143094739 + terminationGracePeriodSeconds: -2223019815025430450 + timeoutSeconds: -1544667872 + stdin: true + stdinOnce: true + terminationMessagePath: 1FuR + volumeDevices: + - devicePath: "Y" + name: EahA503T0 + volumeMounts: + - mountPath: QxOZw9E + mountPropagation: N"賬 + name: k4sw3lfzmj4 + subPath: 9a + subPathExpr: q5p0 + - mountPath: 9FHN + mountPropagation: o~ʆ容Ĺkjɋ5cȔcƼ诔楞 + name: wmkq + subPath: M1UIiHV + subPathExpr: IhSh2 + - mountPath: KTgxDgARv + mountPropagation: 篪k矲PƊ$ʇ謞šS婝耻遄 + name: nvW2 + readOnly: true + subPath: u6 + subPathExpr: C3n82 + workingDir: F2B +extraEnvFrom: +- configMapRef: + name: s4S + optional: true + prefix: g8JM + secretRef: + name: Km8n + optional: false +extraVolumeMounts: +- mountPath: VW + mountPropagation: gjɲi呒>[ɻ + name: HRTFVpU6YN + readOnly: true + subPath: J + subPathExpr: Zx9CYV +extraVolumes: +- name: ldO +fullnameOverride: fB6TF +image: + pullPolicy: '&Q眫' + registry: HjNl + repository: z9WL9QV + tag: jKgmVjE +imagePullSecrets: +- name: DL1OBpd0 +- name: jM +ingress: + annotations: + A4M6T: IUmZ9 + AHN: gcT00IU6 + S: lzi1Q + className: aU0xOzsFN + enabled: true + tls: + - hosts: + - PV + secretName: aHG1 + - hosts: + - bX + - Cu + - xuscoJ + secretName: fBCynrlb +initContainers: + extraInitContainers: aF +livenessProbe: + exec: + command: + - mWA8 + failureThreshold: -2111746605 + grpc: + port: -159496093 + service: 5BzT + httpGet: + host: Pgb + path: W + port: FTodWK + scheme: '@ĝȗɰ*8Eȑ' + initialDelaySeconds: 1224736641 + periodSeconds: 1490424943 + successThreshold: 2012886943 + terminationGracePeriodSeconds: 1140281843739171103 + timeoutSeconds: 1910690397 +nameOverride: "" +podAnnotations: + P10bx: 4As + RWk: E + e: rh7XI +podLabels: + SnZ: mnX + aL0TsomY: aVv4hsuMJ7Aiq + luPi3E6: iCt +podSecurityContext: + fsGroup: -137977092678744094 + fsGroupChangePolicy: ʅ翄ąIJU÷[Ɉ<Ǧ兰巒鄂 + runAsGroup: 2453672470118860 + runAsNonRoot: false + runAsUser: -2867620198524252040 + sysctls: + - name: p + value: "" +priorityClassName: wQ +readinessProbe: + exec: + command: + - bmfgcwd + failureThreshold: -1418487663 + grpc: + port: -468793496 + service: MhQm3 + httpGet: + host: nQSr0S + path: M8 + port: 1657726276 + scheme: 鶉阑 $ý + initialDelaySeconds: 1895968402 + periodSeconds: -1686229865 + successThreshold: 1934722351 + terminationGracePeriodSeconds: 2537915062001973026 + timeoutSeconds: 1366589097 +replicaCount: 376 +resources: + limits: + 87w5tBp: "0" + AmXXE: "0" + QH55ZH: "0" + requests: + EbalAlq: "0" + RpvkPX: "0" +secret: + create: true + enterprise: + licenseSecretRef: + key: ellF2F + name: K3 + kafka: + awsMskIamSecretKey: Xs8UvJPyL + protobufGitBasicAuthPassword: BKbdr + saslPassword: xW3EDKA + schemaRegistryPassword: Vewx + schemaRegistryTlsCa: te + schemaRegistryTlsCert: JxH + schemaRegistryTlsKey: jhxioPhQ + tlsCa: eP + tlsCert: H9 + tlsPassphrase: Gz + login: + github: + clientSecret: Q + personalAccessToken: akEcq + google: + clientSecret: vj6 + groupsServiceAccount: pJ8NQ + jwtSecret: jUc4rQpG + oidc: + clientSecret: 8SCyi + okta: + clientSecret: Yd + directoryApiToken: q1rSa + redpanda: + adminApi: + password: mON + tlsCa: rNzsp + tlsCert: UStA + tlsKey: 3E +secretMounts: +- defaultMode: 305 + name: smBrE0cI + path: "2" + secretName: zeb +securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - pij*fƤ + privileged: false + procMount: 罽İ耲,衧駕R=k{ŝ{躈瑮L + readOnlyRootFilesystem: true + runAsGroup: 3478202026348193011 + runAsNonRoot: false + runAsUser: -5521479784565460908 +service: + annotations: + aDeGG7F9S: 5d + nodePort: 439 + port: 271 + targetPort: 481 + type: PK7oH1pcU3 +serviceAccount: + automountServiceAccountToken: false + create: false + name: "" +strategy: + rollingUpdate: {} + type: żb給ū裬M +tests: + enabled: false +tolerations: +- effect: 瑟bĕʫFuěG盲ÿ + key: d + operator: 秸ƿ + tolerationSeconds: -7614909558910242428 + value: h2U4 +topologySpreadConstraints: +- labelSelector: + matchExpressions: + - key: 60k + operator: ʉ赳Ɇǂt硴煟讒ib + values: + - M755avF + - He6fTmtHDXC + matchLabels: + c4BN5BiYtjB: tyUmvwGkL + matchLabelKeys: + - E4G8mM3 + - G1C9Cjj + maxSkew: -1527756346 + minDomains: 432090734 + nodeAffinityPolicy: qǗ阵W&喁CE®ņpPȂ\Ç苗ĈȄ + nodeTaintsPolicy: ȉ珉@:x凝謽Q釀ļn适c顦 + topologyKey: V + whenUnsatisfiable: 瀥 +-- case-047 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: {} + weight: 182966451 + - preference: {} + weight: -2028220392 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 5a5MXO + operator: kƎǦƙ«嚄ƭr騥邜Fċʐ叧F& + values: + - BRA + - Ywt7JHE + - key: TjE3wFb6 + operator: O`6ƥ縈L:Ckʄ鹟瑧 + values: + - "" + - dxDLfiL + - 0IgsneLlLo + - key: tuBbSOMR + operator: 桛ʫ褛ʒɩWkv濱瘛#Ěi邱CNǖ4孳 + values: + - 9zJ + - 7T3iJAwX + matchLabelKeys: + - ZYcvinlq + - PwQO9 + - M3gb + mismatchLabelKeys: + - e + - K1XrVh + - D1CkR8 + namespaceSelector: + matchExpressions: + - key: uqnyV6k + operator: rĮ'示嶠ĵ攛Ņ + - key: 0ONfMVB + operator: n梷E8ʟ菛晉 + values: + - Q + matchLabels: + IqH8n: pCJ16S + mUE: HyxdirX0F + namespaces: + - gptVP + - L + - 7CmPHtA + topologyKey: XDhewcrvK + weight: 2033587292 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: jcAfZ5VF + operator: 饀re + - key: sj + operator: U姑R° + values: + - p8zbO + - key: 2LmP5 + operator: ŸȢ庾塁BƖ + values: + - NN + matchLabels: + ApvKyKe: kHE9lIIleR + mismatchLabelKeys: + - n3VRcT5qX + - zGNqgUGNX + - hDZ + namespaceSelector: + matchExpressions: + - key: "7" + operator: 砃=G墈赞飍鵝7d + values: + - Uiz9BnY + - key: hd76 + operator: '{緶ɡnW' + values: + - vc1yj10y + - Je + - eg + - key: 06pjmB + operator: =帛胏 + values: + - RQ10 + - Z5WWhGqt + namespaces: + - seMTT1 + topologyKey: E + - labelSelector: + matchLabels: + oplIL: 67Fs0Yu4 + mismatchLabelKeys: + - T1 + namespaceSelector: + matchExpressions: + - key: hOQWYMD + operator: vǑ壞2â飿"Xʝ簮倏c + values: + - "0" + - key: WWGKqAgL + operator: '''OƼŪ祰ǑŗiU嘏ɮ?Ī語' + values: + - yU5IOsL + - koP + namespaces: + - lDs + - xQZsD + - J + topologyKey: j0k4ds + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 9nDdXGQwP + operator: '[痵lǝ,ǶÜÂD' + values: + - th + - u8xZ + - ucr3vqZeG + - key: QWVrK8k + operator: ʀăɼy耯#運+3坽« + values: + - 2lcZKn + - G2IQ + - YbYwv + - key: N4bc7Wn + operator: '%7`iɊȑ槦醒}' + values: + - NiSH90 + - 98iHVkt + - 0r3Yu9i + matchLabelKeys: + - zrV + - Ey + - R + namespaceSelector: + matchExpressions: + - key: gEbVS1wo + operator: z + matchLabels: + 2YURuF: "" + CJTjm6: nOFN + oUtlWUD: 0k14ag + topologyKey: M1yF5YA + weight: 477520510 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: mdjoxbr + operator: V2SŨǰ8嫟淦 + values: + - 3ww0Ei + - 2PjudE + - pmpvETB0n + - key: NFqQGo + operator: 处;Ƕk鎹û絹褡Sy + values: + - V + - key: HuZ + operator: ȓő&ś>S怭ť]E榕 + values: + - sUume + matchLabels: + ef2q: 4ZL0O9b + r8xqG: MJ + matchLabelKeys: + - "" + - "Y" + mismatchLabelKeys: + - djn6fDf + - ukZi8 + namespaceSelector: {} + namespaces: + - dOU1F + - 1ygQdj3xZ3YIf + - wvpeJx + topologyKey: Rq4K6z6 + weight: -1277100698 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: b + operator: "" + values: + - tmuB5 + - 9qE9GM + - oJpaRDn2 + - key: WY + operator: u酘b + values: + - RhO + - Cs2rDIRrPlii + - nG4bqoAkQU + - key: eMae + operator: ǟĕȴnjI覿9¥H艞ɋ + matchLabels: + ToIBbWL: 4k8X + i2qGkWjvF7QJ: pb0sZq + u12o4B4: Ybz + matchLabelKeys: + - HCKtJC7hm + mismatchLabelKeys: + - 21r0Z + - "" + namespaceSelector: + matchLabels: + 2BNgnKr7Ob: 5RffK5NB3ghhfO + bJC: WTOgH + uA: bxdRwsU + topologyKey: 2CsbupZ + - labelSelector: + matchExpressions: + - key: RIP + operator: Oȝ(氧罻 + values: + - 1bx3Fix9 + - key: eqQoi + operator: 68+ʈĘ + values: + - FgfwmYrR + - mznlyr2aLTGF + - GfAoC8M + matchLabels: + FKwNoJ: aJZxa + cEeo8ix: 3dHunLjp5 + ihSd: qG7x + matchLabelKeys: + - F6LQK + mismatchLabelKeys: + - ULcGW + - RYv + - fF + namespaceSelector: + matchExpressions: + - key: Tkp5 + operator: ȴ潺谡Ƣh躈ŮâÿȒũĔ + values: + - fY9NuWB + - O84 + matchLabels: + 09fI: EDSEVi + Dl: 4u38aD4O + vZCciR: neqAXd7k + namespaces: + - ozziI6FZ + - URQlLJF + topologyKey: SeSq4K +annotations: + Bx5i3M: s + svlaTGpSHD: 7P9k +automountServiceAccountToken: true +autoscaling: + enabled: true + maxReplicas: 122 + minReplicas: 449 + targetCPUUtilizationPercentage: 218 + targetMemoryUtilizationPercentage: 488 +configmap: + create: false +console: + roleBindings: + - eaLPMN8qOPT: null + xb: null + xnt: null + - 3Mgk: null + roHIFBN: null + - TtzrP: null +deployment: + create: true +enterprise: + licenseSecretRef: + key: nj + name: rl +extraContainers: +- args: + - lW + - lpUVzUh + command: + - 3mEGtoKbEWE2Jw5T + - b1GBFA + env: + - name: hsiWF93 + value: zBco + valueFrom: + configMapKeyRef: + key: 8hvvaoHB + name: "y" + optional: false + fieldRef: + apiVersion: WPT5J + fieldPath: sc + resourceFieldRef: + containerName: 0xbTU4O + divisor: "0" + resource: tPBV2ObG + secretKeyRef: + key: YEKZukl + name: px + optional: false + - name: PM0MyyH3R6R + value: yOzX + valueFrom: + configMapKeyRef: + key: I3pi + name: DC + optional: true + fieldRef: + apiVersion: "25" + fieldPath: "" + resourceFieldRef: + containerName: aZj1E7LU + divisor: "0" + resource: sxs0nE31 + secretKeyRef: + key: Ktb3c4 + name: g98T + optional: true + - name: 6kDq8UgFIS8 + value: L0i4 + valueFrom: + configMapKeyRef: + key: 9WUe9 + name: tZrRUK + optional: false + fieldRef: + apiVersion: GIc + fieldPath: AXTmU + resourceFieldRef: + containerName: E2 + divisor: "0" + resource: a63tq + secretKeyRef: + key: luWp + name: lPdowo + optional: true + envFrom: + - configMapRef: + name: vzVk + optional: true + prefix: DONFyRd + secretRef: + name: 9uct + optional: false + - configMapRef: + name: z5nC9D + optional: true + prefix: 5epUyS1iy5m8 + secretRef: + name: zqRFC + optional: true + - configMapRef: + name: awjfJlZxN + optional: true + prefix: LhArOQgbq1OCR2L + secretRef: + name: mb5axzX5 + optional: true + image: qPLiX + imagePullPolicy: '{Ĩ檽]ĻĹňɋ偌Ȏ.阛魉' + lifecycle: + postStart: + exec: + command: + - yAeOM + - s53um + - 3m + httpGet: + host: GJWsJm + path: iDQ + port: 1781170742 + scheme: 皐ű葺ȝĬ麐&ʉ執dz0娸叹 + sleep: + seconds: -4230531115544534394 + preStop: + exec: + command: + - sIGb5 + httpGet: + host: AbxhPKar + path: 3ZZ5 + port: 88852320 + scheme: 砨Ĝ_筀¤痟氻劊űI俼员z幛F + sleep: + seconds: -4758564920159898567 + livenessProbe: + exec: + command: + - ty6JMTW6vA + failureThreshold: -1459976999 + grpc: + port: -1689493187 + service: ihsDMVYd + httpGet: + host: e9NNlO5d + path: iBo4 + port: 334788778 + scheme: ƿ:ħȠL$ + initialDelaySeconds: 1625633184 + periodSeconds: 1327859251 + successThreshold: 1766792721 + terminationGracePeriodSeconds: -3971501657411371216 + timeoutSeconds: 557348614 + name: U3U + readinessProbe: + exec: + command: + - "Y" + failureThreshold: 391027623 + grpc: + port: -1858356724 + service: hnqm + httpGet: + host: g + path: C48 + port: F + scheme: 苎lɲÁ频×ȊDžȀ9Ď"昽 + initialDelaySeconds: -1404160881 + periodSeconds: 521131323 + successThreshold: 2005094455 + terminationGracePeriodSeconds: -5942417190535485186 + timeoutSeconds: 2118365394 + resources: + limits: + Ms1A: "0" + WkWhM: "0" + requests: + b4kR9nm9BfQZy: "0" + eLg: "0" + huME: "0" + restartPolicy: ľ慔/PpǏ銢9滖ɝ韍I鍌$ʪ辫Uz + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - wą&嘪研Z`ȧȢfʘ*ō + drop: + - ƿ`ĉĎ苦Ǧ蘈NJ她笻Ƞ + - 磨3踦煨1JƸc錚捁 ĊZe)ám \ + privileged: true + procMount: 鋶XJm/覹ɋ¶ȉĒȤ瀶|ƻŒ(咡 + readOnlyRootFilesystem: false + runAsGroup: -8452021579348253718 + runAsNonRoot: true + runAsUser: 5983932912975749110 + startupProbe: + exec: + command: + - sZhTLr + - GK + - kqL9aDDm + failureThreshold: 1004086477 + grpc: + port: 1266077274 + service: l1ji1IW1ic + httpGet: + host: rJI + path: H731Dr + port: 1333462733 + scheme: 项鰚ɽ洍êƳ + initialDelaySeconds: 1806670133 + periodSeconds: 1290098703 + successThreshold: -490255445 + terminationGracePeriodSeconds: -206080146769410314 + timeoutSeconds: 270060590 + terminationMessagePath: P1HCGJEbJiD4 + terminationMessagePolicy: ʇ鞯BC鸼樁÷ǹ楺 + tty: true + volumeDevices: + - devicePath: a4 + name: 0bA + - devicePath: VeRXU9 + name: A0XbFJhG + - devicePath: fdim + name: RJf + workingDir: ZoDFb +extraEnv: +- name: "" + value: YbKo + valueFrom: + configMapKeyRef: + key: bIruuA + name: x8 + optional: true + fieldRef: + apiVersion: EqX + fieldPath: ZOh + resourceFieldRef: + containerName: IDJTm5lv + divisor: "0" + resource: QDC8v + secretKeyRef: + key: "8" + name: LcSdNiKff4 + optional: false +- name: RZHq9C + value: m + valueFrom: + configMapKeyRef: + key: PZVqf + name: x + optional: true + fieldRef: + apiVersion: xQi + fieldPath: vxeo + resourceFieldRef: + divisor: "0" + resource: l7 + secretKeyRef: + key: i3lK + optional: true +extraVolumeMounts: +- mountPath: OO0aO6h + mountPropagation: "" + name: kDKM + readOnly: true + subPath: AlRCH + subPathExpr: 7UemLsIe +- mountPath: Z8zdlU + mountPropagation: 醗¡°v:胡 + name: aedAMG + subPath: zo5P1xa + subPathExpr: WmuiME +- mountPath: ufiUx + mountPropagation: '`ʡÔ关Ľ?' + name: PWBh + subPath: 2hslJ + subPathExpr: pUtN3 +fullnameOverride: YUi5JpG +image: + pullPolicy: ȕ蚧竔/´苅oC + registry: zUsK + repository: lQjo + tag: p +ingress: + annotations: + CImW98Gx2v: otj + fP: SRGkm + className: lM + enabled: false + hosts: + - host: AYT + - host: oulge + paths: + - path: 3bi + pathType: ixqeQz + - path: nG + pathType: 5LwYGxvMr + - host: "" + paths: + - path: jJrUpe + pathType: 72AAc + - path: B0K + pathType: kxnm8kN + - path: tQDn + pathType: IxAmHD + tls: + - hosts: + - n9Np8ftRtFhzi + - g + secretName: C + - hosts: + - CMhuwA + - wYA0tSvo + secretName: z + - hosts: + - 34mbP + secretName: 80Z +initContainers: + extraInitContainers: PRtnaAy8 +livenessProbe: + exec: {} + failureThreshold: -1392926461 + grpc: + port: 257623603 + service: us + httpGet: + port: L9CrR58RHnS + scheme: ʅ²7kp + initialDelaySeconds: -1384385388 + periodSeconds: -1660079876 + successThreshold: 680842396 + terminationGracePeriodSeconds: 6050526356201491316 + timeoutSeconds: 213455290 +nameOverride: nEojiMtRc +podAnnotations: + Mfsd: hmi +podLabels: + 6dZAs: xJPaLHKS1Y2 +podSecurityContext: + fsGroup: -6567182940167159103 + fsGroupChangePolicy: 6iɰ堂:齐ǪÈ + runAsGroup: -1787219330993537800 + runAsNonRoot: true + runAsUser: -5627543087390804845 + supplementalGroups: + - -3306962996817147613 + - 975882030005456556 + - -5263492609498468245 + sysctls: + - name: YC + value: 7JlDTCP6hs +priorityClassName: 0P6RnoBeb5 +readinessProbe: + exec: {} + failureThreshold: 1689894479 + grpc: + port: 222105741 + service: D + httpGet: + host: vyj + path: JoV4VZMz2Bv + port: vRf9ZHgc4j + scheme: 条om競娷Njʑ + initialDelaySeconds: -1753994274 + periodSeconds: -1189421015 + successThreshold: 1278527365 + terminationGracePeriodSeconds: -6266260075166332402 + timeoutSeconds: -209775227 +replicaCount: 391 +resources: + limits: + 8ycM: "0" + requests: + CvglPI: "0" + s5: "0" + uiHB: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: Iq + name: Tb8RGi + kafka: + awsMskIamSecretKey: gj + protobufGitBasicAuthPassword: kO + saslPassword: IB3qNjrV + schemaRegistryPassword: 4wnp6Qi + schemaRegistryTlsCa: gFBJq + schemaRegistryTlsCert: LUubckiv + schemaRegistryTlsKey: 9Op + tlsCa: 94x0v + tlsCert: h4lSMbv + tlsPassphrase: CVT4wjw + login: + github: + clientSecret: YaYETggo1hi + personalAccessToken: d + google: + clientSecret: tDqsIg + groupsServiceAccount: FSUAkU004n0k + jwtSecret: 2dWKNqarwb + oidc: + clientSecret: i2n + okta: + clientSecret: XytR0yn + directoryApiToken: m3WEq4zKv + redpanda: + adminApi: + password: ozo + tlsCa: 0g + tlsCert: hQ + tlsKey: xfpkmy +secretMounts: +- defaultMode: 184 + name: L8dbWip + path: g + secretName: LF0O +securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - «Ƙz损 + - ɟE鄱Į惪Y桦ŗɘoȍ蠣4ƪ呀R> + - "" + drop: + - 娤b + privileged: false + procMount: ʍ曏(ƶæ + readOnlyRootFilesystem: true + runAsGroup: -406748533537085799 + runAsNonRoot: false + runAsUser: 3238073083343117470 +service: + annotations: + 8v2: JbH + 95cxbjjD7C: JBMaJ + VY: yRV7d + nodePort: 18 + port: 168 + targetPort: 227 + type: WAAXkZY +serviceAccount: + annotations: + DQxrtk8: buiWLPbYq + HHbP: sAY + Y0DKOcTa: D82Nfh + automountServiceAccountToken: true + create: true + name: DSw7 +strategy: + rollingUpdate: {} + type: żʧȟ +tests: + enabled: false +-- case-048 -- +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchFields: + - key: v + operator: ė + values: + - ln + - lU4zX8iz + - t0Xc + - key: s3fpu + operator: ɥ娿ăʄĠ mʓ銈E'袭ĵ + values: + - ljJlhx + - matchExpressions: + - key: qPBvuBghor + operator: 泱诅ʫt + values: + - a05XZwN + - SiAvFWs + - FhW1 + - key: MVFTcW + operator: º囜N赧0索d + values: + - c + - ghZI + - AjB0J + matchFields: + - key: QzMSpLW + operator: :ɉùȪÇzǥC货°ÕV? + - matchExpressions: + - key: pA7a1gYdV + operator: '[ĪtOK' + values: + - 2bE4Bw + - fyMOYi + - key: wshbw7Ix + operator: J槭~撑MS=ÑƎ薽饵a緗 + values: + - 9jt6 + matchFields: + - key: s1 + operator: 犫茬睶ňv + values: + - XhyH + - Ng1r1 + - nqis + - key: mHLiT + operator: ȁ佝L郗s稷tŻ+f舭拳鰵2e{a + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: jdvk + operator: ƶ + values: + - NV + - y4 + - V2XRZS + - key: 9VvAl5 + operator: <坎陸$§¤_ã檠奙Å饉J夗ɓ翩锸辸 + values: + - x26kYkJ + matchLabels: + DziixIJYd: yCXzPc + matchLabelKeys: + - XNuk + - RGLu + mismatchLabelKeys: + - aF3 + - R + - Tnj6SmTq + namespaceSelector: + matchExpressions: + - key: e1XR + operator: Kɞ窏ǿ,鸣ŰcNc + values: + - Yrq + matchLabels: + F2Pe7J: dlwTdhs + lK: nolQ + ys9z: euXWPiaJ3Bv + namespaces: + - tAzvw4OH1G + topologyKey: 6y + weight: -1640008169 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: XbjQvP + operator: V嶙NZ谡筩ǒ抂 + - key: i + operator: ɔŃ旓Ɍ鬺X + values: + - Zvx + - 7HWJ + - e4ucTP + matchLabelKeys: + - 0LSTZ + - ESk2r + mismatchLabelKeys: + - CKhfvR0Sg + namespaceSelector: + matchExpressions: + - key: A0tc + operator: 辛§ʢ垝V矋n握匞~嶯筪溆¸ + values: + - ML + matchLabels: + K1pr: ROFIwZhJYYo + ODc: 48WQ + namespaces: + - Wv7 + - zenLPw + topologyKey: tIVDde5U + weight: 1977587462 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 3YyUamlR + operator: 橯F + values: + - dHitre + - 90jUjk + - key: NtnSL + operator: 臰sR=坵Ěcñ黪:ɻ寊â9dƎ\V + values: + - qqzycK + - key: ICXJGRFS + operator: $貕^eėǭD鳅ʇ + values: + - txX + - SFrkJ9r + - 3jOnwEW1 + matchLabels: + Uwj1kpV: oUXOYkF + o: ts5wRqjTyCy + matchLabelKeys: + - V2DNNCORe7ZRA + - pglXe4D + - w3881 + mismatchLabelKeys: + - xbi5KtUmR + - eZenitLdd + namespaceSelector: + matchExpressions: + - key: fxd5Y + operator: 頣R熗!A麳Ƚ6r爤暓 + values: + - oe46YF + - rT30v + matchLabels: + 4WA: EH + nRhlLLx1yHy: 5UFrj + namespaces: + - 7j92oP + - 2hf + topologyKey: "" + weight: 92207265 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: wBvol + operator: Ɂüɯ + values: + - eKmyok + - key: B2uj69 + operator: "" + - key: hLrZlh + operator: ȕ嵠味 ɼ_ + mismatchLabelKeys: + - W + namespaceSelector: + matchExpressions: + - key: Qu + operator: 亣i拴ÿ + values: + - OeiUsmYu + - oGXa6Ma + matchLabels: + "": Li + oDV7yR: NP + namespaces: + - PQjQb3LP + topologyKey: Gs1 + - labelSelector: + matchLabels: + "": nF + mismatchLabelKeys: + - YG6aQj + namespaceSelector: + matchExpressions: + - key: HpxPVtw + operator: z畘ŠƽǢ蘟\ɡ忕ɋ蜹5B + values: + - EQ + - RP3fBi + - key: Lv60cZut + operator: 裰ƈ + values: + - I9JbN + - dt + - Cya + - key: 0MGm8N + operator: 遍Ż + matchLabels: + nELvnrAFr: DClM + topologyKey: N57yxG + - labelSelector: + matchExpressions: + - key: "" + operator: KǞ}ɣȿ嚶宗荝«Dž + values: + - CGw32z4JHya + - E + - u5CDtdc + matchLabels: + J5LzcLei: kBwTCGZ + iLpqu: j4bqBNDjAK + jN: jUZ0u + matchLabelKeys: + - lNM + - K3nOO5 + - 9norFQpMiC + namespaceSelector: + matchExpressions: + - key: y4teb + operator: 蚯 + values: + - P + - O0 + - MvxOu + - key: v8w1Ok + operator: 8ƴņŨƊ¹艗胲ƦpYƿ9d脙~Ë + values: + - "4" + - "66" + namespaces: + - OtWsVW + - p + topologyKey: GeF + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: GRLHy + operator: Ä椶 + - key: Z + operator: ė牫ȃ汥Ƈ娍q\桕ɄNǴ + values: + - S1hMkP + - K + - x5coDg + - key: kJzBQ + operator: ʉĻ孺bɧɬʬ柿娤e¯]每) + values: + - DbD1 + - C5dyvNew + matchLabelKeys: + - 8G + - 7cCVU + - lN + mismatchLabelKeys: + - xJ5l + namespaceSelector: + matchExpressions: + - key: U89y + operator: ȓ2浿澰V缐厧钎wň莁願菶ʈ杈 + values: + - 9m6ydjpHu + - CatqpZmUCL + - dJz + - key: SIePbOJc6H + operator: ljR2qɟ$s櫮c雕Ů幔莁沥ʫľƙŝ + values: + - 75tj75r + - XiO + - key: "" + operator: 舄或崙Ĭɐ耼Ī弋禽$ + values: + - HWwXVr4o + - WEkwi8ZNDQ + - f + matchLabels: + fi8w0BX: Z48LRdXmkJ + namespaces: + - Yaw2NnfJ + topologyKey: ElKfd7Eo + weight: 1078166465 +annotations: + Dgw3Wl: 7aofTp +automountServiceAccountToken: true +autoscaling: + enabled: true + maxReplicas: 1 + minReplicas: 224 + targetCPUUtilizationPercentage: 468 + targetMemoryUtilizationPercentage: 256 +commonLabels: + 4kU: mkn8 + Ro: NFx1P + Z1p: WE +configmap: + create: true +console: + roleBindings: + - FZ5NQS6: null + - 0ToI: null + RTwav: null + mWwdgyM: null + - {} +deployment: + create: true +enterprise: + licenseSecretRef: + key: "" + name: 3VGefRh +extraContainers: +- args: + - 3QF + - k1BJBm + command: + - PMW + - j + - V7MAcfomz + env: + - name: rAzI53 + value: WlHlq + valueFrom: + configMapKeyRef: + key: zzIBsb + name: Bh261F + optional: false + fieldRef: + apiVersion: SlA + fieldPath: "6" + resourceFieldRef: + containerName: q0BBEv + divisor: "0" + resource: JE + secretKeyRef: + key: FvrZgBz + name: ZTBeic + optional: false + - name: uPptX + value: i9 + valueFrom: + configMapKeyRef: + key: JeHwi + name: TiQHOG1EsFUgIE + optional: true + fieldRef: + apiVersion: i7dd + fieldPath: Tu + resourceFieldRef: + containerName: ChdvA + divisor: "0" + resource: Eq1V33RTZQSJRJFg3V + secretKeyRef: + key: ojxn54r + name: L + optional: false + - name: Sl9Py25FX + value: e9 + valueFrom: + configMapKeyRef: + key: Zq80J9tyR0opcz + name: gy00dyvHFa + optional: true + fieldRef: + apiVersion: UJLSQy7zL + fieldPath: Xm4sg5H + resourceFieldRef: + containerName: ZmY7Fno6Fcop3 + divisor: "0" + resource: gqZwW + secretKeyRef: + key: v + name: hJDoWtjkfL + optional: true + envFrom: + - configMapRef: + name: RdWA + optional: true + prefix: Dq + secretRef: + name: BOBOO0sLIWw0e + optional: false + - configMapRef: + name: MoMnWNTC + optional: false + prefix: "3" + secretRef: + name: B58Vvj3 + optional: false + image: Vn5V + imagePullPolicy: 筥ǏŤČ癳嶧GĒH挕ÄHɡ + lifecycle: + postStart: + exec: + command: + - hTIx + - lslygl + - lSgx5G2IfU + httpGet: + host: GNVKz7 + path: d0Y + port: Igi + scheme: 莵łEǐ嫖ʒʔvŊ>ry5贛 + sleep: + seconds: -184172880642712439 + preStop: + exec: {} + httpGet: + host: tD1TkKV0ES + path: s6 + port: OpK5riOe96 + scheme: 琊*i#欱E唂ȧ鐄膶詃7 + sleep: + seconds: -4889549574266894064 + livenessProbe: + exec: {} + failureThreshold: 1591130939 + grpc: + port: -540029946 + service: aoAN2Lx03 + httpGet: + host: vWu + path: Lo + port: 1468671948 + scheme: ȯ煐IŢ + initialDelaySeconds: -1879733088 + periodSeconds: 1106663448 + successThreshold: 240850805 + terminationGracePeriodSeconds: -7405296717602935730 + timeoutSeconds: 524743651 + name: AInfx2Rak + readinessProbe: + exec: + command: + - oIA3 + - H + - 96Uj2 + failureThreshold: -1855887857 + grpc: + port: -495541010 + service: X + httpGet: + host: ZplmMg + path: tAAr + port: 1950182935 + scheme: ʂ綽oa;n轮ęB觼Z=G泇跢揌韇锶 + initialDelaySeconds: 1057136331 + periodSeconds: -2025421367 + successThreshold: -812558156 + terminationGracePeriodSeconds: 4314843605692522234 + timeoutSeconds: -1609986779 + resizePolicy: + - resourceName: EvmpG + restartPolicy: 4ɱ + - resourceName: hTB20ObO1 + restartPolicy: ½ŏ伐Q蔏ʝ噙漃袩J]Ɣ蒘岇 + resources: + limits: + KWlx2c: "0" + O: "0" + requests: + ZCJwGBL: "0" + restartPolicy: 1nĔ:蹮>s蹬ÍǺ + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - 迠寈搣弝渎İ- + drop: + - 檹Ɩ + - ɧ麧ç2ā兛杧蔙團载^P蚡5缿ʒU襩 + - cLD|ƶ虌Ȗ + privileged: false + procMount: ïƋ圏滜ľ転謀ĤP蹥ȅ|髃蒃Q癎æ + readOnlyRootFilesystem: false + runAsGroup: -4850605470374303682 + runAsNonRoot: false + runAsUser: 7731251064648990624 + startupProbe: + exec: + command: + - LqYoUQy3c4BE + - 5N + - Ug + failureThreshold: -1290004088 + grpc: + port: -1721281251 + service: H2p + httpGet: + host: 02CP5 + path: F609y + port: JjwFH + scheme: 珑 + initialDelaySeconds: -402608647 + periodSeconds: -1520214127 + successThreshold: 209058699 + terminationGracePeriodSeconds: -1900030585542850396 + timeoutSeconds: 1686394545 + terminationMessagePath: qixKzKz + terminationMessagePolicy: Ǥ衚蔁ʙ剠Ǡɭf~ + volumeDevices: + - devicePath: zM1 + name: jmc + - devicePath: IZ + name: PS + - devicePath: kN24U + name: Apu0r1U2 + workingDir: WgB +- args: + - 2Z37 + - 75kO + - TjvjkZTrc8s + command: + - M0NtzJ + env: + - name: 2EH + value: O + valueFrom: + configMapKeyRef: + key: J1ozKsuji + name: glLvAIHP7i + optional: true + fieldRef: + apiVersion: 3gAjGu + fieldPath: sNpuR8m + resourceFieldRef: + containerName: oxx + divisor: "0" + resource: PuKq + secretKeyRef: + key: Iua2L1LoCWMs2 + name: YfKwS8s + optional: true + image: PKNM + imagePullPolicy: ÍĪ0魣Ŋʒ + lifecycle: + postStart: + exec: {} + httpGet: + host: fsZ + path: EGnu + port: 765491661 + scheme: ?ğ叆ɂ&pʠ溶Ǚu + sleep: + seconds: 4688626474961012693 + preStop: + exec: {} + httpGet: + host: TB + path: "6" + port: -50369560 + scheme: ~Ǚɇ>ƃ\7]歉sh羘y4 + sleep: + seconds: -5293607398165581925 + livenessProbe: + exec: + command: + - 1g8dewdj + - lRmD + failureThreshold: -125369558 + grpc: + port: -1490211482 + service: R + httpGet: + host: CSGThzhG + path: 9NBKzoiFzs + port: -272474300 + scheme: ŀ + initialDelaySeconds: -1094670881 + periodSeconds: 1768141210 + successThreshold: -985604418 + terminationGracePeriodSeconds: -1297054466922920616 + timeoutSeconds: -1289231356 + name: KtKv6dg + ports: + - containerPort: -632764671 + hostIP: 8CU + hostPort: 917138107 + name: 1VgOx + protocol: 典ȫ窃ÛǪ3m患 + - containerPort: 739656218 + hostIP: dQQ3 + hostPort: -1348301133 + name: "3" + protocol: '?Ū慾ŘLº桒J:茦扰絥ǗȑĎ:' + readinessProbe: + exec: + command: + - qZ2J + failureThreshold: 293719665 + grpc: + port: 1235836411 + service: ig3 + httpGet: + host: Ws + path: FVnJhZq7I + port: -1075951148 + initialDelaySeconds: 321800409 + periodSeconds: -556535717 + successThreshold: -625124830 + terminationGracePeriodSeconds: -4084380722124342213 + timeoutSeconds: -904900305 + resizePolicy: + - resourceName: GKINnuJx + restartPolicy: Řl©=嬈牍]佧& + resources: + requests: + omO: "0" + uga5: "0" + xnRsp6C: "0" + restartPolicy: ʝdŌİ蒘傥>晑|癶x&ĭmŭƙŵ + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 約nɤưHĞ4WƳǤȣ糥蠇t + - ¾ʃŔ冻楟?¿揈h嘼œ + drop: + - 7忭譺屩嫕ƞʅ袬/氼Xg养ȸ陣萓 + - 胨`鯵ƪĽ藹 + privileged: true + procMount: Ulƙxȿƌ乜溬噕瀆储铐\纬 + readOnlyRootFilesystem: true + runAsGroup: 4589112012742886931 + runAsNonRoot: true + runAsUser: 3204614620414442288 + startupProbe: + exec: + command: + - TFJ + failureThreshold: -585814509 + grpc: + port: 178002023 + service: lAuHCrE + httpGet: + host: "88" + path: Th + port: In + scheme: 鷵菭g顲Ⱦ穪 + initialDelaySeconds: -1856697198 + periodSeconds: 1469578394 + successThreshold: 160563852 + terminationGracePeriodSeconds: -4442318275257517382 + timeoutSeconds: -16211809 + terminationMessagePath: 513sVbgA + terminationMessagePolicy: 隓Ǽ屼Å7嗟Ʈ麝0{ȦDžĐ! + tty: true + volumeDevices: + - devicePath: ugQAJ + name: Jf + - devicePath: BFfnTD + name: kfF6CZ + volumeMounts: + - mountPath: C3 + mountPropagation: 呍婻厦ǒ絶偂蠛ƺ蠖蕍v貰Ė + name: DQvHajhHx + subPath: aYHGugq + subPathExpr: MSs + workingDir: OE +extraEnv: +- name: rd10f1l + value: GtUE + valueFrom: + configMapKeyRef: + key: C1N + name: bi + optional: true + fieldRef: + apiVersion: 9GWlMsB + fieldPath: l2 + resourceFieldRef: + containerName: 4t + divisor: "0" + resource: eyjvzsf + secretKeyRef: + key: xBMOaej + name: O8AG + optional: false +- name: C + value: fYlde + valueFrom: + configMapKeyRef: + key: 4HvhDAkW + name: 5bgA7leE7 + optional: false + fieldRef: + fieldPath: zY6rf + resourceFieldRef: + containerName: S3 + divisor: "0" + resource: 3sD + secretKeyRef: + key: s43 + name: LpaQ + optional: true +extraVolumeMounts: +- mountPath: M5 + mountPropagation: 稤Bơ觓Ð琋 + name: yQHj49RtdzN + subPath: GdQkAKF + subPathExpr: Gvswh +- mountPath: QRg + mountPropagation: 搚Kƕ欕K貵蠜d旓ĀÝ虩釓 + name: qCEH27RF + readOnly: true + subPath: nHB05RuTZ + subPathExpr: K0yH +fullnameOverride: 3um +image: + pullPolicy: Ƀşb?師Ğ`3H觉趟糯襖 + registry: VHbf77MFq + repository: 9Gz + tag: Tg +ingress: + className: ob + enabled: false + hosts: + - host: gH + paths: + - path: Ts + pathType: CGb + - path: "" + pathType: zZQ + - host: iiV3 + tls: + - hosts: + - tHQ4 + secretName: fnmcizOYm + - hosts: + - iPP + - 6ESVwf0d + - ziZck0N + secretName: O7mKv7 + - hosts: + - 8YGvchGJ + - wN + - XtvjzH0 + secretName: VlbaTuVK +initContainers: + extraInitContainers: thAoOYwQDaAt +livenessProbe: + exec: + command: + - nCg + - T6fzKjCjD + failureThreshold: 279778022 + grpc: + port: -995356959 + service: 9yOO2 + httpGet: + host: PYJSaHej + path: fr7 + port: 8Ij + scheme: QɄ揆ѧ鶹i骡l僴Ǎ植烤ĕǘqɦ + initialDelaySeconds: 1098820524 + periodSeconds: 414174316 + successThreshold: 1178515566 + terminationGracePeriodSeconds: -5729352865043664628 + timeoutSeconds: 873461419 +nameOverride: W7q3X +nodeSelector: + Bm9U: oTYglG6dh +podAnnotations: + eG: vxInc0 + g: BI6yk + xCtSP: rQ +podLabels: + ZEXh: zufy +podSecurityContext: + fsGroup: -3794452885502571644 + fsGroupChangePolicy: 欲飹Rɦ薕µL<Ĕ + runAsGroup: -3171560656159467191 + runAsNonRoot: true + runAsUser: -4412205905842408558 + supplementalGroups: + - -7215185124091152595 + - 5139656417921062736 + - 600742233156257714 + sysctls: + - name: Te + value: cKzihj +priorityClassName: l4Mowg +readinessProbe: + exec: + command: + - "" + - c8G + failureThreshold: 37001950 + grpc: + port: 1211428387 + service: UUKg3TJGP2 + httpGet: + host: eznD + path: aBohoOMPU + port: -2044766681 + scheme: 讻;Ǩ办鈁癃靟èʣ¾fǖ^Ǟ + initialDelaySeconds: -396024246 + periodSeconds: -1467409206 + successThreshold: -1328773613 + terminationGracePeriodSeconds: -8721653473984246810 + timeoutSeconds: -1781454259 +replicaCount: 46 +resources: + limits: + 8cdWaeK7jVrR: "0" + HYBi6o: "0" + requests: + NOz: "0" + gH: "0" +secret: + create: false + enterprise: + licenseSecretRef: + key: wNZRnHu3m + name: ULOBG + kafka: + awsMskIamSecretKey: RfMF + protobufGitBasicAuthPassword: julgURa4B + saslPassword: uuq + schemaRegistryPassword: "54" + schemaRegistryTlsCa: 0rjT0gsnw3 + schemaRegistryTlsCert: kpA9ZJQgp1 + schemaRegistryTlsKey: 4rfN + tlsCa: NhTEC0A + tlsCert: iN0W + tlsPassphrase: Id1ovgK + login: + github: + clientSecret: LWyKxwgV + personalAccessToken: Nkq1DyJixsC + google: + clientSecret: tJv + groupsServiceAccount: 9jqz4h + jwtSecret: PWdr6CcxS + oidc: + clientSecret: RMxiMIY + okta: + clientSecret: SJ6I + directoryApiToken: 1wIf + redpanda: + adminApi: + password: C9I2x + tlsCa: Qpp + tlsCert: "" + tlsKey: 7uh28L +secretMounts: +- defaultMode: 80 + name: Mt1 + path: WsSL4vxNxCkXP + secretName: ZxXI0Hhv +securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - Ɋ闻ǃɗʀd撪 + - 蘑ǪY桼ɮǚɳ爥ňB + drop: + - 乄}ñ0詘蛾牪坣缰ƩǏ薷©瓚`Ʋ虯r + - ǓJğ&ĊƯʝbǠCŪzgì + - ńǜ[ɪ判Uʋ]泘狔 + privileged: false + procMount: 媹:堏_ɟ榧禙Ɲ'瞟 + readOnlyRootFilesystem: false + runAsGroup: 2759228957449300312 + runAsNonRoot: true + runAsUser: -812867783664200775 +service: + annotations: + c: DNy + kDPtPpnL: kFmmx + nodePort: 377 + port: 311 + targetPort: 29 + type: l5gj +serviceAccount: + automountServiceAccountToken: true + create: true + name: sKa +strategy: + rollingUpdate: {} + type: 顓ǝSm +tests: + enabled: false +tolerations: +- effect: 嫜ʎ愤wßj硭 + key: JO1 + operator: ȼ¾Pȇ挮ƶȋ'蹑鶚嗵ïG + tolerationSeconds: -6027642013843151183 + value: a3XbyS +-- case-049 -- +affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: L + operator: 域%Ɠ礇!ʘl.ǷŠ该貹&N + values: + - oAk8rvkey + - Fb08GpumY + - key: YJGr + operator: '|4\i事!ų藦x鳜Ǫ' + values: + - 63Yvc + - key: j + operator: ¸瀖čņ!彅搀 + values: + - RnzdW + - Nxs + - unZuno + matchFields: + - key: wLP0QqdHBmd9e + operator: ȑwȼ嶢vC`ȖĜƐ桡牆ēIa,謧ŗ + - key: mdgmMZ + operator: Ō§ȶƔ>#Z骻5S洝岛Ċ啞. + values: + - Fvf6 + - key: GQsV + operator: 涥ȕêȩȋ婍0毙舺糩\DŽŅ饒 + values: + - XccQkxG + weight: -1172839714 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: JpS0BkW + operator: 聣耥ʒ昼|Ȏ)ß瞖a癨櫒缮{v + - key: HLL3gv + operator: 铡ÞC腢z蟒Á + - key: iDGQV8Bjyu5Q + operator: 舢脛歛ƻ68 + values: + - eLCH7Nc + - QQqPUN + - "" + matchFields: + - key: AY2q9fnL + operator: ȏ伌鎩5桀ʁ + values: + - Uac + - K0q + - bY71A + - key: rBwZz + operator: '*ĴȉǼ矼SN]ʛ源' + values: + - 5yMkn + - key: S1C + operator: ÿƙ彋,嘲樦 + values: + - OXH + - vl1 + - uCYaO8Cn + - {} + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: mZ3rAF9 + operator: yŲĺȫ阁笵W®詃Œ + values: + - bhvFz + - key: uiaNXZcXT + operator: "" + - key: AAM + operator: 閸鬼駝洁c奊(Ƅ謍MǍ辰T堍癩)丗 + values: + - "9" + - ESiN3 + matchLabels: + kCSDZtsm5: vVk + oBlyCq: jlh + matchLabelKeys: + - BCZ8FFbh + - A + namespaceSelector: + matchExpressions: + - key: Lsf + operator: L + values: + - a0HB + - C + - key: eoj6ic3 + operator: ż伌oA汄俔ɿ7巪娻% + matchLabels: + Cx: wwPPM + namespaces: + - 9xhG + - JAutZqe4gGeuf + - "" + topologyKey: 1a + weight: 223935020 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: LtGRhs + operator: 棺ǔ'ɘ砒Æ擑Ɵģ + values: + - GhM4BSJqNOf + matchLabels: + "": 7Ni + matchLabelKeys: + - yxF4 + - 22RoWr + - etRteovEh9 + mismatchLabelKeys: + - 7NOfe + namespaceSelector: + matchExpressions: + - key: 3KCX2 + operator: 臞ʀ¯弄Ɨ橎琜ġ鍳¶ȣ2墛.ɮ濎ɕ磞 + values: + - 5YiE0xEC + - 4spxMd + - vUPA + matchLabels: + YHIq: nS + topologyKey: F4 + weight: 716052627 + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: "9" + operator: ĠƑȥ兾3ŶJ + - key: pPvuyWZ + operator: ;bļo刲+圊}MǏŅ惤ć + values: + - 9pMXT + - Ezwo11 + matchLabels: + 66347W: ccFxZoF9 + X: VrN5kt + mismatchLabelKeys: + - u4LyY1 + - zT + namespaceSelector: + matchExpressions: + - key: qwhutJo + operator: 垴ǞƼ + matchLabels: + OFxMkYx: lhxtM + topologyKey: WN8qbUgigF + weight: -1609734055 + - podAffinityTerm: + labelSelector: {} + matchLabelKeys: + - "" + mismatchLabelKeys: + - XnhP + - "" + - Bk + namespaceSelector: + matchExpressions: + - key: M + operator: Ǽ糨ʡ毺Ɇw + values: + - ntvI + - vs + matchLabels: + "4": 2Y2FBpcbg + namespaces: + - 1S8c + topologyKey: jxiZ4d + weight: 1993833508 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: EpKkdimp + operator: 额ƀ箰L禼aÅ顙)C舉 + - key: e2Zu7Kb + operator: t潱髦pö鵺b澁6銹 + values: + - z9n + - LdMQ + - r + matchLabels: + F: Nc + Qa2h5toVwd: GGxZ3BQ + l: Z6Rh + matchLabelKeys: + - LsCC + - dgmxxZW + mismatchLabelKeys: + - e + - Cb + - e0DAEluN + namespaceSelector: + matchLabels: + oJ56D: 33m + tkP8tO: mIkfyE6E + namespaces: + - VxN + - hbwB9 + - t + topologyKey: qag0unul +annotations: + BceQMZiOm: E1uakdHPkLNL +automountServiceAccountToken: true +autoscaling: + enabled: true + maxReplicas: 292 + minReplicas: 381 + targetCPUUtilizationPercentage: 255 + targetMemoryUtilizationPercentage: 99 +commonLabels: + 0HYkOrz: JCwpSW + 0TgDztQSY: P + ztm: qegfb80 +configmap: + create: false +console: + roleBindings: + - K: null + nGSYV: null + roles: + - {} +deployment: + create: true +enterprise: + licenseSecretRef: + key: yAo51i + name: blNvk6O7Urx +extraContainers: +- args: + - kn0F9 + command: + - M + - Hph3 + - lZfWKF + env: + - name: HBWtNh10A + value: 8guE + valueFrom: + configMapKeyRef: + key: Chnm + name: UlwzEQ + optional: false + fieldRef: + apiVersion: 8pq9 + fieldPath: qpnfP4p + resourceFieldRef: + divisor: "0" + resource: L0tn + secretKeyRef: + key: J + name: gbfgF + optional: true + envFrom: + - configMapRef: + name: n32MM + optional: true + prefix: cp3 + secretRef: + name: Uc + optional: true + - configMapRef: + name: VGBL + optional: true + prefix: NTMU + secretRef: + name: CEg + optional: true + image: zIWYBi7 + imagePullPolicy: 蘂ȱʃ& + lifecycle: + postStart: + exec: + command: + - QpTcv + - MS0T0N + - wiE + httpGet: + host: ZCUJOIH + path: UsXT + port: 8nExSP2u + scheme: 'uŊ6熀: 焆 烷ʫ-Ŗ亾ɣʖ氝"肰' + sleep: + seconds: -2519616411083819638 + preStop: + exec: + command: + - rmQ7 + - GxRXQk + httpGet: + host: UIVpXMrzW + path: 4tHQ + port: 8xLK1VyM + scheme: ƳǃóɃȊ{回żz闓葊G嚥 + sleep: + seconds: 3595323074300269449 + livenessProbe: + exec: {} + failureThreshold: -882825879 + grpc: + port: 503069299 + service: W + httpGet: + host: FilCCd + path: NPZrCEq + port: 6NoPho8wIsxe + scheme: āȹ顺悩錣Xƕ灄ĿG乒 + initialDelaySeconds: 781680731 + periodSeconds: 205458 + successThreshold: 1115648780 + terminationGracePeriodSeconds: 4579765768791485272 + timeoutSeconds: -676867842 + name: 2tf + readinessProbe: + exec: + command: + - edKf + - 0U + - MFr2Oh + failureThreshold: 1812906550 + grpc: + port: -791379232 + service: IAqADBco + httpGet: + host: 55GZ + path: AQC + port: sxTXcp + scheme: ƷMg靚珨嘸ȗʒ鑉Ȝ梒ŗǐkōĕĵ鞍 + initialDelaySeconds: -130429301 + periodSeconds: 876742351 + successThreshold: -1424043483 + terminationGracePeriodSeconds: -1574530902871555383 + timeoutSeconds: 764935409 + resources: + limits: + 9eHi: "0" + rO52puR: "0" + requests: + UF8LV7N: "0" + ao: "0" + cRVsAz8v: "0" + restartPolicy: ɥ]×璳 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ɖ膵7&ʞíXĦx-ǰİɾ榩聨ŗ% + - DŽ熲鴼玜覲杷ȆƠ沺伤{拢 + - ɉȋʠRÂo霾噜奩ƻv$Áő + drop: + - ɑ摿愻J«ʘA宜ƹ¶ + - 餫aJ矐sǁ隑z36渢X赼 + - )ǜ鄰挺溒ŒV栜Ù涸JH-_d + privileged: false + procMount: Ito縎 + readOnlyRootFilesystem: false + runAsGroup: 2484782727894659713 + runAsNonRoot: false + runAsUser: -6936271037843914749 + startupProbe: + exec: + command: + - X + failureThreshold: -256045507 + grpc: + port: 376282302 + service: wdQrDn0 + httpGet: + host: teaO6 + path: DBHpGkYdgAJ + port: -1625640156 + scheme: Ʌ + initialDelaySeconds: 673272264 + periodSeconds: -1050905915 + successThreshold: 282500457 + terminationGracePeriodSeconds: 5768805478519709604 + timeoutSeconds: -601307290 + stdinOnce: true + terminationMessagePath: POO + terminationMessagePolicy: '#d鿂Hk閎=ɰ蜐ġOʡ蠁żǖ' + tty: true + workingDir: Z3pdGL +- args: + - a7Tqs + - UuID5t + - gRCnbjyp + env: + - name: ZV1KP + value: WrT0 + valueFrom: + configMapKeyRef: + key: zZzTgax + name: 3z3eoets + optional: true + fieldRef: + apiVersion: 88zo + fieldPath: z0vE72 + resourceFieldRef: + containerName: DF4t + divisor: "0" + resource: hfVfYFW4 + secretKeyRef: + key: I6JwpO5 + name: I88w22gsx3 + optional: true + - name: z8 + value: sgj8UHZ + valueFrom: + configMapKeyRef: + key: Q85vN + name: lYGl4 + optional: true + fieldRef: + apiVersion: oQu7 + fieldPath: TYd + resourceFieldRef: + containerName: "Y" + divisor: "0" + resource: Yx + secretKeyRef: + key: f + name: 0Pjf9YBj + optional: false + envFrom: + - configMapRef: + name: fAH + optional: false + prefix: vjjU + secretRef: + name: 9A8OgEQ9 + optional: false + image: R7L + imagePullPolicy: '}m6铤<豎ŵ,#M狥ʬo' + lifecycle: + postStart: + exec: + command: + - 2E + - gzntg + httpGet: + host: BOoVI + path: ns7ZMdNwQC + port: XF + scheme: ky咊ʅ ʂ娼ȟƐ橽ǿ唔ARɨ罙 + sleep: + seconds: -3978858376823543730 + preStop: + exec: + command: + - Hns + httpGet: + host: Lw8 + path: wdo + port: -239095421 + scheme: ƹ禍OÇ + sleep: + seconds: 3838288160382433952 + livenessProbe: + exec: + command: + - 8E + failureThreshold: -1052479375 + grpc: + port: 82058135 + service: S3UA2HwQaN + httpGet: + host: T0 + path: wYV6 + port: cEf + scheme: 斡1{嘫b葎剜屙唯皎図Ǜ錮ơxȒt駦Ƨ + initialDelaySeconds: -1976610733 + periodSeconds: 436460884 + successThreshold: -949159248 + terminationGracePeriodSeconds: 1786907735670591108 + timeoutSeconds: -2035324376 + name: 0ygO + readinessProbe: + exec: + command: + - "" + - YQ + failureThreshold: 1469514474 + grpc: + port: -1835111333 + service: 5WmTypZfT + httpGet: + host: BDf + path: ZY + port: tyrBXIqhX + scheme: 趬扬鉰昵 + initialDelaySeconds: -683847692 + periodSeconds: -95594828 + successThreshold: -1707399501 + terminationGracePeriodSeconds: 3256417681193515380 + timeoutSeconds: -2088454060 + resources: + limits: + zVX: "0" + restartPolicy: 晄d塮@ʥO%驮ÆgǍô + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ' 吓zǘa畷' + - 鲃ʍ瑘ƴɛjV艑ǔpMK杣Ġ + privileged: true + procMount: zɱÙŭǫäƿ诧聉ń醽Ƥ裩5 + readOnlyRootFilesystem: true + runAsGroup: -2381715627246700598 + runAsNonRoot: false + runAsUser: 6590063474480015904 + startupProbe: + exec: + command: + - "9" + - oRMM2F + - "" + failureThreshold: -1711876939 + grpc: + port: 1138187974 + service: OvdS + httpGet: + host: GZWJ + path: vzJeBCvGMHn7 + port: h9p1Pak + initialDelaySeconds: 447733263 + periodSeconds: 1805541821 + successThreshold: -1114184264 + terminationGracePeriodSeconds: 2730048172651207780 + timeoutSeconds: -1850805595 + terminationMessagePath: GK8 + terminationMessagePolicy: ɾDŽ÷郃ɻ玗璺,4 + volumeDevices: + - devicePath: bLf + name: UVN1o + - devicePath: fIT + name: Qiswb + - devicePath: 9b8i + name: h1 + workingDir: 1IOT +extraEnvFrom: +- configMapRef: + name: GTjM + optional: true + prefix: GSbKp + secretRef: + name: vhsV8Pl5 + optional: true +- configMapRef: + name: cvXs + optional: false + prefix: cBFtb + secretRef: + name: x9N + optional: false +- configMapRef: + name: rDSrOmdL + optional: false + prefix: 0u3 + secretRef: + name: A6PG37zBJfwNR + optional: false +extraVolumeMounts: +- mountPath: De7 + mountPropagation: 1k噟霞ƁĹ + name: 1Z2WnghTc + subPath: Ts5Ful + subPathExpr: YyidD +- mountPath: onM7c3 + mountPropagation: m=Cɬ + name: GC5ZsY07Mr + readOnly: true + subPath: Xt + subPathExpr: r6gZk +- mountPath: 8gPjX7hc + mountPropagation: ƃ柅珚ȭ能 + name: oN + subPath: auYcD + subPathExpr: aheb25w +fullnameOverride: 0BIfuN +image: + pullPolicy: õ鴀铑û + registry: RCYS61Exfql + repository: 8ZLfmymq + tag: 4BSL9iL +imagePullSecrets: +- name: h5x +ingress: + annotations: + q5IN: ehJ3uPo + zL3YTK: "3" + className: aflhQOHWYOXuZ3 + enabled: false + hosts: + - host: obOeJZKpH + - host: u1ac0 + paths: + - path: Riz + pathType: Oa0rGRl + - path: w2xzu + pathType: n2bXr + - path: a68 + pathType: S + tls: + - hosts: + - pgmng + - hosts: + - rxpJYOgPS + secretName: dMa7jxJF +initContainers: + extraInitContainers: N4zG +livenessProbe: + exec: + command: + - "8" + - hRb + - cFB + failureThreshold: -567921134 + grpc: + port: -512457609 + service: F01OY6OLj + httpGet: + host: C04PqGy + path: lMqUJbF + port: 381786117 + scheme: c隢ƖȂ賒Q'd{X旝ĤɪI,k4Ú + initialDelaySeconds: -507660572 + periodSeconds: 1912372611 + successThreshold: -232304560 + terminationGracePeriodSeconds: -4579383330955987300 + timeoutSeconds: 582403024 +nameOverride: 8dJzE +nodeSelector: + ra78: fJ +podAnnotations: + "": cuRn + qBdeU: EQv +podLabels: + O2n4u: kpFpu + g1c: XEOMg +podSecurityContext: + fsGroup: 6449559755791185949 + fsGroupChangePolicy: 慩梱ʂcƎƱ\火ɘ²ɉ_ + runAsGroup: 841256803887707704 + runAsNonRoot: true + runAsUser: -2824253868920734938 + supplementalGroups: + - 8145086042470336086 + - -5005570809576723279 +priorityClassName: JhGfjGXQ +readinessProbe: + exec: {} + failureThreshold: 1010917423 + grpc: + port: 1307350058 + service: TfOG + httpGet: + host: dKWY + path: Qr + port: -837347685 + scheme: C_ + initialDelaySeconds: -986314779 + periodSeconds: 1763110639 + successThreshold: 1473932979 + terminationGracePeriodSeconds: -4633283219964217670 + timeoutSeconds: 1291669389 +replicaCount: 308 +resources: + limits: + x6: "0" + requests: + eeR: "0" + l: "0" + xppI8xB: "0" +secret: + create: true + enterprise: + licenseSecretRef: + key: 6LDJ8t + name: 4n4q72vaO + kafka: + awsMskIamSecretKey: INqD5 + protobufGitBasicAuthPassword: SBJl + saslPassword: 78E + schemaRegistryPassword: YMuFCG7qR + schemaRegistryTlsCa: 1y5yRb6O2b + schemaRegistryTlsCert: NuhkhpMV7b + schemaRegistryTlsKey: 9zcrFj + tlsCa: 0PF + tlsCert: wArD + tlsPassphrase: bj3xqz + login: + github: + clientSecret: jdPGF7 + personalAccessToken: y6xqv + google: + clientSecret: m6FeI + groupsServiceAccount: xi1j27Lipj8 + jwtSecret: pg + oidc: + clientSecret: zbsTootC + okta: + clientSecret: rHSfT + directoryApiToken: rOXaN + redpanda: + adminApi: + password: 8c + tlsCa: CJbHIM + tlsCert: uO + tlsKey: uhB0L +secretMounts: +- defaultMode: 500 + name: 99SgdOsZD + path: AQpWvptFEk7y + secretName: B6Fq +- defaultMode: 337 + name: U + path: p44 + secretName: DddF02 +- defaultMode: 246 + name: WFd + path: UiI + secretName: tz +securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - 趩燡º嗂{踦 + - CƮ + drop: + - 殟kĔ=ņŧɋ] + privileged: false + procMount: aŻ釯fȠ埱ɺȚ + readOnlyRootFilesystem: true + runAsGroup: 4284419790643993066 + runAsNonRoot: true + runAsUser: -4828746969388386674 +service: + annotations: + L: CP + Yf: K4waOjMg + tIYLLgy: d1szIPW6xt + nodePort: 291 + port: 269 + targetPort: 479 + type: IfYfRoHRG +serviceAccount: + annotations: + 5bpPp: ponDVyZ + Ml1: "" + lt: 6VN8BRlJd + automountServiceAccountToken: true + create: true + name: z12W +strategy: + rollingUpdate: {} + type: 擺m鷾DžPĨ +tests: + enabled: true +tolerations: +- key: ka + tolerationSeconds: 2857628758439265098 + value: Ohni9QGx +topologySpreadConstraints: +- labelSelector: + matchLabels: + 3Ym: o2h5aVp + yR4PPZO: 3X + matchLabelKeys: + - vCKujB + - UqCFKCN + - Xnjfai + maxSkew: -943395897 + minDomains: 1955399000 + nodeAffinityPolicy: 噙撢馥櫱m>Q脕擏w梪 + nodeTaintsPolicy: 蝚溄鑝刉=歱Mr踄 + topologyKey: cHyq + whenUnsatisfiable: Q輒ƗȈʑǯƐ| +- labelSelector: + matchLabels: + E: lyK5b9t + UuSjduy: NcK4 + fty: iP6ai + maxSkew: 1881677866 + minDomains: -561571142 + nodeAffinityPolicy: ȫ寴ī嘌.樥'ǹs + nodeTaintsPolicy: ɇ剀ǨUǜ!俛dz餂~匹呃 + topologyKey: pCHj + whenUnsatisfiable: 尘I:Ƒ匌,騸 diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/testdata/template-cases.golden.txtar b/charts/redpanda/redpanda/5.9.2/charts/console/testdata/template-cases.golden.txtar new file mode 100644 index 000000000..cf65330d4 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/testdata/template-cases.golden.txtar @@ -0,0 +1,24705 @@ +-- testdata/autoscaling-cpu.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: null + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +spec: + maxReplicas: 100 + metrics: + - resource: + name: cpu + target: + averageUtilization: 80 + type: Utilization + type: Resource + - resource: + name: memory + target: + averageUtilization: 10 + type: Utilization + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/autoscaling-memory.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: null + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +spec: + maxReplicas: 100 + metrics: + - resource: + name: cpu + target: + averageUtilization: 14 + type: Utilization + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/autoscaling-nulls.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: null + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +spec: + maxReplicas: 100 + metrics: + - resource: + name: cpu + target: + averageUtilization: 80 + type: Utilization + type: Resource + minReplicas: 1 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/case-000.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + "": 31q1Pbz + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: "n" + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: HRoLg + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + "": 31q1Pbz + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: "n" + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: hvGoJL +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + "": 31q1Pbz + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: "n" + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: hvGoJL +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + "": 31q1Pbz + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: "n" + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: hvGoJL + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: "n" + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + Q9AVJD4: G9TEnp + creationTimestamp: null + labels: + "": 31q1Pbz + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: "n" + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: hvGoJL + namespace: default +spec: + replicas: 387 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: "n" + strategy: + type: Ò泆A + template: + metadata: + annotations: + checksum/config: a2b60d22337ad49c09f2108d08f05fc6590bc4b45c804adc901467f348d564e1 + lyW: mn + pjq6fDr: YA2w301 + uXvFB: VQ5gP9 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: "n" + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: Z2BpO + value: 0ggF3ha7D + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: hvGoJL + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1028486626 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1713123405 + periodSeconds: -1411200119 + successThreshold: -1362510905 + timeoutSeconds: 1375594715 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + x0StjCjt: "0" + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: vQhDS + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: HRoLg + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: hvGoJL + name: configs + - name: secrets + secret: + secretName: hvGoJL + - name: 7iCCax + - name: meEH + - name: xYVSV +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "hvGoJL-test-connection" + namespace: "default" + labels: + "": 31q1Pbz + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: "n" + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['hvGoJL:8080'] + restartPolicy: Never + priorityClassName: vQhDS +-- testdata/case-001.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Sh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: T50cZi + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Sh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: T50cZi +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Sh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: T50cZi +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Sh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: T50cZi + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: Sh + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Sh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: T50cZi + namespace: default +spec: + replicas: 414 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: Sh + strategy: {} + template: + metadata: + annotations: + checksum/config: 6eb5d8456a652d5006051c8425191238a1a7d39e93a9336b0cc8ca98963c2dbd + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: Sh + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: 3Nf + value: vATdo0CH + valueFrom: + configMapKeyRef: + key: IRw5 + name: fa + fieldRef: + apiVersion: 93Fjhay + fieldPath: LRa2I + - name: T0 + value: trXO4 + - name: P9hPooVH + value: yii5lolb + valueFrom: + configMapKeyRef: + key: spAKa + name: U0EYAAe0 + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: T50cZi + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - image: LlCU3if + imagePullPolicy: RɷVȄ×ʤǫĠ侻Ɏźx跻Å榜 + lifecycle: {} + name: l0 + resources: {} + securityContext: + allowPrivilegeEscalation: true + privileged: true + startupProbe: + exec: {} + failureThreshold: -1510490758 + initialDelaySeconds: 112782468 + periodSeconds: -738545847 + successThreshold: -1801864225 + timeoutSeconds: 1026753125 + terminationMessagePath: gCG + terminationMessagePolicy: hmƂÚÕʏ疅耪鯉瓉Ɏ煐8qĺ + tty: true + workingDir: ixD7Jq + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: {} + priorityClassName: NyOpfr + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: T50cZi + tolerations: + - effect: Mǣ鍙x奬Ø裗Ʈ唿踣ʘ)ɒâÄ + key: AWx + operator: yīÄLJʑʢ避 + value: cO + - effect: ï楡ɜƐf鱖À夹ǙȤK + key: Gk23T + operator: è6槈$_ȋ6}rvĕ曉¸顋ŀÓ + value: DCkzy + - effect: 蠯u牰ŇɔnÜȎĤ原H + key: qSC + operator: "n" + tolerationSeconds: -7696192156323826000 + value: z + topologySpreadConstraints: [] + volumes: + - configMap: + name: T50cZi + name: configs + - name: secrets + secret: + secretName: T50cZi +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "T50cZi-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Sh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['T50cZi:8080'] + restartPolicy: Never + priorityClassName: NyOpfr +-- testdata/case-002.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vN4yH7I + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: R1Yar8 + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vN4yH7I + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: xZty +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vN4yH7I + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: xZty +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vN4yH7I + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: xZty + namespace: default +spec: + ports: + - name: http + port: 413 + protocol: TCP + targetPort: 267 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: vN4yH7I + type: ILpSX2Cy +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vN4yH7I + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: xZty + namespace: default +spec: + replicas: 417 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: vN4yH7I + strategy: {} + template: + metadata: + annotations: + 8vRMfVroYC2: QXbUbLea + VV4w: s4sL + checksum/config: 69703ab54946efe744831224dacdb980663f666d8fa5be794fb800135f91d11f + upwTMuIqflmD: 9J0H45zXX + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: vN4yH7I + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: xZty + envFrom: + - prefix: cfVf + secretRef: + name: ha + - prefix: i2E2Jvnc + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 267 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + 27ywV: "0" + nMnjjF4kM: "0" + xar2JX: "0" + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: Y40 + mountPropagation: $寕洦敬苖ēRõøȀ + name: vn5hd + readOnly: true + subPath: oXCY9 + subPathExpr: p + imagePullSecrets: + - {} + - name: YPVBzxvx + initContainers: [] + nodeSelector: {} + priorityClassName: TeCy + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: R1Yar8 + tolerations: + - effect: ǩ趥螏|F8ǻĬ嵍Ğ错ʂĺƠǷ俆峻噸 + key: b + operator: wąȹV{İ刡嚮ȜJ + value: ZuTw + - effect: D稕栥[Ǟ$焫昲 + key: NnhmxYy + operator: Xʀ + value: v65W + - effect: 岂bĤ晏#DĢº + key: MOgT + operator: 礩懜蹻ǍBȟvɸ堊 + value: 3iXh + topologySpreadConstraints: [] + volumes: + - configMap: + name: xZty + name: configs + - name: secrets + secret: + secretName: xZty +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "xZty-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vN4yH7I + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - {} + - name: YPVBzxvx + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['xZty:413'] + restartPolicy: Never + priorityClassName: TeCy +-- testdata/case-003.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: w6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 8nE + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: w6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 8nE +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: Fb + kafka-sasl-aws-msk-iam-secret-key: SrYY84t + kafka-sasl-password: xCc3TeVY + kafka-schema-registry-password: ovCqxwz9Bf + kafka-schemaregistry-tls-ca: JL + kafka-schemaregistry-tls-cert: cS + kafka-schemaregistry-tls-key: UMwYx4F + kafka-tls-ca: HFpsnPdw + kafka-tls-cert: hseIt + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: w6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 8nE + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: w6 + type: ClusterIP +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: w6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 8nE +spec: + ingressClassName: EqUYi + rules: + - host: bKQCmfZ + http: + paths: null + - host: djItx5GtejC6 + http: + paths: null + - host: 2wLaQU8 + http: + paths: null + tls: + - hosts: + - V8BpuMCig + - 7LqG4w92 + - el3u4v + secretName: nUlu5bMwB8 + - hosts: + - 4HLzq + - 2i4g + secretName: lSgQIKwj5 +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "8nE-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: w6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['8nE:8080'] + restartPolicy: Never + priorityClassName: HNqN9h2 +-- testdata/case-004.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + "": PtQ7JxIAdPjt + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: YMl + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console-YMl + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + "": PtQ7JxIAdPjt + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: YMl + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console-YMl +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + "": PtQ7JxIAdPjt + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: YMl + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console-YMl +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + "": PtQ7JxIAdPjt + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: YMl + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console-YMl + namespace: default +spec: + ports: + - name: http + port: 112 + protocol: TCP + targetPort: 173 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: YMl + type: dO7eovC +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + "": PtQ7JxIAdPjt + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: YMl + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console-YMl + namespace: default +spec: + replicas: 261 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: YMl + strategy: + type: ɡv?ĨJ姯ɚƟć匪cb + template: + metadata: + annotations: + 1iK8Ic: Qo3FCg9qi + 63SsVxDT: v + A1Q4J4: U9jygY2t1F + checksum/config: 5f83295c905c2d3c9fea06172a38428a89334248aea9df0ebd8b589a29afeb4f + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: YMl + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: {} + weight: -1713447377 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: null + podAntiAffinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console-YMl + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 173 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: Oj + name: QmzFlXE + subPath: "" + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: JT0MK + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console-YMl + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console-YMl + name: configs + - name: secrets + secret: + secretName: console-YMl + - name: QmzFlXE + secret: + defaultMode: 197 + secretName: 7gi +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-YMl-test-connection" + namespace: "default" + labels: + "": PtQ7JxIAdPjt + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: YMl + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console-YMl:112'] + restartPolicy: Never + priorityClassName: JT0MK +-- testdata/case-005.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: MW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: pN + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: MW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: pN +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: R4Zj + login-github-personal-access-token: N85av + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: enei1WIcV + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: MW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: pN + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: MW + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: MW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: pN + namespace: default +spec: + replicas: 396 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: MW + strategy: {} + template: + metadata: + annotations: + checksum/config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: MW + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: pN + - name: LOGIN_GITHUB_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-github-oauth-client-secret + name: pN + - name: LOGIN_GITHUB_DIRECTORY_PERSONALACCESSTOKEN + valueFrom: + secretKeyRef: + key: login-github-personal-access-token + name: pN + - name: LOGIN_OIDC_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-oidc-client-secret + name: pN + envFrom: [] + image: 7iw15D/RnJFs0:OQDirE + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: -1921365096 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -1548958176 + periodSeconds: -1952555242 + successThreshold: -1289242499 + timeoutSeconds: -265051013 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: JU4z + name: QEJyD + subPath: ZBEy2m0m + subPathExpr: S1Kk + - mountPath: RjUw5sX7NP + name: ett1n + subPath: NmZKwz + subPathExpr: QOMT + imagePullSecrets: + - name: ATcT6Hd + - name: l15Hhw + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: {} + priorityClassName: KnLhcy2cw + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: pN + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: pN + name: configs + - name: secrets + secret: + secretName: pN +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "pN-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: MW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: ATcT6Hd + - name: l15Hhw + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['pN:8080'] + restartPolicy: Never + priorityClassName: KnLhcy2cw +-- testdata/case-006.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gCH15URsJZr + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: nd7TSb2mNTS + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gCH15URsJZr + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: rzd +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: G + kafka-sasl-aws-msk-iam-secret-key: 1tq + kafka-sasl-password: K8kPgIp6 + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: Zr + kafka-schemaregistry-tls-cert: KN + kafka-schemaregistry-tls-key: t + kafka-tls-ca: CQ + kafka-tls-cert: 6xZ8 + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gCH15URsJZr + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: rzd +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gCH15URsJZr + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: rzd + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: gCH15URsJZr + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: gCH15URsJZr + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: rzd + namespace: default +spec: + replicas: 176 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: gCH15URsJZr + strategy: {} + template: + metadata: + annotations: + checksum/config: f55f3fdc49a4774db4d2377ea9b69fd8da2a190ef99f7fb31aeb393215f878cc + s2D: DMU7 + creationTimestamp: null + labels: + CoBI: 20aOZaZvs + app.kubernetes.io/instance: console + app.kubernetes.io/name: gCH15URsJZr + e0xqmoOD: Nb5V + ylGQE: p + spec: + affinity: + podAffinity: {} + podAntiAffinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: KAFKA_SASL_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-sasl-password + name: rzd + - name: KAFKA_PROTOBUF_GIT_BASICAUTH_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-protobuf-git-basicauth-password + name: rzd + - name: KAFKA_SASL_AWSMSKIAM_SECRETKEY + valueFrom: + secretKeyRef: + key: kafka-sasl-aws-msk-iam-secret-key + name: rzd + - name: KAFKA_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-tls-ca + - name: KAFKA_TLS_CERTFILEPATH + value: /etc/console/secrets/kafka-tls-cert + - name: KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-ca + - name: KAFKA_SCHEMAREGISTRY_TLS_CERTFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-cert + - name: KAFKA_SCHEMAREGISTRY_TLS_KEYFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-key + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: rzd + envFrom: [] + image: zT38Q/V:iSGm6MT1 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + PY: "0" + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: 5uhd1qMX + mountPropagation: ȵS鈛ZQì暗 + name: "N" + readOnly: true + subPath: lbeciOZZ + subPathExpr: Pd88cwE + - mountPath: yVo + mountPropagation: ÑƇ[嫨ĸŁ幵鿯它(ȡ~嘶ƌO情=į臺 + name: Z + readOnly: true + subPath: Nrqx + subPathExpr: Q4ChfT + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: {} + priorityClassName: 1x11c0q + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: nd7TSb2mNTS + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: rzd + name: configs + - name: secrets + secret: + secretName: rzd +-- testdata/case-007.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: HWL + app.kubernetes.io/version: v2.7.0 + cV05TKdtF: 55lItpeJD + h: 1Y7dqm4wZL + helm.sh/chart: console-0.7.29 + name: RFjc7 + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: HWL + app.kubernetes.io/version: v2.7.0 + cV05TKdtF: 55lItpeJD + h: 1Y7dqm4wZL + helm.sh/chart: console-0.7.29 + name: "y" +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: gp + login-google-oauth-client-secret: Ln0 + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: 3A593BjCuu + login-okta-directory-api-token: mSSz8MZ + redpanda-admin-api-password: t + redpanda-admin-api-tls-ca: QD1x71f + redpanda-admin-api-tls-cert: 744Ysvi + redpanda-admin-api-tls-key: 56VaHh +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - "": null + 5w1YcAu: null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: HWL + app.kubernetes.io/version: v2.7.0 + cV05TKdtF: 55lItpeJD + h: 1Y7dqm4wZL + helm.sh/chart: console-0.7.29 + name: "y" +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: HWL + app.kubernetes.io/version: v2.7.0 + cV05TKdtF: 55lItpeJD + h: 1Y7dqm4wZL + helm.sh/chart: console-0.7.29 + name: "y" + namespace: default +spec: + ports: + - name: http + port: 286 + protocol: TCP + targetPort: 404 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: HWL + type: Vvrvx +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: HWL + app.kubernetes.io/version: v2.7.0 + cV05TKdtF: 55lItpeJD + h: 1Y7dqm4wZL + helm.sh/chart: console-0.7.29 + name: "y" + namespace: default +spec: + replicas: 103 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: HWL + strategy: {} + template: + metadata: + annotations: + checksum/config: 37ddb9195e66f6743cc901bea8e2e2db0492fbf3e78355ffe8c7f2395ece1e90 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: HWL + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: qY0f + value: Wu + - name: 9zVp + value: g + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: "y" + - name: LOGIN_GOOGLE_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-google-oauth-client-secret + name: "y" + - name: LOGIN_GOOGLE_DIRECTORY_SERVICEACCOUNTFILEPATH + value: /etc/console/secrets/login-google-groups-service-account.json + - name: LOGIN_OKTA_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-okta-client-secret + name: "y" + - name: LOGIN_OKTA_DIRECTORY_APITOKEN + valueFrom: + secretKeyRef: + key: login-okta-directory-api-token + name: "y" + - name: REDPANDA_ADMINAPI_PASSWORD + valueFrom: + secretKeyRef: + key: redpanda-admin-api-password + name: "y" + - name: REDPANDA_ADMINAPI_TLS_CAFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-ca + - name: REDPANDA_ADMINAPI_TLS_KEYFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-key + - name: REDPANDA_ADMINAPI_TLS_CERTFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-cert + envFrom: + - configMapRef: + name: OUS + optional: true + prefix: YWvtgT + - configMapRef: + name: 4xZZ + prefix: Djbp99U + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1105213631 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -1727299217 + periodSeconds: -579129147 + successThreshold: -1278687101 + timeoutSeconds: -603846855 + name: console + ports: + - containerPort: 404 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 114758306 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 457836757 + periodSeconds: -1914503008 + successThreshold: 1926018786 + timeoutSeconds: 458769630 + resources: + requests: + 4P1f3: "0" + DmuY: "0" + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + CAy: 19kW + R2z: OpcDywz9x + priorityClassName: rs + securityContext: + fsGroup: 99 + fsGroupChangePolicy: 驸Ǩiµ慷泱世 + runAsGroup: 6873387834465682000 + runAsUser: 7937848737866681000 + sysctls: + - name: mp + value: SkIvFN + - name: E + value: RknyuPB + - name: kcY + value: us1 + serviceAccountName: RFjc7 + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: "y" + name: configs + - name: secrets + secret: + secretName: "y" + - name: dCz +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "y-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: HWL + app.kubernetes.io/version: v2.7.0 + cV05TKdtF: 55lItpeJD + h: 1Y7dqm4wZL + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['y:286'] + restartPolicy: Never + priorityClassName: rs +-- testdata/case-008.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: YcV5zP8 + namespace: default +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: GbgHqD +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: GbgHqD + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: RW + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + hfXF: v4uLEC6f8m + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: GbgHqD + namespace: default +spec: + replicas: 475 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: RW + strategy: + rollingUpdate: {} + type: 堯飉J侚桤 合w犌ŝ|#è:(蹝Ƀy輐 + template: + metadata: + annotations: + BTlN: z8t + a: Pqjhw + checksum/config: 1ba99bb938e262d91c73069e0caf6c1ce45d5e92491a50db9d1af5d59db59aed + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: RW + spec: + affinity: {} + automountServiceAccountToken: false + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: [] + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1421249778 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1194618095 + periodSeconds: 1245060237 + successThreshold: -641096828 + timeoutSeconds: -617099936 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: -10750427 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 208988771 + periodSeconds: -2096658971 + successThreshold: -233405863 + timeoutSeconds: 2042765580 + resources: {} + securityContext: + procMount: ȃ蘗ʮǺ踰蒐佛桸gɋ + readOnlyRootFilesystem: false + runAsGroup: 5367218369967094000 + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: 0fXQqWA96 + securityContext: + fsGroup: 99 + fsGroupChangePolicy: ǶȚ/廻 + runAsGroup: 3241750191956122000 + runAsNonRoot: false + runAsUser: 2693812519144067600 + supplementalGroups: + - -7558357415363805000 + - -9152494874115652000 + - -906805565867492900 + sysctls: + - name: CBe8XsS + value: bh + - name: pUYyG9c + value: xPm1 + serviceAccountName: YcV5zP8 + tolerations: [] + topologySpreadConstraints: + - maxSkew: -722842418 + nodeTaintsPolicy: uã链掎ŏȅ噘籥邟澶N3-昃嗽(七|犘 + topologyKey: vq + whenUnsatisfiable: Ȭť'Ùt苷ŲĤ蘝 + - labelSelector: {} + maxSkew: 1436245353 + nodeAffinityPolicy: 0ʠƃ氁ʆZ + topologyKey: t + whenUnsatisfiable: x叾džʜƽ耨 + - labelSelector: {} + matchLabelKeys: + - 6T2 + - FqrwFd + maxSkew: -172720268 + nodeAffinityPolicy: 觏败TʙȎ喧5婬ȑªgȢ'!ÅWp襎 + nodeTaintsPolicy: ÛB¹]ʐ梳Ě + topologyKey: VyU9 + whenUnsatisfiable: 烹wɹȐN坿¨叻ʊ鴥/Ŭ屎釽C欼 + volumes: + - configMap: + name: GbgHqD + name: configs +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "GbgHqD-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['GbgHqD:8080'] + restartPolicy: Never + priorityClassName: 0fXQqWA96 +-- testdata/case-009.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: BKV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: l1Bnpx + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: BKV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: l1Bnpx +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + efgehQaV5UI0y: GymqDudh + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: BKV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: l1Bnpx + namespace: default +spec: + ports: + - name: http + port: 229 + protocol: TCP + targetPort: 85 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: BKV + type: yZy +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: BKV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: l1Bnpx + namespace: default +spec: + replicas: 315 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: BKV + strategy: {} + template: + metadata: + annotations: + checksum/config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: BKV + spec: + affinity: + nodeAffinity: {} + podAffinity: {} + podAntiAffinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: l1Bnpx + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: -1420734522 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 753838163 + periodSeconds: -444344576 + successThreshold: -1003403229 + timeoutSeconds: -172453343 + name: console + ports: + - containerPort: 85 + name: http + protocol: TCP + readinessProbe: + failureThreshold: -286281002 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 138566964 + periodSeconds: -361700659 + successThreshold: 422528479 + timeoutSeconds: 352721839 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: xShE + name: yWBr98zs1 + subPath: "" + - mountPath: Wnbf + name: qUQ5 + subPath: "" + - mountPath: fgV + name: hpqapQJQ + subPath: "" + imagePullSecrets: + - name: x42RbB4KLm + initContainers: [] + nodeSelector: + OBRBvRK: hMXDLGN5 + ky: sv + priorityClassName: p0ShP6Yru + securityContext: + fsGroup: 99 + fsGroupChangePolicy: 灆Zeɪ霅ǭɒ<ǖ韆 + runAsGroup: -2394155475284911600 + runAsNonRoot: true + runAsUser: 99 + supplementalGroups: + - 802667379359895800 + - 8316082600801372000 + serviceAccountName: l1Bnpx + tolerations: [] + topologySpreadConstraints: + - maxSkew: -73453467 + minDomains: 326628755 + nodeAffinityPolicy: "" + topologyKey: zWgGRC + whenUnsatisfiable: 黚堳ʈ¡ + volumes: + - configMap: + name: l1Bnpx + name: configs + - name: secrets + secret: + secretName: l1Bnpx + - name: yWBr98zs1 + secret: + defaultMode: 414 + secretName: YMpib3J + - name: qUQ5 + secret: + defaultMode: 402 + secretName: Pw8 + - name: hpqapQJQ + secret: + defaultMode: 410 + secretName: 1JLIOjZI8 +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "l1Bnpx-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: BKV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: x42RbB4KLm + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['l1Bnpx:229'] + restartPolicy: Never + priorityClassName: p0ShP6Yru +-- testdata/case-010.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: + TTsn5: s3xEhO + tZiUN: CtjX + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: JFcK + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: kIzbDF + namespace: default +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: JFcK + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: ivK + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: JFcK + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: JFcK + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: ivK + namespace: default +spec: + replicas: 250 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: JFcK + strategy: {} + template: + metadata: + annotations: + checksum/config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: JFcK + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: hu5a9Q0m + operator: Ʊ飁Ɲŗʫf + values: + - fDVpOP + - fUBu2Zhz + matchFields: + - key: zOA + operator: 豔|Ĺ霱鑕yȮM錕陰蔆 + - key: uqlr1 + operator: ʏ + weight: -157546286 + - preference: + matchExpressions: + - key: yI2tB1c6Om + operator: 槼湝@)萢=\Ɇ剋Ś>(.aC俥?蔔 + values: + - 5QB3 + - C + - key: IhL2k3 + operator: "" + matchFields: + - key: Kn1 + operator: q'ʏC効L¶ƋMʐģƥƝnĤe + weight: -1818860211 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - {} + podAffinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LICENSE + valueFrom: + secretKeyRef: + key: 6Y + name: juyv + envFrom: [] + image: 4A/0YeLdES:1a4iH + imagePullPolicy: "" + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 1992527736 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1233698472 + periodSeconds: 1177961840 + successThreshold: -1634725396 + timeoutSeconds: -1493252430 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: C3nMA + name: 0sxSVsP + readOnly: true + subPath: V + subPathExpr: 1E5cYdMw + - env: + - name: nE8 + value: hFfGzdv + valueFrom: + configMapKeyRef: + key: 9Sc + name: kviW + fieldRef: + fieldPath: bzL + resourceFieldRef: + containerName: ky9X6 + divisor: "0" + resource: RgwF + image: mEMnGhDi + imagePullPolicy: <Ǐ(嬘箓閁1_Y.脯鮉娇腾1 + name: ZyDivTyKOX + readinessProbe: + failureThreshold: 368214623 + initialDelaySeconds: 1711545214 + periodSeconds: -1669571514 + successThreshold: 830602444 + timeoutSeconds: -1406663042 + resources: + requests: + Ta: "0" + restartPolicy: M#L粓Ojw+ĸɊcƗ镃聆琮ǘ滂W + stdin: true + terminationMessagePath: 7hyobl + terminationMessagePolicy: gŜĶ蔓林驲%嶄ʚ轿竷 + volumeDevices: + - devicePath: zlgauG + name: Uy7Ds5N + - devicePath: pturCrgNMxS + name: "1" + volumeMounts: + - mountPath: 2ftw3U97pI + mountPropagation: ǮmW + name: NeLq9zvIQ + subPath: 5XYnpNAb + subPathExpr: rAeHuQk + - mountPath: aOj5TCBKn + name: DWFR + subPath: G + - mountPath: ovoJMYcQZ7 + mountPropagation: ɷ&娈瘱 + name: o6QaPD8 + subPath: rIo + subPathExpr: j0F1wa + workingDir: tj + - env: + - name: KO7zek + value: AE8r + valueFrom: {} + envFrom: + - prefix: T4nvtH0yCoJCx + - prefix: KaMGNcK + image: m + imagePullPolicy: 牀 + lifecycle: + preStop: + exec: {} + sleep: + seconds: -1229802121654850600 + livenessProbe: + failureThreshold: 1036399450 + grpc: + port: 1383801223 + service: nm0jd39Ta + httpGet: + host: VhafGy + path: CP9 + port: BnhNd + scheme: hxu崚奵Y + initialDelaySeconds: 141265356 + periodSeconds: 251484282 + successThreshold: 257415096 + terminationGracePeriodSeconds: 3476093234934520000 + timeoutSeconds: -1657896181 + name: UCZJ + ports: + - containerPort: 574867450 + hostPort: 156179933 + name: 0re + protocol: 頶韜»釟ţKFƂƄp錴畗~[禬B琡9 + - containerPort: -374880824 + hostPort: 1342282100 + name: OeyfSkg3EJIuD + protocol: 佃ŦŬ穷唂&2ŌĜ,gF躊貀j寝ô + readinessProbe: + failureThreshold: 978947885 + httpGet: + host: A + path: Ngfyt + port: "" + scheme: Í蠕窩獙 + initialDelaySeconds: 60101484 + periodSeconds: 1102760384 + successThreshold: 1260060937 + terminationGracePeriodSeconds: 1157546254675437000 + timeoutSeconds: -465800822 + resizePolicy: + - resourceName: P6b56 + restartPolicy: 冿÷Ý萦{[P貍ȕ,Sɕ錼 + - resourceName: azLsfqbuYlr + restartPolicy: 蒃Ký阹ǒ1T獽蛍峸伦ƨ(Ƭ-央á + - resourceName: skOpL + restartPolicy: 鸿dŶ徥w^ȏ嘳Ƙ唓Ęɸ-ɫ鷠C + resources: {} + terminationMessagePath: vmp + terminationMessagePolicy: Ƒh庛ʘ$8L藑奾ń4說 + workingDir: rgrA + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: x0ISc2 + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: kIzbDF + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: ivK + name: configs +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "ivK-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: JFcK + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['ivK:8080'] + restartPolicy: Never + priorityClassName: x0ISc2 +-- testdata/case-011.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + JwK5MKTa: WW + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Cy9eHCiP + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + v7E: 1g6JB + name: hbe + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + JwK5MKTa: WW + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Cy9eHCiP + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + v7E: 1g6JB + name: hbe +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + JwK5MKTa: WW + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Cy9eHCiP + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + v7E: 1g6JB + name: hbe +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + "": NbuyvXjW + 2CTz: vRGLHMO53rD + yLzpKqz: uBjXvD + creationTimestamp: null + labels: + JwK5MKTa: WW + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Cy9eHCiP + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + v7E: 1g6JB + name: hbe + namespace: default +spec: + ports: + - name: http + port: 478 + protocol: TCP + targetPort: 90 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: Cy9eHCiP + type: sl +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + pJ: f0brcnhV + creationTimestamp: null + labels: + JwK5MKTa: WW + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Cy9eHCiP + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + v7E: 1g6JB + name: hbe + namespace: default +spec: + replicas: 65 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: Cy9eHCiP + strategy: {} + template: + metadata: + annotations: + checksum/config: 0ebeace369c9c96d75109609694bd464d6c28c2e8d1fcbd96529ef96d4ba0ec5 + creationTimestamp: null + labels: + "2": RgUAFm + D2V: V80aQ + app.kubernetes.io/instance: console + app.kubernetes.io/name: Cy9eHCiP + spec: + affinity: + podAffinity: {} + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: {} + matchLabelKeys: + - E9nCu6aLM + topologyKey: PfPCGvStt + weight: -1379963896 + - podAffinityTerm: + namespaceSelector: {} + topologyKey: CgA4 + weight: -726546395 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: ijh1hJb + operator: ƏŧD續筚朊 + values: + - BOfF5xB + - 3iu4 + - key: "93" + operator: Dij%{欬ɽ + - key: NEd + operator: ÿD + values: + - r + - B7E1BoYQ4Njb + - BTV + matchLabelKeys: + - FuyLvc + - Lh60qi + namespaceSelector: + matchExpressions: + - key: w + operator: 嘑 + - key: eQ6nY99xw + operator: H辄萟蘎Ÿ塪²;暃 + - key: 8JrCFA + operator: "" + values: + - wVO + topologyKey: ByO + - namespaceSelector: {} + topologyKey: b21 + - namespaces: + - Ifv + topologyKey: F9j5 + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: XW + value: PCPsJt + valueFrom: + configMapKeyRef: + key: Zk0vTu6kC + name: d9zm3 + optional: false + secretKeyRef: + key: mRF + name: CW + optional: false + - name: loir2K + value: Ti0q + - name: lAxIKF7cbLlc + value: 1ksS + valueFrom: + fieldRef: + apiVersion: 8i2Z + fieldPath: vD7H + resourceFieldRef: + containerName: yqY + divisor: "0" + resource: ebRDAl + secretKeyRef: + key: E9514U + name: g3Rbzs + optional: false + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: hbe + envFrom: + - configMapRef: + name: d + prefix: Fl1 + secretRef: + name: X8xDu + optional: true + - prefix: M + secretRef: + name: 10or1C2m + optional: false + - configMapRef: + name: BBj + optional: false + prefix: Xy + secretRef: + name: ZA3 + image: gjR/U:Tl0EP + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 653767212 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 832425522 + periodSeconds: -1810991482 + successThreshold: 1954581711 + timeoutSeconds: -574178850 + name: console + ports: + - containerPort: 90 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 1745353710 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1504484890 + periodSeconds: -846859037 + successThreshold: -1564014824 + timeoutSeconds: 888372342 + resources: + requests: + "Y": "0" + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: 2Qy8k + name: n4BPeF + subPath: "" + - mountPath: O + mountPropagation: ŜQLhlkU穒´宕Ïůŝƪ + name: JeSPIB + readOnly: true + subPath: RTiJ + subPathExpr: wad + - mountPath: QV6Kf + name: Pj7R + subPath: qBOd + subPathExpr: kN3Uujt + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + HC7: EI8 + priorityClassName: sJXoA3V + securityContext: + fsGroup: 4103142176308445000 + fsGroupChangePolicy: Ő6­撱悤ÅC`碸 + runAsUser: 9170579519391071000 + sysctls: + - name: 4OKA + value: P7ouRq + - name: iD9Oz + value: gL6ARE + serviceAccountName: hbe + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: hbe + name: configs + - name: secrets + secret: + secretName: hbe + - name: n4BPeF + secret: + defaultMode: 12 + secretName: auIr +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "hbe-test-connection" + namespace: "default" + labels: + JwK5MKTa: WW + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Cy9eHCiP + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + v7E: 1g6JB + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['hbe:478'] + restartPolicy: Never + priorityClassName: sJXoA3V +-- testdata/case-012.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Qr03ts + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: tmn2Kt + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Qr03ts + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: tmn2Kt +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Qr03ts + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: tmn2Kt +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Qr03ts + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: tmn2Kt + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: Qr03ts + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + v: D + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Qr03ts + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: tmn2Kt + namespace: default +spec: + replicas: 407 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: Qr03ts + strategy: + rollingUpdate: {} + type: 9Cɠ+餌µ骽O惠LƬɇɦ鉍挶 + template: + metadata: + annotations: + checksum/config: f03a44f92485e3dfb6772dc84dec7c868a151f08fa5c04332bebe63251290ce5 + creationTimestamp: null + labels: + "": S7BNyT + app.kubernetes.io/instance: console + app.kubernetes.io/name: Qr03ts + r1F: Fsc + yeY4LjT: MRlwtd + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: tmn2Kt + envFrom: + - prefix: RyT9JuZ + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 666524470 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1841184951 + periodSeconds: 465079780 + successThreshold: -1928046688 + timeoutSeconds: 1377323766 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + allowPrivilegeEscalation: false + privileged: true + readOnlyRootFilesystem: false + runAsGroup: -6536894786619940000 + runAsNonRoot: false + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - command: + - "" + - 7yJE + envFrom: + - prefix: kRXk + secretRef: + name: TJsCapqoxl + - prefix: ucUEP + secretRef: + name: 1zCfpPiVt9o + optional: true + image: hwJ + imagePullPolicy: dh + name: Ody4zqt + readinessProbe: + exec: {} + failureThreshold: 1607990521 + grpc: + port: 2033135747 + service: "" + initialDelaySeconds: -889776869 + periodSeconds: -35190825 + successThreshold: -958310065 + terminationGracePeriodSeconds: 3166888730011246600 + timeoutSeconds: 806015074 + resources: + requests: + mg2KyOVo97: "0" + restartPolicy: 档媘řĖ焘傐Yʮ,+Ƽ梽讫ƭ焇 + securityContext: + readOnlyRootFilesystem: true + runAsGroup: -2035296945120192500 + stdinOnce: true + terminationMessagePolicy: '*.Q' + workingDir: 0g9 + - command: + - ktel2 + - 2gO + image: Kq1K2HexLL + imagePullPolicy: 蟫黳jª0狫ĝ| + lifecycle: + postStart: + exec: + command: + - I + name: XmcrosJ9Art + resizePolicy: + - resourceName: 8dOXgKMh + restartPolicy: T@罞 + resources: + limits: + Qf424: "0" + UkBWyCgR: "0" + yS9FH: "0" + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - Ǐ蟯ƛU賊稁uv/u讎胗< + - 1湹 + privileged: false + readOnlyRootFilesystem: false + runAsGroup: -281571585037868400 + runAsUser: 8469885005475494000 + stdin: true + stdinOnce: true + terminationMessagePath: 6ii28 + terminationMessagePolicy: ȊGī3慺Ŏ + volumeDevices: + - devicePath: "" + name: lqvpF + - devicePath: 3vTez + name: pD6EOo + workingDir: QEqnPlY6YE + - args: + - eiyTiCxBp + envFrom: + - configMapRef: + name: uxUzs + prefix: 0Oq + secretRef: + name: ahghhjB + - configMapRef: + name: yjx + prefix: cOCr6ajjpSTT + - configMapRef: + name: "4" + prefix: 0XtWv + secretRef: + name: oKDQ + image: PV + imagePullPolicy: d?遼gŜT纬ɷšǧ餝Ƨ + livenessProbe: + exec: {} + failureThreshold: 746140291 + grpc: + port: 1197495917 + service: "" + httpGet: + host: x78yAB + path: P5mSLs + port: Cb2 + scheme: 儰试9ȷǴ燀ǃ¦籇射,ǠöcƲ伙 + initialDelaySeconds: 1418617842 + periodSeconds: 187037501 + successThreshold: -1821323321 + timeoutSeconds: -894994792 + name: ToH + resizePolicy: + - resourceName: 7Ut8kM + restartPolicy: gěǏ* + - resourceName: gvoJz7 + restartPolicy: ł0Iɷ»u诎żȋ貏C炭 + - resourceName: VpTvtNnJOw + restartPolicy: 阠eR'k.Ơ糦啮ŋ睷N譺 + resources: + limits: + cYhO6a: "0" + startupProbe: + exec: {} + failureThreshold: -1040244189 + grpc: + port: 1921669257 + service: Me + httpGet: + host: 5fL4Z + path: BwLac + port: SKrb2z + scheme: ľ<Ƽ浳s剪ɍ + initialDelaySeconds: -1064995957 + periodSeconds: 230643461 + successThreshold: -1865926881 + timeoutSeconds: 1102271416 + terminationMessagePath: ZbnnI + terminationMessagePolicy: 阳壀ɀS强pŇȆDž鹩 + tty: true + volumeDevices: + - devicePath: pP2eHwth + name: S9Sy + workingDir: Z + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: {} + priorityClassName: vMcB + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: tmn2Kt + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: tmn2Kt + name: configs + - name: secrets + secret: + secretName: tmn2Kt +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "tmn2Kt-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Qr03ts + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['tmn2Kt:8080'] + restartPolicy: Never + priorityClassName: vMcB +-- testdata/case-013.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: dDkIKgMwXv + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: RttlJN + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: dDkIKgMwXv + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: RttlJN +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: dDkIKgMwXv + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: RttlJN +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: dDkIKgMwXv + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: RttlJN + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: dDkIKgMwXv + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: dDkIKgMwXv + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: RttlJN + namespace: default +spec: + replicas: 412 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: dDkIKgMwXv + strategy: {} + template: + metadata: + annotations: + checksum/config: 80fd97b611d09c692bd5e12a12d43f51c7486213c5798a4f57bb8f0866119572 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: dDkIKgMwXv + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: RttlJN + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: -225696508 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1573121125 + periodSeconds: -1561542711 + successThreshold: 1804677264 + timeoutSeconds: -1540252725 + resources: + limits: + f7Jr: "0" + fl: "0" + requests: + Q4O7nA: "0" + securityContext: + privileged: true + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: -8804799239371185000 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: DVlVa1jiDIh5G + name: zaV + subPath: lXnque8 + subPathExpr: aFzzfyzr + - mountPath: 7VmD + name: bNuYmK + readOnly: true + subPath: zsTvmtU0 + subPathExpr: uNyQSZ + - mountPath: p + name: q3 + readOnly: true + subPathExpr: k4yfc0H + - env: + - name: bNyX + value: DpJ + valueFrom: + secretKeyRef: + key: r3ZL + name: GM2zRN8 + optional: false + - name: dS + value: u2CpI14PZ + - name: JVoNndPj + value: eCfRy + image: 9nkfM + imagePullPolicy: v洓p褾NJ翛Y/笸i洞偀fX綤鰐 + livenessProbe: + exec: + command: + - TzQ + - 5tBBhynsjV + failureThreshold: -1613952147 + httpGet: + host: gYV + path: 9qC2GovT + port: Gh + initialDelaySeconds: 1651935443 + periodSeconds: -1307313312 + successThreshold: 1553368137 + terminationGracePeriodSeconds: -4575724788805099000 + timeoutSeconds: -499895377 + name: aOBSLF + readinessProbe: + failureThreshold: 687754614 + initialDelaySeconds: -1880005074 + periodSeconds: 794268536 + successThreshold: -1510519942 + terminationGracePeriodSeconds: 3334702514671978000 + timeoutSeconds: -178867660 + resources: + requests: + hiWTQ: "0" + m7CDU: "0" + stdin: true + terminationMessagePath: Yj9V + terminationMessagePolicy: js$昦夁糎fț + tty: true + volumeMounts: + - mountPath: Xaoy + name: XuLXzMm + readOnly: true + subPath: NI8v + subPathExpr: nPRuyC + - mountPath: S + mountPropagation: ĜX鴮璫ȓĢ + name: c2o + readOnly: true + subPath: DEcziG + subPathExpr: 7UjF6H + workingDir: yPE + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: {} + priorityClassName: BDUfm1wSRDI + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: RttlJN + tolerations: + - effect: ƞ嬂 + key: wnH + operator: Ā蔥ąʏƅȑǚ缗'r~熐{Ǎ楯&鑫咂] + value: LYZYjeFUmK29wdL + - effect: 硞撤幅娰tȬ婒ĎɕÏǜ蚭馸諄W)偒½ + key: e2 + operator: bƤrZ + value: 8ssobF8u + topologySpreadConstraints: [] + volumes: + - configMap: + name: RttlJN + name: configs + - name: secrets + secret: + secretName: RttlJN +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "RttlJN-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: dDkIKgMwXv + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['RttlJN:8080'] + restartPolicy: Never + priorityClassName: BDUfm1wSRDI +-- testdata/case-014.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Vi2vH + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: h6eHrUr + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Vi2vH + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: htymHJ +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Vi2vH + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: htymHJ +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Vi2vH + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: htymHJ + namespace: default +spec: + ports: + - name: http + port: 41 + protocol: TCP + targetPort: 168 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: Vi2vH + type: Oiwzbmtjpb +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "htymHJ-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Vi2vH + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['htymHJ:41'] + restartPolicy: Never + priorityClassName: rcxHoi +-- testdata/case-015.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: + IH: 3W + K5hNNf: "" + r: 9cmm + creationTimestamp: null + labels: + B0Pmybnj: gh8 + MdyMnFBP0Cd1: UUVRKbjhv + ShHkukRGF9k: KlIyX6upO + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: KD8DmV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: zmr + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + B0Pmybnj: gh8 + MdyMnFBP0Cd1: UUVRKbjhv + ShHkukRGF9k: KlIyX6upO + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: KD8DmV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9RweMGWqBs +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + B0Pmybnj: gh8 + MdyMnFBP0Cd1: UUVRKbjhv + ShHkukRGF9k: KlIyX6upO + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: KD8DmV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9RweMGWqBs +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + B0Pmybnj: gh8 + MdyMnFBP0Cd1: UUVRKbjhv + ShHkukRGF9k: KlIyX6upO + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: KD8DmV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9RweMGWqBs + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: KD8DmV + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + 2V: 50l + jFB7K: 5ZqGXdsD94 + creationTimestamp: null + labels: + B0Pmybnj: gh8 + MdyMnFBP0Cd1: UUVRKbjhv + ShHkukRGF9k: KlIyX6upO + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: KD8DmV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9RweMGWqBs + namespace: default +spec: + replicas: 128 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: KD8DmV + strategy: {} + template: + metadata: + annotations: + checksum/config: c07b76ad8263a0560734a09b913b4c726efe461a7f519da293467d20a90d78bf + creationTimestamp: null + labels: + FlwBgvWNMrbg5: YKgnz8q + TGDbR: 4egH + Xr8XMOk: 1DAii + app.kubernetes.io/instance: console + app.kubernetes.io/name: KD8DmV + spec: + affinity: + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 7eVqbmnw4 + operator: 屈ǧȔŗS#~¸Dd馔uÈ飏ƌĔ魼ȓ + values: + - eZapFDhb + - dBr2cD + - key: Z13Kq48NE0 + operator: ª + values: + - 03LE6GE + - key: s + operator: 箱+ʑ圼;0丢顃M媆熋熼妄瞬 + values: + - E + - jC2mNBN + matchLabels: + 4tdQRoO: Tgv + 7Apxz: EPl5 + bPvG5Bf: sCS + namespaceSelector: {} + namespaces: + - bkN0U + topologyKey: haPJ + weight: -1043017794 + - podAffinityTerm: + labelSelector: + matchLabels: + PP8DxAPJwUzY: z9RL6 + U1a: J + due4: eRc0tKn + namespaceSelector: + matchExpressions: + - key: "y" + operator: 霮ʡ`罵瀖Kʓa嚃*Q`UV邠想ɷġ + namespaces: + - M2GNeyD + - eDNVdz1ne46 + topologyKey: kQ + weight: -1134437930 + - podAffinityTerm: + namespaceSelector: + matchExpressions: + - key: SnD + operator: 6愔ȶ獧:öȰ浻珼»ǰs睑,s頀旓eX + - key: yt197hBb + operator: ȒǦ^(á咟獐赠5ĺĜ嶜庌愖V揺ɞ\Ș + values: + - pu5 + - Ywv1TEhK + - pAo + matchLabels: + "": rZ + topologyKey: WSD + weight: 613733383 + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: 4b6nMCalUl1 + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: iQE + value: Aj6RWPJE + - name: QwMCc + value: N9g6bDNI + - name: U5Qg5Qc0NWE + valueFrom: + configMapKeyRef: + key: R + name: n8 + optional: false + fieldRef: + apiVersion: zg0 + fieldPath: fNjpqJ + secretKeyRef: + key: MlF + name: h + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: 9RweMGWqBs + envFrom: [] + image: FezgEM/b4CZb:OoX + imagePullPolicy: '&Ŕ<駄AG' + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 398655641 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1516319657 + periodSeconds: -635156272 + successThreshold: 1338596793 + timeoutSeconds: -905426079 + resources: + requests: + I: "0" + b7jbi: "0" + r1cN: "0" + securityContext: + privileged: false + procMount: d聉l蝲ɓH>狱(Ȁ胄hʍy龝Ȼ埓Y + readOnlyRootFilesystem: false + runAsGroup: 2951274493718237000 + runAsNonRoot: true + runAsUser: -1772317555576666000 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: y5BZm9v9L5 + name: mE9WF + readOnly: true + subPathExpr: 3vKqLj2 + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + vy4h: rk + priorityClassName: "68" + securityContext: + fsGroup: 99 + fsGroupChangePolicy: ¶鮬眴帘ʥb豚DIĂ + runAsGroup: 4190388773600424000 + runAsUser: 99 + supplementalGroups: + - 6652209348598506000 + - 5521245057591626000 + - 6754698685787706000 + sysctls: + - name: "7" + value: vp + serviceAccountName: zmr + tolerations: + - effect: '#U媷ɑɥ±箑妌RɱfÈB矅蒟(' + key: g + operator: Řg~歟1ƹ,纙蝝垺 + tolerationSeconds: -9038490283678034000 + value: x6T1NM + - effect: ė{ɼ 5;^ʤàOKv泣0ƫ¢ + key: wdW6LI1a5 + operator: ú4ʫ-哖ýȻȣŦiĩġ膳". + tolerationSeconds: -5247520709138794000 + value: NXt + topologySpreadConstraints: + - labelSelector: + matchExpressions: + - key: dme + operator: )\鹮İ又Ȥ鏥Ĝ + matchLabels: + Cdk: atEBel + PhEVPxOjN: QTW4 + fC0YTiwm: fdAQN8t + maxSkew: 472867304 + minDomains: 1802867157 + nodeAffinityPolicy: ʈǔ聿ŶŹ&y鰜# + nodeTaintsPolicy: '"篍Ɛɰl鄱' + topologyKey: fqmSu + whenUnsatisfiable: äƟĻ鍣ųø啼ǫǷ" + - labelSelector: + matchExpressions: + - key: BEj + operator: Ɠ墳 + values: + - qBJ + - KZbk + - key: 9wxm2wFXlY + operator: ì蠁{\媽;ě8ɠ + values: + - yiuVv9DzzRse + - "N" + - z + - key: SWu + operator: Ī½曖1șWb3 + maxSkew: 774109577 + minDomains: -110979462 + nodeAffinityPolicy: 醿卨¬婾豜ʦKd` + topologyKey: 4iskW3Hbv + whenUnsatisfiable: ǮXƞ棤Ǘ + volumes: + - configMap: + name: 9RweMGWqBs + name: configs + - name: secrets + secret: + secretName: 9RweMGWqBs +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + "": ZKQ6I + ES: uo + creationTimestamp: null + labels: + B0Pmybnj: gh8 + MdyMnFBP0Cd1: UUVRKbjhv + ShHkukRGF9k: KlIyX6upO + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: KD8DmV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9RweMGWqBs +spec: + ingressClassName: x7Um + rules: + - host: chart-example.local + http: + paths: + - backend: + service: + name: 9RweMGWqBs + port: + number: 8080 + path: / + pathType: ImplementationSpecific + tls: + - hosts: null + secretName: Ye6 + - hosts: + - nNQW2NL + - g + - "N" + secretName: YQl +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "9RweMGWqBs-test-connection" + namespace: "default" + labels: + B0Pmybnj: gh8 + MdyMnFBP0Cd1: UUVRKbjhv + ShHkukRGF9k: KlIyX6upO + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: KD8DmV + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['9RweMGWqBs:8080'] + restartPolicy: Never + priorityClassName: 68 +-- testdata/case-016.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: SC + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: DdF7ALq + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: SC + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 6maz +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - Q0kslM: null + - null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: SC + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 6maz +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: SC + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 6maz + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: SC + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: SC + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 6maz + namespace: default +spec: + replicas: 331 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: SC + strategy: + rollingUpdate: {} + type: ŀ剭º(;ƍ4兖ȇ + template: + metadata: + annotations: + JYLUc483y: gTnWiG + checksum/config: e4b69acb9132e0c7dea94f0e868bb2c5850883e5487d4cca28762798c1b9dda6 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: SC + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: 2Ldss9 + operator: ?霏ƦxǰA7ȇ(堃R + values: + - Ce7pGgB5o + - B8EWZ + - key: pJKw3VVY5 + operator: 2wq6JK?Ȏ惙徵r儊ǒ嵀匫W + matchFields: + - key: EQvFQjoLm1 + operator: «/o咑澇ƉɑȨŞƙ|5時 + weight: -508343495 + - preference: + matchExpressions: + - key: VRoHsoMNa + operator: cƄábŊɕg追ĦǙȿ男)hŬ + values: + - tcCIpd9m + - FsoFrK + - key: ReH4ocoZ + operator: "" + values: + - bnUyPckbz + - AE + - njW + - key: fZBGR + operator: 租ǜ藇錼 + weight: -1003115262 + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + namespaceSelector: + matchLabels: + qGlBCw: zUBwqj2xV + zlHLG: TDTkLQOC + namespaces: + - QWFH + - TEzgQKPSQ + topologyKey: "" + weight: 682123393 + - podAffinityTerm: + labelSelector: {} + matchLabelKeys: + - 1MiHrQ + namespaceSelector: + matchExpressions: + - key: JUYumiiJFrY + operator: .ƽCDZo& + values: + - t3wDXa + - 70HCTbI6g + - C + - key: ik + operator: Œ8v + values: + - Wp + - Zf + - c2q7e + topologyKey: Sc1Q + weight: 869908297 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: ore + operator: ?ɴ$瀜蝪ĪźȀŐƌS莣幮屒n×U锇Ľ + values: + - mJM + - oc + - aU + - key: SQmv + operator: ȥī+ūĬ诧犂¹ + - key: Hh1r9 + operator: h蓟x蹵D¨谧罬 + matchLabelKeys: + - mDk + - Hki8 + topologyKey: x2q0Rx1f1N + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + namespaceSelector: + matchExpressions: + - key: H1Ni + operator: Ȧ厜OŊ + values: + - UWzAFu2 + - key: M + operator: 罐hĹ;'ǫ貉yĊ啉刉DzQį + - key: zZ + operator: 颉śĴJ|@W補A篐S献;ɾ[_鶙ȱ + values: + - 4BL + namespaces: + - Thgfgf7Z + topologyKey: XBju19e + weight: 1392601493 + automountServiceAccountToken: false + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: 6maz + envFrom: [] + image: PYDGV/HV3:cI8TzaYkws + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 713465020 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1849009003 + periodSeconds: 2079209425 + successThreshold: 1679782943 + timeoutSeconds: 2000039211 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + allowPrivilegeEscalation: false + procMount: 垮Ř2 + readOnlyRootFilesystem: true + runAsGroup: 5797501600954334000 + runAsNonRoot: true + runAsUser: -8444673787636984000 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - command: + - opIk + - v9eJ + - 4V + env: + - name: 5Q + value: o + envFrom: + - prefix: eBWmLK + secretRef: + name: FedJi + optional: false + - configMapRef: + name: M + optional: false + prefix: vUvV7W8k0 + secretRef: + name: IA + image: T4SYV + imagePullPolicy: Ƈ祃ǗǤɈ遖竀壙/ + livenessProbe: + failureThreshold: 20929095 + grpc: + port: -1775507003 + service: UZ6BT7NDI + httpGet: + host: QFkZxI6kA + path: tzQ + port: "" + scheme: Ƞ揞á惗É莏6XȪ/ʡ忨償 + initialDelaySeconds: 1046895310 + periodSeconds: -1971173139 + successThreshold: -476756841 + terminationGracePeriodSeconds: 144861231583008740 + timeoutSeconds: 814968592 + name: gEB + ports: + - containerPort: 2060914354 + hostIP: 9IXWKx38q5 + hostPort: -1191426039 + name: 5Mw7k + protocol: 悛ķ鳉ɍ恽j頔Œ6Eʮnx + resources: {} + restartPolicy: 樦ýȃ梪ĵ + stdin: true + stdinOnce: true + terminationMessagePath: c0e + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: XtKq + securityContext: + fsGroup: -1425599568169885200 + fsGroupChangePolicy: ƶ Ÿ恢 + runAsGroup: -8737472966684837000 + runAsUser: 99 + supplementalGroups: + - 809809813702093200 + - 6124706841582845000 + - 6159358527003038000 + serviceAccountName: DdF7ALq + tolerations: [] + topologySpreadConstraints: + - labelSelector: {} + maxSkew: 972537130 + minDomains: -499606767 + topologyKey: q5 + whenUnsatisfiable: 鳯°ôŕƨʪuɘ"h貇榧0?cɉjA蜝 + - labelSelector: + matchExpressions: + - key: lAV + operator: 嵖xߟ擱ʄ衯"xɂ + - key: U6 + operator: =换J+Ř:嫚ʥ畠餐ǒŃ + values: + - Vj + - snF6cyZ + - 0sW9y4T5 + matchLabelKeys: + - 2wCjBs + maxSkew: -324080521 + minDomains: 695322418 + nodeAffinityPolicy: ʖ[兘Ũ鬎盦İƲ + topologyKey: z5y4Q8jyHH + whenUnsatisfiable: =Y~É.J樢ȃŤƫ甶Ȍ* + - labelSelector: {} + maxSkew: -1720129802 + minDomains: 1017048856 + nodeTaintsPolicy: 龨9猶e僦ɻ髧Ȍc + topologyKey: qKf6Ef3o + whenUnsatisfiable: ʂ?$鳴寘ŧ6脹餗ſ媷,峇埽 + volumes: + - configMap: + name: 6maz + name: configs + - name: secrets + secret: + secretName: 6maz +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "6maz-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: SC + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['6maz:8080'] + restartPolicy: Never + priorityClassName: XtKq +-- testdata/case-017.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tPiY + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9XG3SZW + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tPiY + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9XG3SZW +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: jw6tY22 + login-github-personal-access-token: JvG1jx + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: MalR2 + login-okta-client-secret: mDILgPMjOS9 + login-okta-directory-api-token: M2ywAiP + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + roles.yaml: |- + roles: + - JlwOk: null + QUzHpm: null + ch3WnNF: null + - {} + - null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tPiY + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9XG3SZW +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tPiY + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9XG3SZW + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: tPiY + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + J5Z: aLYd149 + LCqYvOjK: Qsk + bU: "" + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tPiY + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9XG3SZW + namespace: default +spec: + replicas: 173 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: tPiY + strategy: {} + template: + metadata: + annotations: + checksum/config: a9353e622b2ed64d835d05830dc4357d8eb982e89685498d39ac88a30931fb87 + creationTimestamp: null + labels: + LBQpbD: AHB4hNVL + app.kubernetes.io/instance: console + app.kubernetes.io/name: tPiY + ey1GpAHh: fA + spec: + affinity: {} + automountServiceAccountToken: false + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: Z + value: 1PasJFATvz + valueFrom: + configMapKeyRef: + key: Out + name: Z + - name: pUN + value: QTGN + valueFrom: + configMapKeyRef: + key: BLzs5FKV + name: xsgY3vBvZ + optional: true + fieldRef: + apiVersion: 5Ng + fieldPath: Psowh + resourceFieldRef: + containerName: pMz + divisor: "0" + resource: "" + secretKeyRef: + key: IY9s0 + optional: false + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: 9XG3SZW + - name: LOGIN_GITHUB_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-github-oauth-client-secret + name: 9XG3SZW + - name: LOGIN_GITHUB_DIRECTORY_PERSONALACCESSTOKEN + valueFrom: + secretKeyRef: + key: login-github-personal-access-token + name: 9XG3SZW + - name: LOGIN_OKTA_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-okta-client-secret + name: 9XG3SZW + - name: LOGIN_OKTA_DIRECTORY_APITOKEN + valueFrom: + secretKeyRef: + key: login-okta-directory-api-token + name: 9XG3SZW + - name: LOGIN_OIDC_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-oidc-client-secret + name: 9XG3SZW + envFrom: + - prefix: oK16T1 + - configMapRef: + name: GxM9 + optional: false + prefix: Hj8 + secretRef: + name: o5P67 + image: 3s/kPWhaC:BcBi + imagePullPolicy: k痿蹒 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 738983906 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -1729478206 + periodSeconds: 902558671 + successThreshold: 989047880 + timeoutSeconds: -402268186 + resources: + limits: + 0fvc8: "0" + W19cC: "0" + loZ4: "0" + securityContext: + capabilities: + add: + - "" + - 鸼ǀɛ_Y + - 利ƯǢ謼Ŀʇ佔4銣 + privileged: false + procMount: 頿ū詁ǎTɁ¯PlFd只鶗ƝǛƤ臃 + readOnlyRootFilesystem: true + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: TLaWLIiD + name: 3SwG7HrS + subPath: "" + - mountPath: dXXPfK + name: Bfv9SGjlbgN + subPath: "" + - mountPath: YEOA49 + name: wz4K9oIYM + subPath: "" + - args: + - Bd + command: + - QwtEp + - lLi7 + - kxB1 + image: RpMWaJ + imagePullPolicy: ~崆Ǭe侊k + livenessProbe: + exec: {} + failureThreshold: -2101638962 + grpc: + port: -208999597 + service: jICxjA + initialDelaySeconds: 925230214 + periodSeconds: -996383814 + successThreshold: 152844544 + terminationGracePeriodSeconds: -7802949917649734000 + timeoutSeconds: -188255799 + name: qwOkQZ + ports: + - containerPort: -255758148 + hostIP: R + hostPort: 316791912 + name: 09i3b5oQR + protocol: 腴醗9-鐶 + - containerPort: 247145105 + hostIP: L4 + hostPort: 1727912240 + name: bz7Y1N7 + protocol: 暄璎 + readinessProbe: + exec: + command: + - 2fQQ + failureThreshold: -873648342 + grpc: + port: 889903834 + service: C3 + httpGet: + host: IPHal + path: 5Nb6iW9 + port: tkqo + scheme: m说Ď盐2Ƹ,约h鰥Ȕť3 + initialDelaySeconds: 1391319902 + periodSeconds: -1638942635 + successThreshold: 644454270 + timeoutSeconds: -553602240 + resources: + requests: + 0XxId: "0" + VsY2R9: "0" + ZLtS2: "0" + restartPolicy: ų蓶Lj,g珯i'Sû竒 + terminationMessagePath: Mx7V + terminationMessagePolicy: =Jƈ乚貃庪ș¯ÑVȯ6筌巨华ɀ(v + tty: true + workingDir: nKFDPLJvOh + - args: + - AV3kjV + - Gwq78lY2 + - wq + command: + - D + - EI + - fY5J + env: + - name: eCtpNU + value: jLkcq8S + - name: rynLbx + value: CdqgJabHhM + valueFrom: + configMapKeyRef: + key: uBUH5 + name: Uxei4G1 + optional: false + fieldRef: + apiVersion: Ul9al + fieldPath: vtGid + resourceFieldRef: + containerName: Oc + divisor: "0" + resource: "" + - name: GmDNpa0 + value: 7VJM2XsPm8N + valueFrom: + configMapKeyRef: + key: x3J0PMWE + resourceFieldRef: + containerName: x9Q + divisor: "0" + resource: EKFgoq + secretKeyRef: + key: lOZRvK9 + name: V + image: 1xn6 + imagePullPolicy: ɀ稤¼Mɻ«鐾6Ú{ŬtŮ鄖SSɌ戲 + lifecycle: + postStart: + exec: {} + httpGet: + host: sT2dWyT + path: vvbIxNVANZ + port: aCK8 + scheme: 昿孊卿昤軒JYƜÁ嶠şe灶 + sleep: + seconds: -3542823673709563400 + preStop: + exec: + command: + - "N" + - qkHmJ + - HupYy + httpGet: + host: 137dx + path: y3u7HE + port: -1357399425 + scheme: '@济ɉ鳛讧跕(#7NJɓũǸ]ɨ梊sj' + sleep: + seconds: -2408406850575106600 + name: J6VFtJd3giFt + resources: + requests: + 3dqK0M: "0" + restartPolicy: 70ʆ氶応爱怙鉉塼tƗhY嚇 + securityContext: + allowPrivilegeEscalation: false + capabilities: {} + privileged: false + procMount: ȚƼ提瀴t8oƥc + startupProbe: + exec: {} + failureThreshold: 1782005431 + grpc: + port: 676289916 + service: 3xqeCsf + httpGet: + host: YDL1TP + path: "8" + port: lLWR + scheme: BKō筹 + initialDelaySeconds: 134613881 + periodSeconds: 1547524591 + successThreshold: 1778605907 + terminationGracePeriodSeconds: -7593859121613943000 + timeoutSeconds: 2026260743 + terminationMessagePath: E + terminationMessagePolicy: 碓 + workingDir: kl + - command: + - "" + env: + - name: TG1HQA + value: 5X + valueFrom: + fieldRef: + apiVersion: Vhn + fieldPath: jluMkQnv9 + resourceFieldRef: + containerName: rLfbH + divisor: "0" + resource: "" + - name: "" + value: TOTyqqGn + valueFrom: + fieldRef: + apiVersion: 0CAdSa + fieldPath: LWMRC + resourceFieldRef: + divisor: "0" + resource: G5eZP4R + secretKeyRef: + key: xYOgJL + name: vMTywG + image: 2Z + imagePullPolicy: z.鎸ƦʖFNj棪Ƃ鯌b抵#Dzr + lifecycle: + postStart: + exec: {} + httpGet: + host: k8z + path: TxNa2e + port: -573570086 + scheme: oɌdǹ[M灙螮伪芛探塢庖Njȕ仸 + sleep: + seconds: 4118046687980194000 + preStop: + exec: + command: + - 6iZbF + - OeZTW + httpGet: + host: rbqq + path: sno + port: -429531729 + scheme: s璙Ȼȗ榛ǵ0ƿ.忋闳溨 + name: Cms + ports: + - containerPort: -211101225 + hostIP: 8v + hostPort: 1994344080 + name: kyMvksZa + protocol: fȞ蚊悘ū錩Ȩ龒ċŴ + - containerPort: -806313867 + hostIP: Ky2F2 + hostPort: 1605736520 + name: oe0nMMl + protocol: 慿)"Ǒ3浹襈}(VE-B³閪叒k1绝 + readinessProbe: + exec: {} + failureThreshold: 1398486074 + grpc: + port: 1157090744 + service: oFrTS0 + httpGet: + host: 5pfrE + port: TJb4 + scheme: 畢î + initialDelaySeconds: -1830121652 + periodSeconds: -1398007905 + successThreshold: 1183454316 + timeoutSeconds: 1797763090 + resizePolicy: + - resourceName: hzxTj + restartPolicy: 渣箢樳掯ȉÏǼ店喘©g + resources: + limits: + zGvF9poISMtK: "0" + requests: + lUp3T: "0" + restartPolicy: '}賩6''V霟足''È''*F÷ƙǕ' + stdin: true + terminationMessagePath: 4tn + terminationMessagePolicy: ɢ荵鯴庡ǁ婛埽猜犝笖á7譃ǁ¦GɖC + volumeDevices: + - devicePath: eGfD9B + name: G3Bd + - devicePath: x + name: TB + workingDir: iKksE1 + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: qcIlT + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: 9XG3SZW + tolerations: + - effect: 懻 + key: JifsKW + operator: 檧űÊǮȡ廄儱RəȏĮ顪ÅÞ + tolerationSeconds: 4501363800484543000 + value: KkCBzwToBMjJ + - effect: B囧ƉOß + key: Q3cj + operator: ɲ朁ß栢 + tolerationSeconds: 4944598504260379000 + value: Z5 + - effect: 敘愰ɰuƪ晐 + key: K8wM + operator: ș + tolerationSeconds: 8375376960471889000 + value: TnWS + topologySpreadConstraints: [] + volumes: + - configMap: + name: 9XG3SZW + name: configs + - name: secrets + secret: + secretName: 9XG3SZW + - name: 3SwG7HrS + secret: + defaultMode: 442 + secretName: VR + - name: Bfv9SGjlbgN + secret: + defaultMode: 383 + secretName: T + - name: wz4K9oIYM + secret: + defaultMode: 13 + secretName: WzM +-- testdata/case-018.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: + X7E: CRSzr + lPi: bGP + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 1qyLP36T + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: uAvlOXf + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 1qyLP36T + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: ExFU3 +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: IsvQ9 + kafka-sasl-aws-msk-iam-secret-key: 8GlUc + kafka-sasl-password: Vb + kafka-schema-registry-password: UJ7Zl + kafka-schemaregistry-tls-ca: T1Q + kafka-schemaregistry-tls-cert: 17r + kafka-schemaregistry-tls-key: O44 + kafka-tls-ca: n8k9 + kafka-tls-cert: aK + kafka-tls-key: "" + login-github-oauth-client-secret: t6z0n + login-github-personal-access-token: "" + login-google-groups-service-account.json: fpuCEFLL + login-google-oauth-client-secret: h + login-jwt-secret: SECRETKEY + login-oidc-client-secret: t + login-okta-client-secret: 3CcKl + login-okta-directory-api-token: AZt8H77 + redpanda-admin-api-password: NUkb3zIpwAR + redpanda-admin-api-tls-ca: t + redpanda-admin-api-tls-cert: zttTAvj + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 1qyLP36T + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: ExFU3 + namespace: default +spec: + ports: + - name: http + port: 415 + protocol: TCP + targetPort: 489 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 1qyLP36T + type: 2cM +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + "": 3E5rtKA + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 1qyLP36T + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: ExFU3 + namespace: default +spec: + replicas: 297 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 1qyLP36T + strategy: + rollingUpdate: {} + type: ɬ搢.Ƒ躂ɻɅȄ莨qc婔Åå + template: + metadata: + annotations: + checksum/config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 1qyLP36T + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: {} + weight: -37659402 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + matchLabelKeys: + - ajbCE + - Y0MRgpE8 + namespaceSelector: + matchExpressions: + - key: Auai + operator: ùfƽÜQķɨ逑ʒÅģ + values: + - Q + - key: 1S2Nfq + operator: 臺瑷tƎ鍤p}滳`竦ÙǾ晖ǃʏȵ + namespaces: + - 4GTSAZF + topologyKey: NS733 + weight: -968286112 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: eyt3TPSYPBWDt + operator: e偁&蔄癳.ŚƘ + matchLabelKeys: + - eE7PA8D + - cKalkvb + mismatchLabelKeys: + - Lan + topologyKey: v + weight: -2133598054 + - podAffinityTerm: + mismatchLabelKeys: + - "5" + namespaceSelector: + matchExpressions: + - key: UrrD + operator: ƞ + - key: rkfCsnUcx + operator: ȇ睾¦棌鉝-m糤LPjX.;Ğ× + - key: kla + operator: '"竮壣祠ł9抵墙' + namespaces: + - gyF + topologyKey: ZG + weight: -428742233 + requiredDuringSchedulingIgnoredDuringExecution: + - matchLabelKeys: + - tZZj + namespaces: + - VuG + - I5XU + topologyKey: V2CZqa + - labelSelector: {} + mismatchLabelKeys: + - "" + - q9L4 + - C4YJ57 + namespaces: + - 8xRk06ngy + - WeZO2 + - 7tbTFK + topologyKey: rnpto + automountServiceAccountToken: false + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: KAFKA_SASL_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-sasl-password + name: ExFU3 + - name: KAFKA_PROTOBUF_GIT_BASICAUTH_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-protobuf-git-basicauth-password + name: ExFU3 + - name: KAFKA_SASL_AWSMSKIAM_SECRETKEY + valueFrom: + secretKeyRef: + key: kafka-sasl-aws-msk-iam-secret-key + name: ExFU3 + - name: KAFKA_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-tls-ca + - name: KAFKA_TLS_CERTFILEPATH + value: /etc/console/secrets/kafka-tls-cert + - name: KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-ca + - name: KAFKA_SCHEMAREGISTRY_TLS_CERTFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-cert + - name: KAFKA_SCHEMAREGISTRY_TLS_KEYFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-key + - name: KAFKA_SCHEMAREGISTRY_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-schema-registry-password + name: ExFU3 + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: ExFU3 + - name: LOGIN_GOOGLE_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-google-oauth-client-secret + name: ExFU3 + - name: LOGIN_GOOGLE_DIRECTORY_SERVICEACCOUNTFILEPATH + value: /etc/console/secrets/login-google-groups-service-account.json + - name: LOGIN_GITHUB_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-github-oauth-client-secret + name: ExFU3 + - name: LOGIN_OKTA_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-okta-client-secret + name: ExFU3 + - name: LOGIN_OKTA_DIRECTORY_APITOKEN + valueFrom: + secretKeyRef: + key: login-okta-directory-api-token + name: ExFU3 + - name: LOGIN_OIDC_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-oidc-client-secret + name: ExFU3 + - name: REDPANDA_ADMINAPI_PASSWORD + valueFrom: + secretKeyRef: + key: redpanda-admin-api-password + name: ExFU3 + - name: REDPANDA_ADMINAPI_TLS_CAFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-ca + - name: REDPANDA_ADMINAPI_TLS_CERTFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-cert + envFrom: + - prefix: hg + secretRef: + name: eLM59WyoAXO + image: iCFSIwyDtoG/6V6:6uR + imagePullPolicy: 螣暛擂ɾ#鏲*胭8饭1胠 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 489 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + limits: + QZqMxIAt: "0" + SUsu9: "0" + requests: + EMOXCuje: "0" + EzKKMIR: "0" + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - envFrom: + - prefix: EVZ + secretRef: + name: MxD + optional: true + - configMapRef: + name: A + optional: false + prefix: HuqxI + secretRef: + name: A + optional: true + image: SU + imagePullPolicy: 禵7璙p + lifecycle: + postStart: + httpGet: + host: YZMjhOUO8IS + path: nzYfH + port: Fcx + scheme: 矪Q9 + sleep: + seconds: 3463625415546708000 + livenessProbe: + failureThreshold: -560403806 + grpc: + port: 1751268094 + service: I + httpGet: + host: 0Sb + path: Utm2X + port: 395973041 + scheme: 醆蚎忨ŕ縨ƍ爋釬šÒ暺ƒŎO記岣 + initialDelaySeconds: -1011110535 + periodSeconds: -1229381750 + successThreshold: 260149510 + timeoutSeconds: 74546945 + name: e + resizePolicy: + - resourceName: XNKV + restartPolicy: ì焹.¬哄ȾŢȎȴe$p尶m`飻Ȭ + - resourceName: "" + restartPolicy: 閭I哗.寢荨ʪɛ侭ȵ(8 + resources: + requests: + 3nUsL: "0" + securityContext: + allowPrivilegeEscalation: false + privileged: false + readOnlyRootFilesystem: false + runAsGroup: -8616852535795885000 + terminationMessagePath: FjZ + terminationMessagePolicy: ÿb熿3,ćp寫ʃ#叺渍ƣș + volumeDevices: + - devicePath: Xvjm + name: 7yLA + - devicePath: 1Ci + name: Y0AloAQS + - devicePath: Gt + name: ZMKKc + workingDir: Mh + imagePullSecrets: + - name: vlnGQbo3y + initContainers: [] + nodeSelector: + Vckw: ifBZ9p7 + priorityClassName: 6jxv + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: uAvlOXf + tolerations: + - effect: č喅Ȳ崥ï{禙ÊÿC逻準?霘2 + key: YJE + operator: 珟 + tolerationSeconds: 3838637075734495700 + value: 1VemeDTEk1 + - effect: 艋Ƿ淛襀|Ǽ&矠Ģ凍J賜ɰō + key: ggxS8L + operator: 閞判ŏ + tolerationSeconds: -2249155605077506300 + value: m3c + - effect: 'Ljə]IŴ:' + key: 4BkJSo + value: Le + topologySpreadConstraints: + - matchLabelKeys: + - uyTA + - rJcqdY3 + maxSkew: 1887613958 + nodeAffinityPolicy: u鞝侠轁蛃6Ơfrt迄ʇQ勭ĶÇǻě + topologyKey: 3f9j + whenUnsatisfiable: µ + volumes: + - configMap: + name: ExFU3 + name: configs + - name: secrets + secret: + secretName: ExFU3 +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "ExFU3-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 1qyLP36T + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: vlnGQbo3y + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['ExFU3:415'] + restartPolicy: Never + priorityClassName: 6jxv +-- testdata/case-019.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8MIg + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: NZ7h9 + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8MIg + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: NZ7h9 +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8MIg + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: NZ7h9 +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8MIg + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: NZ7h9 + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 8MIg + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + lgiIA: u + wK8: JrSfKH + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8MIg + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: NZ7h9 + namespace: default +spec: + replicas: 79 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 8MIg + strategy: + type: 鎦v財ɕŪ + template: + metadata: + annotations: + checksum/config: 9960ac5c5faddbc59ee9638bfac7f4fd7513b7e295e3fcc28b0fdfabc2aba1d3 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 8MIg + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: pJ + value: whmTukCTD + valueFrom: + configMapKeyRef: + key: OHk + name: "3" + fieldRef: + apiVersion: TSp7 + fieldPath: mEUVMSp7vUo + resourceFieldRef: + containerName: bBDw + divisor: "0" + resource: tIcs3z + secretKeyRef: + key: jIR5V + name: "9" + - name: ZCEPmHP + value: FhwE4R + valueFrom: + fieldRef: + apiVersion: Nv + fieldPath: WMXeIjk + resourceFieldRef: + containerName: Hbt + divisor: "0" + resource: mo7F + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: NZ7h9 + envFrom: [] + image: GNXgFQ/W3:2vPed + imagePullPolicy: 韃ĝ + livenessProbe: + failureThreshold: -1736131786 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 538755540 + periodSeconds: -937262167 + successThreshold: 2014961170 + timeoutSeconds: -614674118 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: -1936056692 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -2019126091 + periodSeconds: -1696700553 + successThreshold: 398361977 + timeoutSeconds: -184667912 + resources: {} + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - 狞濮噞饅烥H}湛m=U+卓Ǭï呣8Ú + privileged: true + runAsNonRoot: true + runAsUser: -471077223001866500 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: UF6 + mountPropagation: ĻsŸ氂ǐ钋鮠Ĺ咳渼.pɫ + name: W1LIZa3 + subPath: qdDtjk + subPathExpr: Ew + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: FERw + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: NZ7h9 + tolerations: + - effect: 飝壊%ǂP胅ɂǏ趸疷擁鹒DŽ营風顺z拇 + key: Ku2m + operator: ŲǪFTǗǔȟʥȰȎǎo玼Ü + value: 1u + - effect: 雾Ź歘ɇƇ昨OČƑɎ騨Ŗ=Ì楯 + key: 12vKa + operator: ( + value: u + topologySpreadConstraints: [] + volumes: + - configMap: + name: NZ7h9 + name: configs + - name: secrets + secret: + secretName: NZ7h9 +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "NZ7h9-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8MIg + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['NZ7h9:8080'] + restartPolicy: Never + priorityClassName: FERw +-- testdata/case-020.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: + Cs0Tv: PNgn + tawhZGj4: yuBQ1 + xdl: jbYUlUI + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: zzmAR9 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: HMpc + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: zzmAR9 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: Om7 +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: XhRg8T + login-github-personal-access-token: oB8xbs + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: saEi + login-okta-directory-api-token: tq8L + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: zzmAR9 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: Om7 +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: zzmAR9 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: Om7 + namespace: default +spec: + ports: + - name: http + port: 310 + protocol: TCP + targetPort: 28 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: zzmAR9 + type: "" +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + 0lA: PZvwfKrip + AUm: KY + KBFrJC: hkdfq + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: zzmAR9 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: Om7 + namespace: default +spec: + replicas: 344 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: zzmAR9 + strategy: + rollingUpdate: {} + type: x&N涮ĶJ­ɕ + template: + metadata: + annotations: + checksum/config: 2881fbe0f4a9d0f2f17dbbbe515c08d46dd6d4a6d2c84c3482c94ace8ee6b09f + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: zzmAR9 + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - {} + - matchExpressions: + - key: a23jbG + operator: yb庇ɍ闒ǰPâƟVsJu + values: + - "" + - 1lQmmGa8 + - XzVleDXV4YoRc + - key: 3Gwd9r + operator: 4Nj7Ġ$Ea狆Ö絞Ƙ殈廔as知 + - key: 7C4FjM + operator: ɩ.叧¬ʧ倒 + matchFields: + - key: H + operator: Ğų* + values: + - 0i + - qK + - key: 7ocDt + operator: 餯ǚ璗汭槰<ƤƐ評ź膹棅珢ȹ3鮑 + values: + - g5Aa1Hm + - LKNvXrtO + - key: o + operator: ŎJ甧鷓 + values: + - vJQQjLRrqIK + - Isj + - 6EBsy + - matchFields: + - key: H0oh1dBCg + operator: 鉔qƿ氵[ȕ凭Śȅ3džȿȳ + name: xYM + subPath: nMMkHAUoYIsN + subPathExpr: 579Yn2LXk + - mountPath: 5z + mountPropagation: Ƀ陪7k惿Ɏǚ霤ƨƱ«ɤ»ȣ薥頠媉fʠ + name: KIX5g + readOnly: true + subPath: CGOswgk + subPathExpr: oxiB23ZW2KX + workingDir: IzOAr + - args: + - jrZTvs + env: + - name: jxl5Q + value: fm2F7DzZA + image: r7sTpTP8N + imagePullPolicy: 眒弿 + lifecycle: + preStop: + httpGet: + host: WEBUk + path: "1" + port: -377365982 + scheme: 娖阋顿|儴Éȱ鋦 + livenessProbe: + exec: + command: + - 2j + failureThreshold: -1631622345 + grpc: + port: -188887701 + service: s + httpGet: + host: "6" + path: 07rm4AD + port: DCtZ5 + scheme: ʼnK襡5殛鯙ȋʛ稲(C姓 + initialDelaySeconds: -1011676147 + periodSeconds: -1141844037 + successThreshold: -1528778970 + terminationGracePeriodSeconds: 422553046190448100 + timeoutSeconds: 99607263 + name: rhg + ports: + - containerPort: 1265703793 + hostIP: lYiq + hostPort: -931710582 + name: r2OdlKyZ + protocol: ŌK4Ʒ霖R婧,Ģ墤ʠ_Ƒ亽vĨO + - containerPort: -1093198499 + hostIP: xHuDhI2 + hostPort: 1423992590 + name: WdH + protocol: K嚜pn犓ɯ`劮ƫķPLm + resizePolicy: + - resourceName: M3EK5NW + restartPolicy: Ɲ囩 + resources: + limits: + 4zeCyo: "0" + PgUjG: "0" + requests: + IseC3: "0" + WHgRSz: "0" + yzZn: "0" + restartPolicy: ijƞ墫噌L诠=脳%Ɗ + securityContext: + privileged: false + readOnlyRootFilesystem: false + runAsGroup: -1074724161449892000 + runAsUser: 8255497511479977000 + startupProbe: + exec: {} + failureThreshold: -1172398717 + grpc: + port: 1919051215 + service: "" + initialDelaySeconds: 2020291403 + periodSeconds: 450860281 + successThreshold: 193397000 + timeoutSeconds: -665894379 + stdin: true + terminationMessagePath: MCVu + terminationMessagePolicy: ŷÍ:+壩ùI賎Rɜ卮cɣS惕mIɭ + tty: true + workingDir: 2L97y + imagePullSecrets: + - name: iA1C + - name: ZOdo + - name: qTOK0W + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: {} + priorityClassName: 0bGHQk7gL + securityContext: + fsGroup: -6946946538076897000 + fsGroupChangePolicy: 呆ɔȂwijà + runAsGroup: 3944693697856007700 + runAsNonRoot: true + runAsUser: -732766343758518300 + supplementalGroups: + - -5691922089175975000 + serviceAccountName: H5TDAALUdD + tolerations: + - effect: 媄 + key: IQD9Yww8 + operator: bǾå鱍 + tolerationSeconds: -7454358062612207000 + value: odxS1Q2Sd + - effect: Ɣv璔}oȡʞ¤ + key: ySGX + operator: ƪ渺¸貗ȹV廋ȉňu増嬎Ë韍ǘz茩Ƹ怯 + tolerationSeconds: -1083807005557333500 + value: bAy + topologySpreadConstraints: [] + volumes: + - configMap: + name: Uo + name: configs + - name: Jq0CSftnp + - name: QMHGzzYC2HW + - name: 1PkbzhfK +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "Uo-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: Mh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: iA1C + - name: ZOdo + - name: qTOK0W + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['Uo:8080'] + restartPolicy: Never + priorityClassName: 0bGHQk7gL +-- testdata/case-026.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + annotations: + "": tWl + 5mzy: 4t87VKeHA + a: UqD3iv5LoNYP + creationTimestamp: null + labels: + "": h0uSAPIi + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vLjrafvp + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + kuKPk7: "" + name: Utu8ZHG2 + namespace: default +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + "": h0uSAPIi + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vLjrafvp + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + kuKPk7: "" + name: qhaD + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: vLjrafvp + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + "": h0uSAPIi + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vLjrafvp + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + kuKPk7: "" + name: qhaD + namespace: default +spec: + replicas: 78 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: vLjrafvp + strategy: + rollingUpdate: {} + type: I6终j2炅ȲbȻ + template: + metadata: + annotations: + LtAjph: 8Q + MiPvJub: 0x + checksum/config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b + j: xR98FRh + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: vLjrafvp + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: GP94 + operator: 駑Ŀ峇[ɕdž0 + values: + - jjNFKv8 + - uG7Rs + - ApO075 + weight: -549077137 + - preference: + matchExpressions: + - key: R88 + operator: Dzv)bôȏ磜覐橮波赘T^ + values: + - DscaGMdgXV + - uy + - N3d + - key: "" + operator: 誮Vw!/毴Z匌忶ª渆 + values: + - 4mX0s + - key: byy + operator: 鿟y馡錥HJ鶟b左Ő*čt顭塶 + values: + - 6oQ + - 9r22TM + matchFields: + - key: fNLkt + operator: "" + values: + - tW + - M03GnpfhQn + - key: WQQs + operator: 騡(Í芝x焍麅ɰ窓ɶÜò鵹 + weight: 579622465 + podAffinity: {} + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: {} + namespaceSelector: + matchLabels: + IYAfjz: GloAc + namespaces: + - hfFjlR + - KWIdaP11Y + - 3Dn + topologyKey: UB + - labelSelector: + matchExpressions: + - key: B7LSh + operator: ɉ邦夝ɷ1傹Þ袳@ɲ鉴 + matchLabelKeys: + - "n" + namespaceSelector: {} + namespaces: + - 88M + - fIEJUewFK + topologyKey: i + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: [] + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 1372450161 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -913177144 + periodSeconds: 912808843 + successThreshold: -765941931 + timeoutSeconds: 1174210794 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 1666039794 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 989921147 + periodSeconds: 536392931 + successThreshold: 1020018972 + timeoutSeconds: 1790731281 + resources: {} + securityContext: + capabilities: + drop: + - ɿX齀蹪 + privileged: true + procMount: Ƚ[孠犥ƶʒ)遷U竕 + runAsGroup: 5229411704597624000 + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: U6f3w + name: ooYxXE + subPath: "" + - mountPath: qzOMXCl + name: Hmms9 + subPath: "" + - mountPath: dXa6uPxR + name: "" + subPath: "" + - mountPath: q + mountPropagation: 跐ʩ4鄧SD炿ɜǚhU + name: "" + subPath: SCLzbAMUW3x + subPathExpr: nzFw + - mountPath: cX8U + mountPropagation: b幈簇@艭K + name: b + readOnly: true + subPath: u5fY + subPathExpr: TRymQ + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + ggwC: SQ + rIwToCbB: tUBM5 + priorityClassName: JnI8 + securityContext: + fsGroup: -2594082004410587000 + fsGroupChangePolicy: 'ċV1鯍E ' + runAsGroup: -880388195249084200 + runAsNonRoot: false + runAsUser: -9051010573896130000 + supplementalGroups: + - -2777109499517678000 + serviceAccountName: Utu8ZHG2 + tolerations: [] + topologySpreadConstraints: + - labelSelector: {} + maxSkew: -154369657 + minDomains: -319419210 + nodeTaintsPolicy: '#Vʅ糗斬ƈ橮IJȶ纀' + topologyKey: dTnKex + whenUnsatisfiable: '@OȤ驮Ʀ琓' + volumes: + - configMap: + name: qhaD + name: configs + - name: ooYxXE + secret: + defaultMode: 45 + secretName: LyH9zvv + - name: Hmms9 + secret: + defaultMode: 429 + secretName: zvR + - name: "" + secret: + defaultMode: 39 + secretName: PC2Ms7 + - name: LeIYAb + - name: 176OvjD + - name: b6NpMGfVo1N +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + Lftu: PjroKEh + qvZJNWSzR: Jpoyc0 + creationTimestamp: null + labels: + "": h0uSAPIi + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: vLjrafvp + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + kuKPk7: "" + name: qhaD +spec: + ingressClassName: cAir + rules: + - host: o + http: + paths: null + - host: i18Wi + http: + paths: + - backend: + service: + name: qhaD + port: + number: 8080 + path: apsXYvp + pathType: 7q5 + - host: 8eBXg + http: + paths: + - backend: + service: + name: qhaD + port: + number: 8080 + path: cMbMbCQl + pathType: gJT + - backend: + service: + name: qhaD + port: + number: 8080 + path: XvfTwH + pathType: 4se + tls: + - hosts: + - fqD + - JDOgIG + secretName: vzUD + - hosts: + - M6H + - T + - twxgtsi + secretName: lg5siLdo +-- testdata/case-027.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: + "": ta51q + RW5sX: LXvP + creationTimestamp: null + labels: + Q0: "" + T4ZmAFi: nfIb0b + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: h9P + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 55C9f3 + namespace: default +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + Gi0OSuP5jF: ARBECJB + qId: Bo + wPKI: "" + creationTimestamp: null + labels: + Q0: "" + T4ZmAFi: nfIb0b + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: h9P + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 61hunk + namespace: default +spec: + ports: + - name: http + port: 376 + protocol: TCP + targetPort: 473 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: h9P + type: G2gqK +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + "": ZtbWlWc + y1ML9Hmg: d6h9 + creationTimestamp: null + labels: + Q0: "" + T4ZmAFi: nfIb0b + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: h9P + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 61hunk +spec: + ingressClassName: Ijdd3 + rules: + - host: chart-example.local + http: + paths: + - backend: + service: + name: 61hunk + port: + number: 376 + path: / + pathType: ImplementationSpecific + tls: + - hosts: null + secretName: x + - hosts: null + secretName: aSf1 +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "61hunk-test-connection" + namespace: "default" + labels: + Q0: "" + T4ZmAFi: nfIb0b + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: h9P + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: jkqm + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['61hunk:376'] + restartPolicy: Never + priorityClassName: bpi +-- testdata/case-028.yaml.golden -- +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + BKrxjHNg8: qlqPhj + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 5XQu4RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: odFI2M4 +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: aM + kafka-sasl-aws-msk-iam-secret-key: pcNJ4lPh + kafka-sasl-password: OT9m4 + kafka-schema-registry-password: 4VybIhiIU + kafka-schemaregistry-tls-ca: FVWvaL5HS3DE + kafka-schemaregistry-tls-cert: UqZl + kafka-schemaregistry-tls-key: ch + kafka-tls-ca: 0h0Ac6CS + kafka-tls-cert: pNm4uHVMn + kafka-tls-key: "" + login-github-oauth-client-secret: 5XbGmlDmls + login-github-personal-access-token: y0PF13 + login-google-groups-service-account.json: w3 + login-google-oauth-client-secret: lEvrgxa + login-jwt-secret: SECRETKEY + login-oidc-client-secret: VfRrL3 + login-okta-client-secret: 1Gm + login-okta-directory-api-token: hgmY7AyguR + redpanda-admin-api-password: WvzP1D53 + redpanda-admin-api-tls-ca: dxtnG + redpanda-admin-api-tls-cert: Rs3rHA8Qdb + redpanda-admin-api-tls-key: 7hsD +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + BKrxjHNg8: qlqPhj + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 5XQu4RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: odFI2M4 +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + BKrxjHNg8: qlqPhj + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 5XQu4RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: odFI2M4 + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 5XQu4RW + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + VLzukyGLL5H: "" + creationTimestamp: null + labels: + BKrxjHNg8: qlqPhj + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 5XQu4RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: odFI2M4 + namespace: default +spec: + replicas: 278 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 5XQu4RW + strategy: + rollingUpdate: {} + type: 砓涶rƀł庫x烮ȯ~茤įêŎZ姮Ⱦ + template: + metadata: + annotations: + YefFO9J: uVUZra + checksum/config: cc3f7478d926a8c80ab516ac0060a56c87bbbfdd227b765567fa8644fbee7f09 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 5XQu4RW + n8PG: NEb + sINjD1zSK: exkAcWK3 + yG: T + spec: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + 9yhGd: kXTYKV + xb5Co: trB98 + matchLabelKeys: + - gTre + - 3SLXY + namespaceSelector: {} + namespaces: + - q + - j3 + - k76qB + topologyKey: gz6KtIn43 + - labelSelector: + matchLabels: + 9slaN: 9Cv + M: NcJRMIAxd6 + f4JK: QX + matchLabelKeys: + - BGI9Dr + mismatchLabelKeys: + - SZUKIlPB + - WzTTmXWoFc + - wXLg9viobEw + namespaceSelector: + matchLabels: + MZx: u + NztFyV3: EvzmJzLQcn + topologyKey: iLs + - labelSelector: + matchExpressions: + - key: d3S + operator: ò洏ʓ暝歆Ű鈰钌鸔栵ù舁Tb曯ƫ貊ȵ + values: + - sanCz + - lZ + - 5rZ0 + matchLabels: + MEoILl9k: Jd + hVfX4: "" + "n": yhV + matchLabelKeys: + - HOI + namespaceSelector: + matchLabels: + fodO5ovc74m: lvF + mlCh: E1 + ve7: r4P5biTA + topologyKey: CtXr + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: wti + value: AYZm + valueFrom: + configMapKeyRef: + key: Sxryl + name: xXe78 + fieldRef: + apiVersion: HoyJsUxLKd + fieldPath: 2Ns + secretKeyRef: + key: w7WydZL + name: CgxV7 + optional: true + - name: eEKnv + value: BBAXaggk0n + valueFrom: + secretKeyRef: + key: GRP + name: dYBHtrO + optional: true + - name: KAFKA_SASL_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-sasl-password + name: odFI2M4 + - name: KAFKA_PROTOBUF_GIT_BASICAUTH_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-protobuf-git-basicauth-password + name: odFI2M4 + - name: KAFKA_SASL_AWSMSKIAM_SECRETKEY + valueFrom: + secretKeyRef: + key: kafka-sasl-aws-msk-iam-secret-key + name: odFI2M4 + - name: KAFKA_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-tls-ca + - name: KAFKA_TLS_CERTFILEPATH + value: /etc/console/secrets/kafka-tls-cert + - name: KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-ca + - name: KAFKA_SCHEMAREGISTRY_TLS_CERTFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-cert + - name: KAFKA_SCHEMAREGISTRY_TLS_KEYFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-key + - name: KAFKA_SCHEMAREGISTRY_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-schema-registry-password + name: odFI2M4 + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: odFI2M4 + - name: LOGIN_GOOGLE_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-google-oauth-client-secret + name: odFI2M4 + - name: LOGIN_GOOGLE_DIRECTORY_SERVICEACCOUNTFILEPATH + value: /etc/console/secrets/login-google-groups-service-account.json + - name: LOGIN_GITHUB_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-github-oauth-client-secret + name: odFI2M4 + - name: LOGIN_GITHUB_DIRECTORY_PERSONALACCESSTOKEN + valueFrom: + secretKeyRef: + key: login-github-personal-access-token + name: odFI2M4 + - name: LOGIN_OKTA_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-okta-client-secret + name: odFI2M4 + - name: LOGIN_OKTA_DIRECTORY_APITOKEN + valueFrom: + secretKeyRef: + key: login-okta-directory-api-token + name: odFI2M4 + - name: LOGIN_OIDC_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-oidc-client-secret + name: odFI2M4 + - name: REDPANDA_ADMINAPI_PASSWORD + valueFrom: + secretKeyRef: + key: redpanda-admin-api-password + name: odFI2M4 + - name: REDPANDA_ADMINAPI_TLS_CAFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-ca + - name: REDPANDA_ADMINAPI_TLS_KEYFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-key + - name: REDPANDA_ADMINAPI_TLS_CERTFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-cert + envFrom: + - configMapRef: + name: I6Dbq + optional: false + secretRef: + name: fhgE + optional: false + - prefix: L0m + - configMapRef: + name: pVHt + optional: true + prefix: 0xFYui3Ke2pJ + secretRef: + name: IBHH4sd + optional: false + image: qnkfx/ARBa:BetSp + imagePullPolicy: ȸ才TkâĆ8o + livenessProbe: + failureThreshold: -544797053 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1464359845 + periodSeconds: -775253635 + successThreshold: -2065370772 + timeoutSeconds: 3873767 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 286014638 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -1755094379 + periodSeconds: 712612179 + successThreshold: 1265199044 + timeoutSeconds: 939664799 + resources: + limits: + H2g: "0" + requests: + i0vpd: "0" + piR58NXU: "0" + securityContext: + privileged: true + procMount: '`4乬+ʍÿȦ!常ʥ_' + readOnlyRootFilesystem: false + runAsNonRoot: true + runAsUser: 8119235947749130000 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: hHTC4sQ + mountPropagation: ƭ埢Ş@ʮ擈Ɓsmďĝ + name: mVbo + subPath: bI + subPathExpr: q6R + - mountPath: "" + name: gC + readOnly: true + subPath: 5xyS + subPathExpr: Ju9L6o + imagePullSecrets: + - name: Nu2 + - name: j0 + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + fD: q5Hun + priorityClassName: u8cTjKLB + securityContext: + fsGroup: -9123846953160880000 + fsGroupChangePolicy: UƻA竘锵]湞ȊM + runAsNonRoot: false + runAsUser: 2594597056592417300 + sysctls: + - name: 4eRaw + value: HnWeNFR + - name: 4hP + value: UoCU8Ni + - name: d + value: TpLFHKFo + serviceAccountName: 5zV + tolerations: + - effect: x)|綻%ŴC¸÷G) + key: 6c + operator: 皐łʨɆ挓R衯Ǫ诌ƍ爂vĂB麧尣Ć* + tolerationSeconds: 341291117142213700 + value: 45gIZCr + - effect: ɿ鎅ɸƱɿ韆頟R躦0P^,豐ƨe祠攇覙 + operator: ß¼ʐȻ*溃N妞 + tolerationSeconds: -7034164218355111000 + value: xb5 + topologySpreadConstraints: [] + volumes: + - configMap: + name: odFI2M4 + name: configs + - name: secrets + secret: + secretName: odFI2M4 + - name: 0nP + - name: 5Mq +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "odFI2M4-test-connection" + namespace: "default" + labels: + BKrxjHNg8: qlqPhj + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 5XQu4RW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: Nu2 + - name: j0 + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['odFI2M4:8080'] + restartPolicy: Never + priorityClassName: u8cTjKLB +-- testdata/case-029.yaml.golden -- +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + HzuQ: mCfbHBQ + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 3Wh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + xi7L: ibI45 + name: HK +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + roles.yaml: |- + roles: + - null + - null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + HzuQ: mCfbHBQ + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 3Wh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + xi7L: ibI45 + name: HK +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + 33Yi: tesf5 + creationTimestamp: null + labels: + HzuQ: mCfbHBQ + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 3Wh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + xi7L: ibI45 + name: HK + namespace: default +spec: + ports: + - name: http + port: 389 + protocol: TCP + targetPort: 52 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 3Wh + type: sIQBZD +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + WVwaqt: gTMC + s6HZpOA: bc0 + sZaCXy: LXRQNTghxb1 + creationTimestamp: null + labels: + HzuQ: mCfbHBQ + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 3Wh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + xi7L: ibI45 + name: HK + namespace: default +spec: + replicas: 385 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 3Wh + strategy: + rollingUpdate: {} + template: + metadata: + annotations: + IVy: ho3qpcI + checksum/config: ed80a6573dafe73ab884b6322e9c75c1018d618e61286f9e61f445266092293d + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 3Wh + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: hPtYq9oSSQ + operator: ŗ妃Mīú玢盛 + values: + - T0M + - aywAkbl + - key: F7yCY + operator: '2Pl@äEɜś`PȾ槯c:' + values: + - n7sIXrD6 + - 5EPSQgq3v + matchFields: + - key: wOOgY + operator: 乾Ǧ + values: + - GqfE + - key: gRF5bu + operator: DŸQ95ʊÊj蕵髪OHōM4Ľɝ钣 + values: + - 2rEXM1C + - BB + - key: TK75p + operator: 譌嵡荀Ș枻賿ė + values: + - MHB + - sI + weight: -1638497382 + - preference: + matchExpressions: + - key: sgUr6t + operator: ʁE'[剳嫯Ȧ梳*&櫺窟ľ幣ɥ{紌 + values: + - 6x + - NRmDb1X + - key: VrZW4eZ + operator: 蘨ȘÚ籘J嬋JƒÎhUl田U + values: + - 0cG6ed0 + - I + - key: Ui + operator: 遂樸tUŏǞF)橷嵱 + values: + - mUT9H9 + matchFields: + - key: zzI6 + operator: ƈ肶帅ʒb漄i + values: + - 9Xi0r + - key: Bm + operator: 嚏鈻峓霙ʊcʔ暏g圖鹔夺mą¹跑 + values: + - tvOC + weight: 1006541829 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: ZlUi + operator: ʯ鼙%淹ȏ č>稄鱑Í朹s狑Ȱ螪;ǃ嘲 + values: + - gIlS + - 5lD7AvT7I + - "8" + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: hi0zfFEN + operator: 裧禿 + values: + - SymXRnv + - iKr + mismatchLabelKeys: + - wesfXhv + - Z78yvK + namespaceSelector: + matchExpressions: + - key: jqHt + operator: ûų:碃;ė燱5ìb-垢xźɆ + values: + - u8cOuqy + matchLabels: + "8": nCrnu + Fd: 5YhLJD3 + r5sMi70hp4TeB: KrDX7d + namespaces: + - LOH + - 9EvOI7HWh + - 5sHJp + topologyKey: "" + weight: 403248696 + - podAffinityTerm: + mismatchLabelKeys: + - Vrf + namespaceSelector: + matchExpressions: + - key: 5w + operator: '|泀ŏ咙ƚ' + matchLabels: + 4vRvwhR: Nz + T6uTCUGiwx: lS + ZuFER: Db8xhFevK + topologyKey: K7NA + weight: 249855905 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: No2 + operator: Ɗ]鿇躠骐 + matchLabels: + 7nohEoAMei: WrMV + ddLK: 2ehkh + qtrhf: EAAqHFcrjgT + mismatchLabelKeys: + - DrrBoq + - Nh + namespaceSelector: + matchExpressions: + - key: BEXHPr1wQ + operator: 傝魦voȪwć撈 + values: + - i3 + - gUU + - 7nmbvkGs + matchLabels: + Rh65F: rKR + namespaces: + - 1x9DGG + - xKj137E + topologyKey: CSNQy1M + - labelSelector: + matchExpressions: + - key: psq4G + operator: ɓƦ + - key: 3IlNf + operator: ćȬ4鏉1, + values: + - L0 + namespaceSelector: + matchExpressions: + - key: nVgt + operator: ɤ湿ŭò-ɋ鼴)箥Ȅ鋖ʄBK + - key: GD7 + operator: 峄9ƚ涙閉ʃ謩云飠:鎂玚wƁȖ] + values: + - i8cg6A + - TeOYSsj + topologyKey: rEB + - labelSelector: + matchLabels: + s0PrY366si5H: Qwj + ytBgNf0: e + mismatchLabelKeys: + - eylzvu + - q + namespaceSelector: + matchExpressions: + - key: os4H6DpxQ + operator: 5õċ鋵葿葄痄ɍ览逪ȋ`j + matchLabels: + vL3arho: gPmLG + namespaces: + - PjQTIWTFeK + - g5HCelWpMjnF + - QN3mXW + topologyKey: I5osiWTrzhb + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: HK + envFrom: [] + image: nZ5PG/5q2qCT:z10JAfCu + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: -1989869025 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 56050789 + periodSeconds: 193173949 + successThreshold: -1606638368 + timeoutSeconds: -1117024654 + name: console + ports: + - containerPort: 52 + name: http + protocol: TCP + readinessProbe: + failureThreshold: -509957017 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1816814831 + periodSeconds: 406466643 + successThreshold: 450108513 + timeoutSeconds: -1862950899 + resources: {} + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - 邻ȸNJ"纴ý汫篤訙铵寄貹Z[逗ą弣 + - lǀ敕ɖ + privileged: true + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 3375680259081538600 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: P + name: zBgE7HVQ + subPath: hw6PBLgv5R + subPathExpr: YAI5mPj5 + - args: + - K9 + - 02olyp + env: + - name: F + value: rhVGTadjT + valueFrom: + configMapKeyRef: + key: 3TA0cg2R2 + name: DLZ + fieldRef: + apiVersion: s + fieldPath: Ux + resourceFieldRef: + containerName: avop + divisor: "0" + resource: itl5J4xK4 + secretKeyRef: + key: Av9eKok + optional: false + - name: QaOLYDLT + value: FQu + image: 1MFnpZG + imagePullPolicy: 脓 + livenessProbe: + exec: + command: + - lH4S + failureThreshold: 1311534645 + grpc: + port: 1048835191 + service: p5EtELTs + httpGet: + path: Zjrv + port: Ypah5av + scheme: þʙ龠ȉ%Vę皓ŏ蟝ǙĿìɋN + initialDelaySeconds: 1980070741 + periodSeconds: -728109708 + successThreshold: 1412960079 + terminationGracePeriodSeconds: 4797597904045468000 + timeoutSeconds: -1164059804 + name: oron + readinessProbe: + failureThreshold: -1734715333 + grpc: + port: -673781482 + service: 20iHh + initialDelaySeconds: 270804414 + periodSeconds: 1240219458 + successThreshold: 957649997 + terminationGracePeriodSeconds: -7921460752123720000 + timeoutSeconds: 2069469191 + resizePolicy: + - resourceName: M29 + restartPolicy: tL + - resourceName: WK + restartPolicy: T軂>ȋ1觫蚴Ș + resources: + limits: + KS: "0" + ZDx: "0" + kIjQHQZ: "0" + requests: + BSB: "0" + restartPolicy: LJW獮 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ɺ嚹晐囕胐ƻ + - ņɹ桴O塾q6賤呋f铰}Ʒ輽ʁ[顝 + runAsGroup: 6868723237582569000 + runAsNonRoot: true + runAsUser: 433131246318901200 + startupProbe: + exec: + command: + - mB6 + - Om9w + - "" + failureThreshold: -1184477652 + grpc: + port: -1276243610 + service: m6d + httpGet: + host: VzPuwIiTpY + path: C + port: 0NYj1C + scheme: V=@彆鈂t³Ɉµs斾m蛊ɲ + initialDelaySeconds: -898287287 + periodSeconds: -413255468 + successThreshold: -1510482870 + terminationGracePeriodSeconds: 4884332649151511000 + timeoutSeconds: -1445193311 + stdinOnce: true + terminationMessagePath: DQTH7 + terminationMessagePolicy: ÈɁ;ň);ɑI×ĕ觫'ɣ + volumeDevices: + - devicePath: v + name: AZ6wCimJFM + - devicePath: ZtIx + name: GFe3 + volumeMounts: + - mountPath: tt + mountPropagation: 侮E墝調cé攊疀" + name: UJ + readOnly: true + subPath: JlqP + subPathExpr: lA2v + workingDir: OV90 + - command: + - 8jHRuz + envFrom: + - configMapRef: + optional: false + prefix: yfl3PI + secretRef: + name: r7eR + optional: true + image: m4Etaoz8Bf + imagePullPolicy: okÛļ閷YƗzƄǧ + lifecycle: + postStart: + exec: {} + httpGet: + host: zu9aQLsX + path: xIFogzAoC + port: 1MjUE + scheme: 斔疏ʟn菝 + preStop: + exec: {} + livenessProbe: + failureThreshold: -1399917612 + grpc: + port: -876522011 + service: 2y + httpGet: + host: X9nNdf + path: 8mVJlz + port: 220487349 + scheme: 兇)hr裳ǔ湟钑>ȓn厠tū晣颊 + initialDelaySeconds: -968878635 + periodSeconds: 411754743 + successThreshold: 2083381130 + terminationGracePeriodSeconds: 2736468416107855400 + timeoutSeconds: -423937148 + name: Or + readinessProbe: + failureThreshold: 1628351372 + grpc: + port: -1466105410 + service: b + httpGet: + host: 8kOz + path: IhSlrBw8tiX + port: 1Vd + scheme: qV·dƖ> + initialDelaySeconds: 735135195 + periodSeconds: -175995819 + successThreshold: 1379601279 + terminationGracePeriodSeconds: 386635447886660740 + timeoutSeconds: 125503732 + resources: + limits: + LuudLJ9i: "0" + iXpYUWY: "0" + mHi: "0" + requests: + XLnFU: "0" + mSq9e3u: "0" + t6WYwzmga: "0" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - ɭ鎣肪綢ȀNj8)屫鈄骸嗢æ憰qWTƶ剡 + - "n" + - OwkʙƝk}ɾ丧< + drop: + - Ť<嶼ȯ愉9宆嵧pɡ%ɐxė鹞鸵鏞 + - ƅgʆ炊ƞąÙ$Ǯ帶SȔ黌畕ǦƖȫV9 + - Ŏʠ羮ɍ痘摬 + privileged: true + runAsGroup: 5710532895986022000 + runAsUser: -7207500526873246000 + startupProbe: + failureThreshold: 2053062827 + grpc: + port: -1076044334 + service: s8s7 + initialDelaySeconds: 7348194 + periodSeconds: 889500482 + successThreshold: -645465298 + terminationGracePeriodSeconds: 4356974427366500000 + timeoutSeconds: 136481601 + stdinOnce: true + terminationMessagePath: t4pW + terminationMessagePolicy: ƣ + volumeDevices: + - devicePath: Df8O3UFZ + name: QL93u + - devicePath: WKg + name: nD4H + volumeMounts: + - mountPath: xs9 + mountPropagation: e羝ș+oũ蘘汉 + name: grr + readOnly: true + subPath: aUYSuUM6f + subPathExpr: mm773yL + workingDir: o + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + Jy9: v + VcMeUW2U: xOwcDQYY + wkI: TbemvxUUg + priorityClassName: sLkcwZ + securityContext: + fsGroup: 99 + runAsGroup: -9040107238323409000 + runAsNonRoot: false + runAsUser: 99 + serviceAccountName: 43zobnL + tolerations: + - effect: 蜆³Ə抴璖獍ä鷲炥/=霒0ǷU伀稂ı + key: EMvrrkeG3 + operator: Ȓǒs夃Ȑɉ鋄蛓m÷,旂 + value: yd + - effect: 旌;"ȡ媟窐:ljʥh蓭殰Ȩƴ邃ȬIȻL + key: n87GpiB + operator: '偵~ȥʢȈ珎ſ龕5sʠŇưT4-§Ƀ ' + value: TUaznROmQffrRe1 + topologySpreadConstraints: [] + volumes: + - configMap: + name: HK + name: configs + - name: secrets + secret: + secretName: HK + - name: "" + - name: SXJ +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "HK-test-connection" + namespace: "default" + labels: + HzuQ: mCfbHBQ + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 3Wh + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + xi7L: ibI45 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['HK:389'] + restartPolicy: Never + priorityClassName: sLkcwZ +-- testdata/case-030.yaml.golden -- +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + T: f0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: J + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + jwrBMvwfg: K6I5HsI5 + nk8eJc: nS + name: G9 +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: DtIy + kafka-sasl-aws-msk-iam-secret-key: 9xCf7 + kafka-sasl-password: 8F + kafka-schema-registry-password: krNk2 + kafka-schemaregistry-tls-ca: 5I73C + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "34" + kafka-tls-ca: DaT + kafka-tls-cert: LaU0jwOpGv + kafka-tls-key: "" + login-github-oauth-client-secret: BoOjni + login-github-personal-access-token: uUxZ + login-google-groups-service-account.json: NulwlJ + login-google-oauth-client-secret: oeL6p7fcL + login-jwt-secret: SECRETKEY + login-oidc-client-secret: yRSh2 + login-okta-client-secret: xKLBJ9ZAR + login-okta-directory-api-token: HTZWfHt + redpanda-admin-api-password: 5DQTqKD + redpanda-admin-api-tls-ca: m5pg + redpanda-admin-api-tls-cert: yfP + redpanda-admin-api-tls-key: gzG +type: Opaque +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + T: f0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: J + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + jwrBMvwfg: K6I5HsI5 + nk8eJc: nS + name: G9 + namespace: default +spec: + ports: + - name: http + port: 250 + protocol: TCP + targetPort: 475 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: J + type: QAVsE +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + T: f0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: J + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + jwrBMvwfg: K6I5HsI5 + nk8eJc: nS + name: G9 +spec: + maxReplicas: 10 + metrics: + - resource: + name: cpu + target: + averageUtilization: 227 + type: Utilization + type: Resource + - resource: + name: memory + target: + averageUtilization: 477 + type: Utilization + type: Resource + minReplicas: 306 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: G9 +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "G9-test-connection" + namespace: "default" + labels: + T: f0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: J + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + jwrBMvwfg: K6I5HsI5 + nk8eJc: nS + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: wu1 + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['G9:250'] + restartPolicy: Never + priorityClassName: KuRS +-- testdata/case-031.yaml.golden -- +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - {} + - {} + roles.yaml: |- + roles: + - {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: xknw + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + q4ZdG9q: IJWaYu9mhun + sFTTcyl: qVyaa0ULC + name: 59cQ0qKLI +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: xknw + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + q4ZdG9q: IJWaYu9mhun + sFTTcyl: qVyaa0ULC + name: 59cQ0qKLI + namespace: default +spec: + ports: + - name: http + port: 112 + protocol: TCP + targetPort: 375 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: xknw + type: N9chrF +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: xknw + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + q4ZdG9q: IJWaYu9mhun + sFTTcyl: qVyaa0ULC + name: 59cQ0qKLI +spec: + maxReplicas: 25 + metrics: + - resource: + name: cpu + target: + averageUtilization: 460 + type: Utilization + type: Resource + - resource: + name: memory + target: + averageUtilization: 169 + type: Utilization + type: Resource + minReplicas: 20 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: 59cQ0qKLI +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + Q: 3KXvHleq + YUY: BD + mdCRk: Ilk9wDjAw + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: xknw + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + q4ZdG9q: IJWaYu9mhun + sFTTcyl: qVyaa0ULC + name: 59cQ0qKLI +spec: + ingressClassName: GuB1VTCp + rules: + - host: WsTbK7W + http: + paths: + - backend: + service: + name: 59cQ0qKLI + port: + number: 112 + path: MKCR56 + pathType: hEV + - backend: + service: + name: 59cQ0qKLI + port: + number: 112 + path: "6" + pathType: pv + - backend: + service: + name: 59cQ0qKLI + port: + number: 112 + path: rNv + pathType: L0CY1c8 + - host: OxFD + http: + paths: null + - host: Ojx + http: + paths: null + tls: + - hosts: + - C + - wxjmQWXDn + secretName: ESgom5IBQR +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "59cQ0qKLI-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: xknw + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + q4ZdG9q: IJWaYu9mhun + sFTTcyl: qVyaa0ULC + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: 2Ry3vDGf6 + - name: PE5R + - name: uWsoZ + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['59cQ0qKLI:112'] + restartPolicy: Never + priorityClassName: mFg +-- testdata/case-032.yaml.golden -- +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - K8wnWSD: null + bwYE7: null + y4j: null + - GvFfKdgL: null + enU8G4: null + wvnJcOn: null + - td7: null + roles.yaml: |- + roles: + - YQBucbbDX2R: null + - 2UuDKjR: null + IV0Yus9: null + ci20SljQkhw: null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + B19ue: 8W + Kxm5R1: R + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: wB + app.kubernetes.io/version: v2.7.0 + e3Cx: MIAO + helm.sh/chart: console-0.7.29 + name: llK4G +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + B19ue: 8W + Kxm5R1: R + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: wB + app.kubernetes.io/version: v2.7.0 + e3Cx: MIAO + helm.sh/chart: console-0.7.29 + name: llK4G + namespace: default +spec: + ports: + - name: http + port: 418 + protocol: TCP + targetPort: 486 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: wB + type: aaIqePq +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + xpNWT: MpOZ + creationTimestamp: null + labels: + B19ue: 8W + Kxm5R1: R + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: wB + app.kubernetes.io/version: v2.7.0 + e3Cx: MIAO + helm.sh/chart: console-0.7.29 + name: llK4G + namespace: default +spec: + replicas: null + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: wB + strategy: + rollingUpdate: {} + type: ȁ进辫fu + template: + metadata: + annotations: + checksum/config: ae52af057e6331e5caa1d321881f906df93659aa45a5458c4dd4ae890cf7695b + creationTimestamp: null + labels: + So: waKMMvnY + VXPE0: 8ExVsj + app.kubernetes.io/instance: console + app.kubernetes.io/name: wB + ip1RGEzt4t6: "1" + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: {} + weight: 735732238 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: cFkyLM + operator: 岊B + - key: V3cKSq + operator: ǟ濈1ɑÎ"孲ȀŨFhŲ + values: + - hz + - matchExpressions: + - key: 8N + operator: 9´敤T + values: + - amWROpS + matchFields: + - key: 7hmWbsKS + operator: "" + values: + - lS + - slkOyX + - YlwPcdVh + - matchExpressions: + - key: n5YD + operator: Əüʢ軾ŚũɳnŒ + values: + - 5s4eD6x + - WMkZIzS40rxp + - zCnW + - key: JawyIOLo + operator: 巳c習Gnƛ{ɩ¯Ĭ枺lȜʩ泿趏ǙĊi + values: + - Fvzyw13fUZC + - 4w9T3GeG + - mVj9N + matchFields: + - key: 4amyTWvhx + operator: Ąŵ8雌%ɸ*W褒卒S + values: + - cPr0Nm2WFo1dBq + - a + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: XgsMMBS + operator: ȗ諹 + values: + - foI + - NN1yiUNR + matchLabels: + Qq: VB19aUlI + mismatchLabelKeys: + - hcD + namespaceSelector: + matchLabels: + vMT90cNq3PYf2z: upe + topologyKey: RSVn9W + weight: 603398420 + - podAffinityTerm: + labelSelector: {} + mismatchLabelKeys: + - 4IL0rEe9 + - yY0RMU2 + namespaceSelector: + matchExpressions: + - key: tIka9jS + operator: 7怘xə4ÏɦW + values: + - l + - ajs6c + - hkYj + - key: Qu + operator: ʊ鏀ɑ蒀刹gE + values: + - 2UvY + - hRB1wKXyHi9 + topologyKey: ZKWyn5kI + weight: -1674108352 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: KQfZ4 + operator: ġȁAu盝ȭƈŦ齬{z + values: + - itNS0T + - jL + - key: q0HemjU + operator: e銳ȇ葁õDÏ筃 + values: + - M5yeE + - gJJY + - HInHzXgX + - key: d1LKZ1 + operator: Q + matchLabels: + XElv: QGJ + nD: kNCk5qe + wUtw34v: sCjj5z + matchLabelKeys: + - ej9hOPjp7W + mismatchLabelKeys: + - lhU9gP + - T7rMlvu + namespaceSelector: {} + namespaces: + - ii3aa + topologyKey: 8U7 + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: CkQsu4fS + operator: 鄦&ɲȅ + values: + - RVnwZ + - EVk + - key: yt + operator: 傓N嬅宠H^÷ + values: + - 1L + - rVQPs + - dUHOKQ + - key: hQ1Tl + operator: ɣë筁尻!絜辩^riʨ莠8dƋ + values: + - 4D6Y + - 5TXh + - 8RH + matchLabels: + "9": jb2X + IdL: PQj0N + iB09Upiijt: JpN + matchLabelKeys: + - rKS9p8 + - sK8p + namespaceSelector: + matchExpressions: + - key: KQ6 + operator: '篛I6ÝBŘ F媍/:' + values: + - NXP47Fm + - Z0Qh2Y4 + - JeWX + - key: Yh + operator: '!j3W' + values: + - mTm5dkO58H + - "" + - key: 6q + operator: 景¨Sŝvo/ + values: + - TrgtrP + - zqIsId + matchLabels: + 7E3A1K: "7" + 63IlVL: aSxc + W1hP: 1H9k3O + namespaces: + - "" + - 2Ma + topologyKey: FFqt + - labelSelector: + matchLabels: + "": wklJJ + C8JZ: LP + U1pz: kAE1l4 + matchLabelKeys: + - shj5V + - oU074y + - Ufq2w + mismatchLabelKeys: + - oBzMiOSgd + - iSF + namespaceSelector: + matchExpressions: + - key: fCbLu + operator: 塊衅m鑀ȣ戢ŭ阻蹯ȟ獇ɨ + values: + - B6TgQ75 + - FAHTEOSesQ + - Ms2Kw7XQ + - key: 133fMqId + operator: "" + values: + - pJc0Zu8 + - T1PEuV0uism + matchLabels: + 1rfPa2b4Ny: cemR + Np9l: lcX + SjNYy4: VZX + namespaces: + - 7W + - umFBWrpUDHv + - "" + topologyKey: pPUIqPXo + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LICENSE + valueFrom: + secretKeyRef: + key: bujGpO7D0C + name: V + envFrom: + - configMapRef: + name: nJXDn + optional: true + prefix: g3ZpAEUJC + secretRef: + name: 5Yin + optional: true + - configMapRef: + name: spYG9o0 + optional: false + prefix: Wv01 + secretRef: + name: BxDbe + optional: true + image: mU/xY76Tj:AgKh6S1 + imagePullPolicy: "" + livenessProbe: + failureThreshold: 1396135036 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1526591550 + periodSeconds: -972224922 + successThreshold: -39437670 + timeoutSeconds: -1229662908 + name: console + ports: + - containerPort: 486 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 1061708880 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1618839364 + periodSeconds: -2098998213 + successThreshold: -846859522 + timeoutSeconds: 1824930679 + resources: {} + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - 退晦Ţ鲛 + - '}ʄ攏嫫;Mǐ豒ɇf,搅Ð貑ș|Óf' + privileged: false + procMount: D + readOnlyRootFilesystem: false + runAsGroup: 1564095685271138800 + runAsNonRoot: true + runAsUser: -3929576237300142600 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - args: + - T + - Pvf1yAamEa + - jQE8UakuY + env: + - name: 3g + value: JexRP + valueFrom: + configMapKeyRef: + key: QZ + name: QcC + optional: true + fieldRef: + apiVersion: Iv + fieldPath: d7xQ + resourceFieldRef: + containerName: jLpJ + divisor: "0" + resource: m + secretKeyRef: + key: Quhh + name: HUhzPAEo85 + optional: true + - name: ehSBff + value: nHu + valueFrom: + configMapKeyRef: + key: v3Icanu + name: dNPJ8 + optional: false + fieldRef: + apiVersion: xO7UQDq0 + fieldPath: gAyGB6Nj4 + resourceFieldRef: + containerName: Bs2D + divisor: "0" + resource: xJCQsH + secretKeyRef: + key: 3T6tjIQWa0C + name: 8TvRbhP + optional: false + envFrom: + - configMapRef: + name: mf + optional: false + prefix: pZxp + secretRef: + name: v + optional: true + - configMapRef: + name: wosjc9 + optional: true + prefix: ehhmFeLY + secretRef: + name: Ll + optional: false + image: kZ8UUm + imagePullPolicy: Ɓ + lifecycle: + postStart: + exec: {} + httpGet: + host: K29SzZPo + path: y2bQL8 + port: Cr + scheme: 轂Ì蕏ʋ + sleep: + seconds: -3765902632580054500 + preStop: + exec: + command: + - 1pT5X + httpGet: + host: NouEQF + path: WITzSW + port: 1565482371 + scheme: ƒ塒廛鎐藽瀫 + sleep: + seconds: 1831382645860082000 + livenessProbe: + exec: {} + failureThreshold: -1525719681 + grpc: + port: 99688681 + service: xa0sl3k5KM + httpGet: + host: prjHPqf + path: RHwZIE + port: 2UZ7hXI + scheme: 瑀ċ廤ȵ + initialDelaySeconds: -1367665605 + periodSeconds: -1023789296 + successThreshold: 206844073 + terminationGracePeriodSeconds: -3901072071078889000 + timeoutSeconds: 1670691424 + name: t + ports: + - containerPort: 2046398071 + hostIP: pJg + hostPort: -1247541550 + name: DrYeHQ6 + protocol: ²ȑBŸ + readinessProbe: + exec: {} + failureThreshold: 852505381 + grpc: + port: 8093048 + service: "N" + httpGet: + host: uuaPC + path: Mpxk6p + port: -297149767 + scheme: 這伦礗鯪àe]雚腴k£ɂ闧ɦĚH鏰浳 + initialDelaySeconds: 296244720 + periodSeconds: 1237321103 + successThreshold: 722306410 + terminationGracePeriodSeconds: 7739978307238029000 + timeoutSeconds: -2129506856 + resizePolicy: + - resourceName: NBfNOBC + restartPolicy: ƞdWǝi鎠R殩杜Ś晚尒尧ǐ; + - resourceName: oDw8xEb + restartPolicy: ja侬ƕ + resources: + limits: + BJcVkW: "0" + Ub5Spt: "0" + nWi63TNlCyM: "0" + requests: + e5vcw0H: "0" + eKz0z: "0" + gK: "0" + restartPolicy: 嗈ǒɟNǭ臥穥Ť + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - $拷霒Ø耖} + - ijĸN藬?w粯痵餒薃辕5勅ů + - 幒Ƹʁòĺǂ浼GX + drop: + - 宖 + privileged: true + procMount: 凝 + readOnlyRootFilesystem: false + runAsGroup: -7000080292188881000 + runAsNonRoot: false + runAsUser: 9107304642056619000 + startupProbe: + exec: {} + failureThreshold: -208121509 + grpc: + port: 133215347 + service: pj4Kw + httpGet: + path: hGLW3 + port: -239286046 + scheme: YsÌǮŦʁ¡ē峪3 + initialDelaySeconds: -817672524 + periodSeconds: 1846655614 + successThreshold: -243958761 + terminationGracePeriodSeconds: 4190490525804645400 + timeoutSeconds: -973067987 + terminationMessagePath: 9vMe3Y + terminationMessagePolicy: 雍Wȯ嘷台厃$Țʍ13b霞两e + tty: true + volumeMounts: + - mountPath: yZbL + mountPropagation: 鲫絎Q(銞ÎÕX堙Ľ銃曅注t锋ɮj覧« + name: UFfAqsgd + subPath: wSo + subPathExpr: bIsBP3O + workingDir: DYBcINRq + - command: + - wgBryFN + image: NorbK + imagePullPolicy: 鉓Ĕʠ;兮)Frë + lifecycle: + postStart: + exec: {} + httpGet: + host: Z + path: 3v + port: W1vDkt + scheme: ŷ索gp=ŵāǼ餆嬦Ƹl媓R}豟ɠĖ. + sleep: + seconds: 1583583004300077000 + preStop: + exec: + command: + - XztEol6So + - GveA + - H4aUl + httpGet: + host: 75LDW + path: nu + port: I + scheme: 胛Uȁ¬ + sleep: + seconds: 4617693270470586000 + livenessProbe: + exec: {} + failureThreshold: 1423393786 + grpc: + port: 2097410769 + service: "" + httpGet: + host: W7 + path: PyPprD6 + port: dHwCyz + initialDelaySeconds: -1439644816 + periodSeconds: 182024489 + successThreshold: -1861505070 + terminationGracePeriodSeconds: -4166230023615503400 + timeoutSeconds: -704907360 + name: sFz5 + ports: + - containerPort: 1977465061 + hostIP: kxqRig + hostPort: 393211643 + name: DRO + protocol: ķǔȈ + readinessProbe: + exec: + command: + - mn + - 4TZCjrWPW18 + failureThreshold: 972699487 + grpc: + port: -1384519737 + service: IY5quWWV4JC + httpGet: + host: wq91i + path: Zy + port: -1192576969 + scheme: Á^_ + initialDelaySeconds: 2107832874 + periodSeconds: 1041520026 + successThreshold: -118135340 + terminationGracePeriodSeconds: -4946782594204673000 + timeoutSeconds: -1933961678 + resizePolicy: + - resourceName: MG7PMkMMObJJU + restartPolicy: §觫困Ȏ龝ƃȃɩ芴ÎĽ + resources: + requests: + I4: "0" + zLy: "0" + restartPolicy: 粛醑綇蝙Ɣò犁鶓A + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - 掀ǃA颺LnFąɏ動 + drop: + - 输6sĺ宯hĢ + - ĨƨO檔暰z + - Neɬ慿Ȁ0ɳ蠈ǚǦO¸Ğ崔ʂ¢剚 + privileged: false + procMount: 翄怉DžǬ?胉獄ǙƊɚx虉F + readOnlyRootFilesystem: false + runAsGroup: -1943526545280953900 + runAsNonRoot: true + runAsUser: -7089742793545457000 + startupProbe: + exec: + command: + - hDj + - ONyz91fkTFY9t3 + - ynDWkO + failureThreshold: -5561223 + grpc: + port: -1069825885 + service: oQmy + httpGet: + path: l4sWc + port: 53AhP + scheme: ȩ + initialDelaySeconds: -6165070 + periodSeconds: 1844899228 + successThreshold: 903779261 + terminationGracePeriodSeconds: -3909221818854749700 + timeoutSeconds: 746670574 + stdinOnce: true + terminationMessagePath: egr00cLki + terminationMessagePolicy: ɯ2鰌^坪yN蠏Ĵ + tty: true + volumeMounts: + - mountPath: YOyu1MjxN2 + mountPropagation: :鸛o鮓L`<]ơ1b忙n鲃{< + name: dODfVz + subPath: ZknFq + subPathExpr: oX1n + - mountPath: 4TEsoc + mountPropagation: 帺Õ斯剅ƫf鳌麓HƸŘÂ瘖?謾軌 + name: hau + subPath: w24Wq4e + subPathExpr: i2TEix + - mountPath: uuujj + mountPropagation: 氻ʃ2NFJ啼铗"O{À-ŧLJ弟 + name: klnXhhnxKk + subPath: SEx + subPathExpr: CK2FmmyYThL + workingDir: NCvZAa + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + ih: xT3Dk3PXT + xhq: vu + zLR9: wFjrfu + priorityClassName: WeB9y8 + securityContext: + fsGroup: 7101468120327600000 + fsGroupChangePolicy: ȴ鳁ƨ殳h`熡ƍʊ0ŀ擳琗图.AƱX滋 + runAsGroup: 4262945102741077000 + runAsNonRoot: false + runAsUser: -9214274730002703000 + supplementalGroups: + - 4135587743067906600 + - -2908166639165702700 + sysctls: + - name: Yo9 + value: zak2 + serviceAccountName: zpH + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: llK4G + name: configs + - name: 1zZI6J + - name: D + - name: OUqOnvjvba +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + B19ue: 8W + Kxm5R1: R + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: wB + app.kubernetes.io/version: v2.7.0 + e3Cx: MIAO + helm.sh/chart: console-0.7.29 + name: llK4G +spec: + maxReplicas: 459 + metrics: + - resource: + name: cpu + target: + averageUtilization: 497 + type: Utilization + type: Resource + - resource: + name: memory + target: + averageUtilization: 146 + type: Utilization + type: Resource + minReplicas: 198 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: llK4G +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + Lhm: f24CRNEJvs + pk6fq: "2" + creationTimestamp: null + labels: + B19ue: 8W + Kxm5R1: R + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: wB + app.kubernetes.io/version: v2.7.0 + e3Cx: MIAO + helm.sh/chart: console-0.7.29 + name: llK4G +spec: + ingressClassName: EXqR + rules: + - host: chart-example.local + http: + paths: + - backend: + service: + name: llK4G + port: + number: 418 + path: / + pathType: ImplementationSpecific + tls: + - hosts: + - xEciJGskt + - pBxfBltrqACoat + - INyj + secretName: Qy + - hosts: + - F6sf + - EHuJ + - 95my0 + secretName: XOIr +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "llK4G-test-connection" + namespace: "default" + labels: + B19ue: 8W + Kxm5R1: R + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: wB + app.kubernetes.io/version: v2.7.0 + e3Cx: MIAO + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['llK4G:418'] + restartPolicy: Never + priorityClassName: WeB9y8 +-- testdata/case-033.yaml.golden -- +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - 7x: null + Ia1K2tdRuYi: null + j6c9: null + roles.yaml: |- + roles: + - {} + - 6Vndf: null + f: null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: bCPeYVWao + app.kubernetes.io/version: v2.7.0 + gZ85uw3T: e + helm.sh/chart: console-0.7.29 + qO: F4dqLo67vKYZ + name: foGC +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + lrtdFF: 60R7 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: bCPeYVWao + app.kubernetes.io/version: v2.7.0 + gZ85uw3T: e + helm.sh/chart: console-0.7.29 + qO: F4dqLo67vKYZ + name: foGC + namespace: default +spec: + ports: + - name: http + port: 229 + protocol: TCP + targetPort: 59 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: bCPeYVWao + type: 2K35 +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: bCPeYVWao + app.kubernetes.io/version: v2.7.0 + gZ85uw3T: e + helm.sh/chart: console-0.7.29 + qO: F4dqLo67vKYZ + name: foGC + namespace: default +spec: + replicas: 390 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: bCPeYVWao + strategy: + rollingUpdate: {} + type: 呇弰$腕煴贔棳軀+œʃǀŖ* + template: + metadata: + annotations: + checksum/config: b3a4b261d0705e207d46ac15067d5c7d7c951cf0c0fa7736607331369bd47b6d + creationTimestamp: null + labels: + 1bb6: "" + 3U: mfPv + T: Q + app.kubernetes.io/instance: console + app.kubernetes.io/name: bCPeYVWao + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchFields: + - key: 1O + operator: 拺5ř(Ƅ餕ʟ{鐻Ƈ + weight: -2070567569 + - preference: + matchFields: + - key: JlGR + operator: 脱?ĶA蛜頒ǽGǷ藸 , + values: + - 8zZEVom + - TY + - FSSQQ + - key: w3C + operator: sɯeM^筘褑 + values: + - Q + - i48uKb + weight: -1969968900 + - preference: + matchExpressions: + - key: ZsgVr + operator: Eȗ + - key: RfMZL + operator: "" + - key: r + operator: džɬ毿鵮V町iAÉ橁zy题ʔu7ÆO9 + values: + - uj8h + matchFields: + - key: "" + operator: :止褮Ȃ宸 + values: + - 9h + - Do + weight: 1160212382 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: nmW + operator: '%U<Ȫk7家fƥ降]:' + values: + - e4hDXWb9G8Qi + - SynNDfUn + - C8kz + matchFields: + - key: QO0Q + operator: l!m0ʒbƹ豫ň + values: + - eh + - key: VE5mZtP + operator: ~x蹵#ÂvǗRɩ啭Ö澭肞¤7跜庛Ɍ + values: + - yT + - key: 1Cony + operator: 阃 + values: + - ahj6j + - matchExpressions: + - key: TvhlZutK + operator: 5叹ùz + values: + - rog + - key: qLPNTFw8 + operator: 藘鸘Œé溇ʄsoɷƱǺȾ蹾K混īl軇 + - key: F + operator: 則Yǹ郰饉貓伜ſ0|麊 az襽准 + matchFields: + - key: VcfFwmb + operator: WJMU狰槃žiǶq挿} + values: + - b7G + - "" + - wzxeij27DD + - key: "" + operator: 殀ǥ + values: + - "9" + - 0E3EkrfSX + - vzth + - key: omoz + operator: e´Ģ桇适TŽǤʈ + values: + - TVj0W7 + - 7HjUt2w + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: nN1614M7 + operator: '鰺/堅ý髉铊ɇƴ2友凇3 ' + values: + - D0tt + - sG9E + matchLabelKeys: + - l + mismatchLabelKeys: + - vqTKCL2D + namespaceSelector: + matchLabels: + LIgB: qqC9YL + namespaces: + - BLdVDzfY + - eq + - qB + topologyKey: qwces + weight: 899210618 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: hIz8wo + operator: ĥ\{ė + values: + - ZwYh1 + - 4l9U + - Q5Io + - key: sd3eCUDob + operator: 蒴ǚ<灁Q柷娸颂嘃üĸƢı + values: + - U0 + - "" + - WXJjoBRKrfEY + matchLabels: + QSrEl7t0: hxsiSGCubb + mismatchLabelKeys: + - PiUy + - VhBWFCyx6C + namespaceSelector: + matchLabels: + G: 07tU6 + ZCO1QQK: b + uq: HISLIo9ZC + topologyKey: 87eQuI + weight: 1750437304 + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: nK0RSDE + operator: R(陛m诜ȯơȴ豨躻 + matchLabels: + CE9: u8FukDT + U5N: "y" + matchLabelKeys: + - 5I6wiiY + - JDZsP + - zGyW + mismatchLabelKeys: + - 4WZHZ + namespaceSelector: + matchExpressions: + - key: N9E9 + operator: ȅ)礯占鷨ʫɩfǡnʎə掅Ux曶HŁ遐 + values: + - JdC + - 3NS25HFHxU + - key: "" + operator: ı獗& + - key: q + operator: 髢£Ȋ泽ZwVfc剻Ţ嬊j + topologyKey: "" + - labelSelector: + matchExpressions: + - key: Tof0 + operator: ĥM:ɑȏF叆綯炩藁û漄f + values: + - jTpj + - gYZ8IIq + - key: avL + operator: ɼƌ壟.敾¦ + matchLabels: + P1w: Nb9t3e + matchLabelKeys: + - TkIx94Dmu + - 8KVE + - UEJW + namespaceSelector: + matchExpressions: + - key: gQOOR5Pz + operator: Ȁ蛝畆粔辧殤,ǔžɨʜ + values: + - MiGt + topologyKey: nn1x + - labelSelector: + matchExpressions: + - key: C + operator: 瘎%瑧¹$兤 + values: + - p5TR + matchLabels: + c9PNRTZ: L + matchLabelKeys: + - 9xrNO + - saFgUzTD530EV + namespaceSelector: + matchExpressions: + - key: "" + operator: 琨j貙ŰĤ煾骣ƢƐ肾Q`ĥ?舶 + values: + - "7" + - T4pSI + - key: u0lbHcT + operator: čÉ壶霻*ǻ蠦Źê潡%!Ȱʁr.ň沀痊 + values: + - voUu0X + namespaces: + - tX + - uDgtoDt + topologyKey: "1" + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: RTz9f + value: kK5WtZCFpsl + valueFrom: + configMapKeyRef: + key: CB1UV + name: 0pF + optional: false + fieldRef: + apiVersion: xO4s + fieldPath: n2G + resourceFieldRef: + containerName: GmnwMQ + divisor: "0" + resource: yX30Dke4u + secretKeyRef: + key: vPbHh + name: oBAn1EoZmPzN + optional: true + - name: LICENSE + valueFrom: + secretKeyRef: + key: 9y6KmPZ + name: QM + envFrom: + - configMapRef: + name: lo + optional: false + prefix: mSdySXyKqEkl + secretRef: + name: t4daT3 + optional: true + - configMapRef: + name: IFTvBGq + optional: false + prefix: qKk6o + secretRef: + name: "4" + optional: true + image: JWsGq/JAUpWzFL:3WF1aV + imagePullPolicy: 躂Qʢ瞶CǁȮ + livenessProbe: + failureThreshold: 604102540 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 93396392 + periodSeconds: 1323534907 + successThreshold: 2044410955 + timeoutSeconds: -725304614 + name: console + ports: + - containerPort: 59 + name: http + protocol: TCP + readinessProbe: + failureThreshold: -1216486926 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -1636119248 + periodSeconds: -1587206371 + successThreshold: 1085720843 + timeoutSeconds: 1603673472 + resources: + limits: + HS: "0" + sspp8OAsyF: "0" + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - ɇǎȬ+丰DZ}薞ɎƐ + privileged: false + procMount: Ȧ杖煃a/ɓ<3ő+笽pȗdzSj + readOnlyRootFilesystem: true + runAsGroup: 8336843233603803000 + runAsNonRoot: true + runAsUser: 956863148985923500 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: WfYQ + name: v1bEam0d + subPath: "" + - mountPath: hpZaUwi + name: 2keqwtlu + subPath: "" + - mountPath: bCeiaipj + name: RAI0g6yvn + subPath: "" + - mountPath: gRGvu + mountPropagation: Ŋ4ǔ盍薟惮睌ȿ濍ȯȀüƳ$ + name: oJv65V + readOnly: true + subPath: P20XHtoR + subPathExpr: SzD + - mountPath: xhuwGvn + mountPropagation: 搛悈nj鰣*颵俠Ʀ慫灗岵ȆǴ騔Ė栢č)q + name: ebDa1q2nKt + readOnly: true + subPath: "6" + subPathExpr: N0xOT + - mountPath: xHTM + mountPropagation: 0關ɮUeŪ + name: P8noEsWy3t + subPath: y5E + subPathExpr: oP2A6C + - args: + - 3OUsoZkVHy + - Gn3 + command: + - NLtY + env: + - name: 51Xcm68sAs + value: PUTq + valueFrom: + configMapKeyRef: + key: udLx6h9 + name: wSgnPbc + optional: false + fieldRef: + apiVersion: oVPbc + fieldPath: CGK + resourceFieldRef: + containerName: Ind7j + divisor: "0" + resource: 9tlZc + secretKeyRef: + key: z2i + name: aloI0W + optional: true + - name: nGb + value: I91 + valueFrom: + configMapKeyRef: + key: Ft8IZO4DX + name: 7PY9CO1 + optional: false + fieldRef: + apiVersion: DysSUO + fieldPath: M + resourceFieldRef: + containerName: i + divisor: "0" + resource: mbVAnrQ + secretKeyRef: + key: ZVD + name: 4gLX + optional: true + - name: SEd7KC2 + value: I0 + valueFrom: + configMapKeyRef: + key: 71k + name: B + optional: true + fieldRef: + apiVersion: vJE + fieldPath: nvSzEcQ + resourceFieldRef: + divisor: "0" + resource: fYaXGkFYlrz + secretKeyRef: + key: xDT4Uhi + name: a + optional: false + image: NLoqH + imagePullPolicy: U肵銨龋搁}ŗ=;ī篱ɺ頁掆薑 + lifecycle: + postStart: + exec: + command: + - NAmBp8Ijy9vgKS + httpGet: + path: GukCZ + port: umdXEe + scheme: ɭL莒ƠĦZ¢.0tȠȴF梩¯牏GȐ + sleep: + seconds: 2463489515348869600 + preStop: + exec: + command: + - RAP7lxh + - 0WRf37xLvaEE + httpGet: + host: Xi + port: 395093084 + scheme: '}Ä*諓懚泾ıɥ磀>ȃÓ愍瘞5' + sleep: + seconds: -2989387296528249000 + livenessProbe: + exec: + command: + - AondI + - CvX + - X9Dwm + failureThreshold: -1669443788 + grpc: + port: 1602861347 + service: 5dF71q + httpGet: + host: yOYLS + path: m99M + port: 1421693426 + scheme: cǶ嫙x勬´筮 + initialDelaySeconds: -348887387 + periodSeconds: -855526929 + successThreshold: -1868658835 + terminationGracePeriodSeconds: 7220662525875544000 + timeoutSeconds: -893266456 + name: 62y7 + ports: + - containerPort: 41082986 + hostIP: H + hostPort: -671022955 + name: Q + protocol: Ģ + - containerPort: -676585553 + hostIP: jdTqIIXMX + hostPort: 441858691 + name: bam + protocol: ã鯑 + readinessProbe: + exec: {} + failureThreshold: -1607827734 + grpc: + port: -732628448 + service: d + httpGet: + host: q2uSglvPX + path: 5YB9kNfy37 + port: -425352890 + scheme: ZʇįʔÌ玫Ʊ儝$緀ƥǣ鮀 + initialDelaySeconds: 1646541382 + periodSeconds: 597275764 + successThreshold: 1444783765 + terminationGracePeriodSeconds: -4224719974242331600 + timeoutSeconds: 1778484407 + resizePolicy: + - resourceName: YWwAdc + restartPolicy: 蓊ƽqs洊蛀Ƴ澠誉 + resources: + limits: + 9c5: "0" + DJI: "0" + uyw: "0" + requests: + 7livK1: "0" + PWZFD5fFpVA: "0" + restartPolicy: ǐ踊丸y苡汎0塛yM眗酊L攚dzyÚmG + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - țƒ摨1娣Q札遢ʌā4魯 + drop: + - W~ + - ȮnLv|麬O稕Ʉ幖0Ţ&揵¸ + - àPĪɉɯ鋹芨ȲƿƛĞx + privileged: false + procMount: ɉq$|ŀ蘨寱彣ɎȈORe]O掓I + readOnlyRootFilesystem: false + runAsGroup: -2438856757446633000 + runAsNonRoot: false + runAsUser: -8511671649189409000 + startupProbe: + exec: + command: + - "" + failureThreshold: 157629836 + grpc: + port: -20533111 + service: vASy4b + httpGet: + host: 94HpH + path: t70 + port: W59mpID + scheme: ħ6琏 + initialDelaySeconds: -146258274 + periodSeconds: 47385732 + successThreshold: -1646222325 + terminationGracePeriodSeconds: -5575789846018255000 + timeoutSeconds: -351943504 + terminationMessagePath: r0ZY2 + terminationMessagePolicy: 傂G嶃a橢抴=Ȃĺ庆ɏ鬹揖絴鹥ɣ¸Ȫs + tty: true + workingDir: XFFilzd + - command: + - VSuU6yfyc8y + - gLgP + env: + - name: PSOr4 + value: m2ujo1f4 + valueFrom: + configMapKeyRef: + key: B9Gc + name: BaR3c + optional: true + fieldRef: + apiVersion: OFu + fieldPath: Pydi + resourceFieldRef: + containerName: jPiF + divisor: "0" + resource: jyp8A7uPD + secretKeyRef: + key: fcGCM + name: Hs + optional: false + - name: Ax9HfRa4p + value: S3R2 + valueFrom: + configMapKeyRef: + key: ZDzzhFD + name: soDgOej + optional: false + fieldRef: + apiVersion: iSfQ + fieldPath: Plzxy53z + resourceFieldRef: + containerName: DfBt3S + divisor: "0" + resource: 757s44h + secretKeyRef: + key: bn2IGjj + name: x8E + optional: false + - name: r + value: PmO + valueFrom: + configMapKeyRef: + key: Htzib1 + name: gfbsiTcDY + optional: true + fieldRef: + apiVersion: Frhab7p2yh + fieldPath: K6XKg + resourceFieldRef: + containerName: CLX + divisor: "0" + resource: cq + secretKeyRef: + key: R + name: zPHkUHXQ + optional: false + image: bSZCow + lifecycle: + postStart: + exec: + command: + - "y" + httpGet: + host: 2cDO + path: L5m + port: yhJI + sleep: + seconds: 6222265361848815000 + preStop: + exec: + command: + - yVT + httpGet: + host: Ibt0C5XF + path: Kf7kW1 + port: Tlj66QW + scheme: 砰僮 + sleep: + seconds: 4926532563180302000 + livenessProbe: + exec: {} + failureThreshold: 982752870 + grpc: + port: -257993986 + service: XKTDj + httpGet: + host: 7vfaAybCd + path: GuTTi + port: 1952486193 + scheme: 馾耼qȩ罔磙ɮƥŴ²叇yēņȮ藺 + initialDelaySeconds: -817095459 + periodSeconds: 603211453 + successThreshold: -1693358568 + terminationGracePeriodSeconds: 3002071779676479000 + timeoutSeconds: 992801771 + name: 9QZX + ports: + - containerPort: -1838828544 + hostIP: cQQMftB + hostPort: -321659395 + name: XBD7a + protocol: '>V>ŝO随;YƁ' + - containerPort: -439290918 + hostIP: Bp0lf + hostPort: 431013681 + name: WQ5qc + protocol: 髄Ĝ估螗ȳ鎷ʫh + readinessProbe: + exec: + command: + - PjwAB3G + - k + failureThreshold: -2015478850 + grpc: + port: 156976837 + service: RSgDfH + httpGet: + host: Yi7aQ + path: 8Ql9 + port: 1150587533 + scheme: C箿i綔ȍȢ ŅŴ娒燸孆5乬瓤Ɛ + initialDelaySeconds: -486757233 + periodSeconds: -994300453 + successThreshold: 2128356439 + terminationGracePeriodSeconds: 4683705418302065000 + timeoutSeconds: 1635565784 + resizePolicy: + - resourceName: deutsepb + restartPolicy: õ崑o¾oɞø°ŮƑ欩Ʋ + - resourceName: WaO + restartPolicy: ±蜊ư蕭材y昍U + resources: + limits: + XiOokB: "0" + gxJ8zn4y: "0" + requests: + "": "0" + RFaH: "0" + restartPolicy: 7岻ðȸɉo熮燍ȉ=n + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 迠譚綞撪颫,ʖʃ佞诌Ŧ丞śɧ璯PʥT + privileged: false + procMount: 荞£DS + readOnlyRootFilesystem: true + runAsGroup: 6728166770219184000 + runAsNonRoot: true + runAsUser: 2918288689668335000 + startupProbe: + exec: + command: + - o + failureThreshold: -949081542 + grpc: + port: 220928812 + service: EIuHGNT4 + httpGet: + host: 21BmFcJ50ov + path: WC7WP + port: njQtxPF + scheme: 鲰ʌȱ卹烛橇淃ō雀)缅tb憅棔JǓ*ɒ + initialDelaySeconds: 1631334347 + periodSeconds: -785602818 + successThreshold: -1111896125 + terminationGracePeriodSeconds: -8014749222013301000 + timeoutSeconds: 795835881 + stdinOnce: true + terminationMessagePath: m08AZSt + terminationMessagePolicy: 盛P1砦ǚ瀱#Ʌ穇嘜\Ɍ + volumeDevices: + - devicePath: NdQPZme + name: uHcdGnKv + volumeMounts: + - mountPath: IX + mountPropagation: diȔiN6ļɃƐ釭卬O + name: fPg + subPath: iY + subPathExpr: U + - mountPath: E + mountPropagation: 1ĵ氓ŝ瘛o扬=[蟗 + name: xt + readOnly: true + subPath: 2KRhR + subPathExpr: Vm0HMwn + workingDir: jusEo + - args: + - Ejt + - DYgNM8X + env: + - name: HkwQ + value: fpHbv + valueFrom: + configMapKeyRef: + key: 3e + name: Q + optional: true + fieldRef: + apiVersion: lh + fieldPath: "" + resourceFieldRef: + containerName: E1uEhn3 + divisor: "0" + resource: 0Pa + secretKeyRef: + key: co85cv7H + name: KL1I3G + optional: false + - name: 5MQMJhqUni + value: 34PEKwUkR + valueFrom: + configMapKeyRef: + key: ABhM + name: qq5b + optional: false + fieldRef: + apiVersion: vCLN + fieldPath: tge3Z + resourceFieldRef: + containerName: ST + divisor: "0" + resource: qFS8 + secretKeyRef: + key: Am + name: BLI353a5GI + optional: false + envFrom: + - configMapRef: + name: KBum1 + optional: false + prefix: 56g + secretRef: + name: zt5 + optional: true + image: XgUFG + imagePullPolicy: 锄ģnj[眈例ƚ淍ƁĐ~ + lifecycle: + postStart: + exec: {} + httpGet: + host: Yp7F87b + path: "y" + port: OtElY + scheme: ǐʮŕ + sleep: + seconds: 640752187186511100 + preStop: + exec: + command: + - 4GYkI2pQ + - QB + httpGet: + host: DFjlmWGAFM + path: qLfFaRePdtA + port: GTUH4 + scheme: 罛&ĥ顱Ƌ + sleep: + seconds: -1289822532228205800 + livenessProbe: + exec: + command: + - youyR + - J + - IiK3AJ + failureThreshold: 527043957 + grpc: + port: -1790391516 + service: wFKNeu + httpGet: + host: TjItsuCL + path: Lo07CoiEpmJ + port: 1449812891 + scheme: 聗œdz_x忔8 + initialDelaySeconds: -923296146 + periodSeconds: -920279093 + successThreshold: 1372003156 + terminationGracePeriodSeconds: 4545671926845562400 + timeoutSeconds: -1730135112 + name: ouxZOTiA7 + ports: + - containerPort: 365499724 + hostIP: c3z3 + hostPort: -1622732613 + name: jfpQ + protocol: 鬍匤<ɔɟǜ鼴`ʃ荞ɗ线亮Ô¼ + - containerPort: 387750436 + hostIP: 7OF + hostPort: -922470687 + name: 20ZoNWnefc + - containerPort: -1003650010 + hostIP: yK31 + hostPort: -479225666 + name: 1Up + protocol: 郣-齡^c艃7ɑU牌驀墭:煞 + readinessProbe: + exec: {} + failureThreshold: -189409295 + grpc: + port: -880806937 + service: N1zEO + httpGet: + host: vN9 + path: n8TKqPF + port: -995680865 + initialDelaySeconds: -2090855365 + periodSeconds: 1849358636 + successThreshold: 811072097 + terminationGracePeriodSeconds: -5833095732594203000 + timeoutSeconds: -65186305 + resizePolicy: + - resourceName: 9rUpDkTFnW + restartPolicy: KSʮ1ĩ`乀_Ɠ颩紵 慒¨ƶ挢¸s诡 + resources: + limits: + MYEa: "0" + ngW: "0" + requests: + 174vfq: "0" + restartPolicy: 軵ƿǽ嚢遳E + securityContext: + allowPrivilegeEscalation: true + capabilities: {} + privileged: true + procMount: Ő\烔Z座畄睸zɩCɎx簫S悍a + readOnlyRootFilesystem: false + runAsGroup: -6410700953715651000 + runAsNonRoot: true + runAsUser: -8187102783441072000 + startupProbe: + exec: {} + failureThreshold: 1640672315 + grpc: + port: -799307372 + service: w9KE22PLk + httpGet: + host: e6Zo4rWs + path: tscGwI + port: 2071839677 + scheme: '&ǂȞ<辳)9撆ʚ6&U}P%捸`y' + initialDelaySeconds: 652003075 + periodSeconds: 1077051101 + successThreshold: 1528128815 + terminationGracePeriodSeconds: -2176015428967645200 + timeoutSeconds: -998563216 + stdinOnce: true + terminationMessagePath: P + terminationMessagePolicy: 8痃v7ȱ噣愜Å%Ġ3 + volumeDevices: + - devicePath: k8uvc + name: GL + - devicePath: 31O9l + name: ivY + workingDir: PtgSFsc1GvC + imagePullSecrets: + - name: s1B + - name: R54rm + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + TDma3: eGasO + cs6G: CyEFp0L + r: xdylcKb + priorityClassName: uHKqx + securityContext: + fsGroup: -4412504815274792000 + fsGroupChangePolicy: Ȯƭhjb糯妔ȂǑʜ胴}轣 + runAsGroup: 3860793197532220000 + runAsNonRoot: true + runAsUser: -1963293898483195400 + supplementalGroups: + - 2429921255984048000 + - -2773566751575633000 + - 5629450590441919000 + sysctls: + - name: h + value: zKVw + - name: D5ekUqS2 + value: 5FxU + - name: dgHyyau + value: o + serviceAccountName: S9Bk + tolerations: + - effect: 酼駘宁ì<^ʉ逐GM¼韹宅劑圦ȢN鵸; + key: LjdOPUZjJ + operator: 窃銥ɺ嘭t緯ȇw,[t捻S麨vɂ閰 + tolerationSeconds: 1714321621775966700 + value: Uvm9nY3 + topologySpreadConstraints: + - labelSelector: + matchExpressions: + - key: AUro1 + operator: 聘 + values: + - x5E03owNK1 + - 61u06hoBRErcl + matchLabels: + HMA: 7iZSaiF + jCP15v: ksLC1iD + matchLabelKeys: + - cp + - CZpJKgP + maxSkew: 644443933 + minDomains: 1722624609 + nodeAffinityPolicy: ú(ʆɴȾ狍lfĒHȉ嫔7ix壿 + nodeTaintsPolicy: 遡lşř门Ǣl + topologyKey: qP + whenUnsatisfiable: "" + - labelSelector: + matchExpressions: + - key: i8xDfgO + operator: ʖĝ#烕ɋřĊI + values: + - bOA4n + - ByUsK + - key: 6fCdAFtmFF + operator: 靕ƭ錒Ĕ + values: + - JIMC2Pc + - a7wA08 + - key: xMn + operator: "" + values: + - gSa5XT + - 50IS6 + - "8" + matchLabels: + DoGCwvltR: vVXQcZcxdz + JLmhsQlh: L3AY0Pv + X9: U + maxSkew: -2038040013 + minDomains: -1884001920 + nodeAffinityPolicy: 嵋磋ɹ:ɢ慚TA烁.X幰 + nodeTaintsPolicy: 奒)ʅm=矕郔o鬻鴊ȵɯt债CŔ儤 + topologyKey: qkx4gKx7 + whenUnsatisfiable: 匊aO卞肝喚覕Ȭnr說ɉƢ/Æȧ婡賛 + volumes: + - configMap: + name: foGC + name: configs + - name: v1bEam0d + secret: + defaultMode: 64 + secretName: FOCtz7x + - name: 2keqwtlu + secret: + defaultMode: 494 + secretName: 1dug + - name: RAI0g6yvn + secret: + defaultMode: 354 + secretName: "2" + - name: MqQb15NA +-- testdata/case-034.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + 0fz: qRhpB + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: zE + app.kubernetes.io/version: v2.7.0 + blGSa: Hnim0SflkfpF + helm.sh/chart: console-0.7.29 + name: QxrM + namespace: default +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - zktoFv: null + - BnTf: null + N30: null + O: null + - "5": null + up6oELWDxO: null + roles.yaml: |- + roles: + - 3vFSt6CV6h: null + - zwoEunAfS: null + - "": null + Kz: null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + 0fz: qRhpB + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: zE + app.kubernetes.io/version: v2.7.0 + blGSa: Hnim0SflkfpF + helm.sh/chart: console-0.7.29 + name: l +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + W8Ix4: 4kOonr2 + g93: wNXcKSBg + creationTimestamp: null + labels: + 0fz: qRhpB + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: zE + app.kubernetes.io/version: v2.7.0 + blGSa: Hnim0SflkfpF + helm.sh/chart: console-0.7.29 + name: l + namespace: default +spec: + ports: + - name: http + port: 421 + protocol: TCP + targetPort: 214 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: zE + type: d2QGeqxiX +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "l-test-connection" + namespace: "default" + labels: + 0fz: qRhpB + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: zE + app.kubernetes.io/version: v2.7.0 + blGSa: Hnim0SflkfpF + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: AGiMf + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['l:421'] + restartPolicy: Never + priorityClassName: ER4 +-- testdata/case-035.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: + 7lpi: QQ + RK: "" + od3x: "3" + creationTimestamp: null + labels: + 5NU: UG7t + 6NmZI: QxuTdplvdDdc + BYcISWrd5: YZbXA + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: HMyYp + namespace: default +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + roles.yaml: |- + roles: + - CSJ: null + - 0hM2tbS5: null + ZhG3M: null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + 5NU: UG7t + 6NmZI: QxuTdplvdDdc + BYcISWrd5: YZbXA + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: Bv0I +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + C3p: uCspVMX + creationTimestamp: null + labels: + 5NU: UG7t + 6NmZI: QxuTdplvdDdc + BYcISWrd5: YZbXA + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: Bv0I + namespace: default +spec: + ports: + - name: http + port: 51 + protocol: TCP + targetPort: 456 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ZQQlqx7Np +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + 5NU: UG7t + 6NmZI: QxuTdplvdDdc + BYcISWrd5: YZbXA + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: Bv0I + namespace: default +spec: + replicas: 464 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: + rollingUpdate: {} + type: Ʉ>朄崍ʡƥɼ戋\IJĹ + template: + metadata: + annotations: + checksum/config: 6556f5b75614fc7b5556cf3e548fa463f543604a0e97446ccd74584bf794de97 + creationTimestamp: null + labels: + Klzm: we + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + e: C2swj + s: vw1lrq + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: Zjc3H + operator: ~IJʚ伥ʜ1鷦鄪脳= + - key: AI40kXKS + operator: Tr^ǘõ8ù<鹶ĉ崱 + values: + - fCyDs + - nJRkjROTjd + matchFields: + - key: yFbZ + operator: Ĉ8%Sp + - key: AUDzh + operator: 礉 + values: + - agJ0f + - MD + - key: hREcH + operator: Ǻŀɏʉ紸戳禰ȸ酲 + values: + - JUaNJ + - CXFmegvU + weight: 1536882470 + - preference: + matchExpressions: + - key: pXW + operator: '@ļ矏鮯ɭ碊Gɽt蜮閻ƃǖ#ũ' + values: + - I8SZLF + - key: Rz + operator: '''p麛ȧ' + - key: mvD0aV1 + operator: 狴ȸ溂辷0Ġ + values: + - JpJWDh + matchFields: + - key: OB4 + operator: "" + values: + - tnWLH4yB + - "" + weight: 410194565 + - preference: + matchFields: + - key: 2C + operator: 屮少Ļɶ賊滺W + values: + - 28ZwpH + - ybv8 + - 8qy7 + - key: bs + operator: ŝ鮱芬Ǧ脸ƍ蠎Ā + weight: -1129044572 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: ayaEl + operator: Ɗ琫 + values: + - WGZPb + - EzYpfj + - key: Isb + operator: '@£驍' + matchLabelKeys: + - 2NNt + - NCBB22ja0 + - retU + mismatchLabelKeys: + - x3 + namespaceSelector: + matchExpressions: + - key: iQ + operator: u倲鹩?úʈ腄跛[¤O + values: + - 5y4bG + topologyKey: STnAVX + weight: -1894745290 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: R + operator: xʣcǦ:槠ʒ鄊喁蠨 + values: + - P + - 348OOM + - "0" + - key: hpIVL + operator: 鷭ʚ櫹hȅɩ&嘨Ād旌³ƑǫʄcǶ + matchLabels: + h6hNi: II1Z29P + t: 8wxT + matchLabelKeys: + - P + - axCJXjr + - ICeVp + mismatchLabelKeys: + - ljKwc + - mr6kl5v + - e + namespaceSelector: + matchExpressions: + - key: C + operator: =ĥĕ壚_隈]Ȑ釀侹ʩʎ痿c揜 + values: + - K1K + - c8fwp + - 8vQ4EPywlatl + - key: 28EpNe + operator: 鼓頳'ʛ1挂ō緕当gToʇ接遫 + - key: "" + operator: ƝZĂ 寑=愝奚Ĩw桟t摧pŸ + values: + - BuqtJnV + - 0hpJEbg + matchLabels: + 4lNwC: NEzAktH + h3ErklId8G: qClR4lO9e + namespaces: + - AYtMy3oUrS + - aX5P8O + topologyKey: 6D + weight: -1152164451 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: F6jo11z + operator: 亊路+M + values: + - h + - mmuiW + - GIV7E3H + - key: C + operator: v2佉鱉v辑ɞȠXɎʫǸú81Ɵ + values: + - QL + - MPxVd + - dqj9PPnthc + - key: 6JaPa + operator: 8dž貒ɑzןlȍH琧3ɞ + values: + - 1vJUmwXUq + matchLabels: + CIFj: YwH + Y2kn8RCwh: 90KzxhieelQ + y05g7PKLJ: 75bPN + matchLabelKeys: + - bYiD + mismatchLabelKeys: + - IiTYx5K5t + namespaceSelector: {} + namespaces: + - rZw0zlprDr + topologyKey: sxEn3K + weight: -1384321177 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: VgaK0hEji + operator: Ĺ礇紈銠噐ɴ諠2稇Ɠ鸈ý藁 + - key: S + operator: 鋸ɢǎ"膤ƭU軖tg埞鴤駩蹡 + - key: 9CwIty + operator: '`\糖ť8弤娹)覇gƲ妒墲9n' + values: + - 3j6O7C1tYz8 + matchLabels: + 0gEuFD: 74yF5 + matchLabelKeys: + - C + - IaGS + mismatchLabelKeys: + - W1 + - x + namespaceSelector: + matchExpressions: + - key: WXQ4P + operator: eĈ峧ʔƟ±ps缆D戭ǟ + values: + - "" + - EyV7u6ShG55 + topologyKey: DHgv6 + - labelSelector: + matchExpressions: + - key: RrGr5 + operator: 苭 + values: + - s + - Uk9D + - qTA4 + matchLabels: + yvalC: zQDHWOCId + matchLabelKeys: + - j1mN0G + mismatchLabelKeys: + - VdCZU8 + namespaceSelector: + matchExpressions: + - key: YzPO7z + operator: Lȇ杦娀 + values: + - 4UCJLskm4 + - VY + - key: arPd + operator: 燔佰馛{I諵Gƣ_*e + matchLabels: + g3PzQTKu: EtFrI + namespaces: + - ZXe + - ik9z + topologyKey: Os0u + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: DTU + operator: 鷚OíDzRě¤觹J闬#6U脥狍 + values: + - "" + - A5o + - gC + matchLabels: + Dm: WpOLJ + matchLabelKeys: + - z + mismatchLabelKeys: + - ICMl + namespaceSelector: + matchLabels: + XY9q9YY6uD: CiedBn + namespaces: + - vZ6M + topologyKey: OpLnLGsE + weight: 538966601 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: kEha + operator: Ę沌`f帞qA'躚S郻Ɏ珍韄 + values: + - etjdRyp + - zavjaM + - OYvYj + matchLabels: + KVwZfB: KEPzsU59 + RkZ: 0VcRQYQ + YpbOAE: DLjKEd + mismatchLabelKeys: + - djF + - SUMMj + - TGSC2G8I1Up + namespaceSelector: + matchExpressions: + - key: menWm + operator: k÷餌Ō + values: + - x9N + - mtsmYut + - key: szQb + operator: °« + values: + - hkxKeWqC + - key: YJUom + operator: ź²%FÔ縥:嗚K + values: + - NiQwKD + matchLabels: + 4AI5GYaY: ALH1BY + Bu43TOQ: WD + H: iujH1 + namespaces: + - Lc1PZ + - Z7LIE + - s4c0o + topologyKey: P7xmm2 + weight: 1130067767 + - podAffinityTerm: + labelSelector: {} + matchLabelKeys: + - yJiUSi + mismatchLabelKeys: + - 3ulP + - "66" + - "4" + namespaceSelector: + matchExpressions: + - key: eK + operator: 钕Ŧ + values: + - yRj + - Ukm + - "" + - key: "" + operator: 锧BȾLF譨Ɣ? + values: + - MtLk2 + - mUrlwRAdRoNX + - key: rlSqK0xlaaI + operator: 'Ɏƶʗ疇ȵMÇŕ翸鑉d劯kʦĺʄ4 ' + matchLabels: + FGHX9SlJz: MRMXuk + topologyKey: 4morNsk6TdYi + weight: -971499940 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: zosngP + operator: ʒ蠜¡ȂŧIH闦º弓鳾蠖Ą批9}_ + matchLabels: + "": wEhn + P1O8tGwJ: ZC + matchLabelKeys: + - IN0 + namespaceSelector: + matchLabels: + wMID0: aOr1UxM + topologyKey: krnVB + - labelSelector: + matchExpressions: + - key: mE + operator: 虵xǯ6熋湧ƳʝŅU节擎隆X鏯 + values: + - k + - bcx + - ks + matchLabels: + nYs: Hv5tuwQ + zAVu: G1PF + matchLabelKeys: + - u + - Gi6tJR + - "60" + namespaceSelector: + matchExpressions: + - key: bqRj + operator: ĭ啞&/sFş(墠O1Ÿ( + values: + - fe2dTLTbB + - QLUYqgc + - XBuCBfk27 + - key: exMkm + operator: m輚ɮ凪哇褚 + values: + - EQROy + - XQDPF7uw + - key: MwOO + operator: 鹗u仏兤o*>蒟顨ƽėȰ + values: + - TGv + - VVtqHApm + - 7Mub + matchLabels: + PI: elzxW + Wd1Q: MYEPScu1su + i: uENdc + topologyKey: QlwUBoDWM + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: 14jKCyMC + value: Mb95Ivlchi + valueFrom: + configMapKeyRef: + key: FMRh9 + name: VwME2dRYnb + optional: true + fieldRef: + apiVersion: NlY1uxRPgql + fieldPath: NDrKU5 + resourceFieldRef: + containerName: gPQ1TD3MX + divisor: "0" + resource: r6HOpjj + secretKeyRef: + key: "n" + name: RQLa2rQL7Y + optional: false + - name: LICENSE + valueFrom: + secretKeyRef: + key: xLO4B2BCZUJ + name: BQR2Y + envFrom: [] + image: XB9ke7yB/EwU0pzhz:SmZAnO7 + imagePullPolicy: 垿儣Ƈ#WMƻ + livenessProbe: + failureThreshold: 724782955 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1633166106 + periodSeconds: 2105675880 + successThreshold: 225361138 + timeoutSeconds: -1665363921 + name: console + ports: + - containerPort: 456 + name: http + protocol: TCP + readinessProbe: + failureThreshold: -1128918125 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -116128728 + periodSeconds: -1936485392 + successThreshold: -1735161598 + timeoutSeconds: -1293939870 + resources: + limits: + 0PRJ1bi: "0" + JUjtrq: "0" + WN9h: "0" + requests: + TCeGWCB: "0" + x5O0IxuN: "0" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - '@晏駚T!UɎȉépg鎘Ȉ' + drop: + - ÚơĊ猴渋ĭ8膔櫔ż択ůĦ抹 + privileged: true + procMount: 偖躪 + readOnlyRootFilesystem: false + runAsGroup: -543916493751029760 + runAsNonRoot: false + runAsUser: 7772713475568768000 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: pqfdKzb + mountPropagation: "" + name: 6btv + subPath: xLjoA + subPathExpr: UseM + - mountPath: EYXxm + mountPropagation: 煊`ś蠶+蓲慅4曌Ƥ4臜.魼簌m缽荈巇 + name: 6ut6g + subPath: 7N + subPathExpr: ypY + - command: + - DlBCuc8xa + - X2hi8Mp + image: 00GQ5 + imagePullPolicy: 賎ʂG}Ƌ煚6ūaĠ腻f + lifecycle: + postStart: + exec: + command: + - mVlE + - cFmlozRTJ + - "" + httpGet: + host: RIzcOYFo + path: eZge9wzJjW + port: ugY08 + scheme: 讣Ɨƶ"ɇǘƓƮ + sleep: + seconds: -5362042555365295000 + preStop: + exec: + command: + - "" + httpGet: + host: hLxRfJhv + path: JA8kOIY + port: tpH1 + scheme: '''k:嘡葊佒ďȏǓɡ毫/视倴ĩ}Ɓ u' + sleep: + seconds: -915316715834475000 + livenessProbe: + exec: {} + failureThreshold: 1628387875 + grpc: + port: -119747124 + service: 3cnWKI + httpGet: + host: 6Wzb9 + path: Af + port: RAzYX + scheme: 嘾Q經f + initialDelaySeconds: 4951530 + periodSeconds: 1309655668 + successThreshold: 918641827 + terminationGracePeriodSeconds: -3073080783253286400 + timeoutSeconds: -1896420637 + name: yML27O + ports: + - containerPort: 509868797 + hostIP: XMFIjyy7MNejY + hostPort: 2083818454 + name: gd + protocol: 槏 R¨ƽT³簑ƤA$<猿.0d + - containerPort: -164866787 + hostIP: eh + hostPort: 1842390272 + name: H7 + protocol: y擫`/洄]ʢÓ7Ā紐ǟ塋 + readinessProbe: + exec: + command: + - 5MrELPMn + - 23x1a + failureThreshold: 1394382122 + grpc: + port: -96138878 + service: DBq + httpGet: + host: 60SrHkgc + path: OwZeja1P + port: 721461548 + scheme: ' `$ħ' + initialDelaySeconds: -2125734502 + periodSeconds: 66441733 + successThreshold: 130216629 + terminationGracePeriodSeconds: -7113768241875088000 + timeoutSeconds: -977567736 + resizePolicy: + - resourceName: 8VNf4C + restartPolicy: Ě} + resources: + limits: + 2TX: "0" + Yd3: "0" + avcFFX: "0" + restartPolicy: Ę<彪6 + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - ūW銹fn|óOB¶őǝ:ɛ暙- 嫴 + - 韣噺Ȑ主鋥Ɣ睩熾@Ĥvƈ + - 気ʎɭ愢勈īɔ垆ŀ槌,q儇p顼ǯ歳 + drop: + - EģIJ>筡|n譌ɶd2鍇$X/ȴ偎穾7 + - "赻探ǞiN胂a + name: 79CeZyd + subPath: xMQ + subPathExpr: NvU + - mountPath: smgfnmvP + mountPropagation: ʈ + name: CuKUC + subPath: hZ8KJ3 + subPathExpr: CK4WsX + - mountPath: zm + mountPropagation: 傩骟Ⱥ|尤fŇɓ呣ɘĩŽ + name: wRtUU + readOnly: true + subPath: T1 + subPathExpr: cidBhX8I + workingDir: M0jsi8 + - args: + - rQ7QBmZ4 + - Q32wY3lGUA + - VGeP + command: + - "6" + - 5vVr2Q + - 4YDd + env: + - name: DY1 + value: sge + valueFrom: + configMapKeyRef: + key: O8RUTpJ + name: SCF5ph + optional: true + fieldRef: + apiVersion: NY0hb + fieldPath: ViZ0f + resourceFieldRef: + containerName: "Y" + divisor: "0" + resource: sCX + secretKeyRef: + key: Ma + name: 6s6lc5 + optional: false + - name: m19lk2eiDtcdB7 + value: 0JaB + valueFrom: + configMapKeyRef: + key: VolU + name: jnFjMLIQ19 + optional: true + fieldRef: + apiVersion: "6" + fieldPath: N0wIEnFmQ + resourceFieldRef: + containerName: QwDG86d + divisor: "0" + resource: pda + secretKeyRef: + key: Uc7x1XF + name: efgc + optional: true + - name: 8A + value: 1kUmljHSb + valueFrom: + configMapKeyRef: + key: "" + name: z18yxT + optional: true + fieldRef: + apiVersion: 1qaE + fieldPath: vEzPx + resourceFieldRef: + containerName: GYhSz + divisor: "0" + resource: Ttq + secretKeyRef: + key: aaGRQS + name: C + optional: false + envFrom: + - configMapRef: + name: "0" + optional: false + prefix: 5cqcw + secretRef: + name: O7Gex12 + optional: false + - configMapRef: + name: DHEYwZ + optional: false + prefix: wSbyGx + secretRef: + name: 9nM86dZi + optional: false + image: E + imagePullPolicy: 栧Z + lifecycle: + postStart: + exec: + command: + - 6775E + httpGet: + host: hIoYmpbc + path: qEf + port: rnJpXG69m + scheme: 赙¯6a腚 + sleep: + seconds: 4894208532244896000 + preStop: + exec: + command: + - mHtY + - 0hh1Tr + - "" + httpGet: + host: BuElf + path: fJPDiyG + port: PybmIT + scheme: M*Ķ + sleep: + seconds: 7544543348205058000 + livenessProbe: + exec: + command: + - z7IJ + failureThreshold: -360493877 + grpc: + port: -1395908290 + service: zV1i + httpGet: + host: GLn + port: -279409955 + scheme: ǃU螄骰褃Ʀ诐Ɯ{,ɍb萎Ɲʢ鰪\U + initialDelaySeconds: 1831688310 + periodSeconds: -280461011 + successThreshold: 84363106 + terminationGracePeriodSeconds: 7513815341722355000 + timeoutSeconds: 442815657 + name: pGthpc + readinessProbe: + exec: + command: + - T39QO5 + - "" + - DbSsPel + failureThreshold: -1901163919 + grpc: + port: 1255815597 + service: xeTv + httpGet: + host: bipPJGJ + path: nghEbF + port: uyLPK + scheme: 翁渹牯澖 + initialDelaySeconds: 1295268788 + periodSeconds: 17921235 + successThreshold: -212369586 + terminationGracePeriodSeconds: 1061046207943693700 + timeoutSeconds: -1707711843 + resizePolicy: + - resourceName: RLHi + restartPolicy: 掳?帐(Ǖčĭ纜 + - resourceName: H1Bv + restartPolicy: Ɉ駃愝ɲƁ2*ʍJ蕦ʃĹr}尕5J埉g + - resourceName: f + restartPolicy: ɧ帨y晒ʪäǗ«ǤǞugT埤X澇寿Ù\ + resources: {} + restartPolicy: 7Y熀7rúǬ轘 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - Ǒn%Aʙ]m* + privileged: false + procMount: 鼷R珍沌 + readOnlyRootFilesystem: false + runAsGroup: -287129322294347260 + runAsNonRoot: true + runAsUser: 3942212766283409400 + startupProbe: + exec: + command: + - gN + - zpmlcJ + - DeLJ4s + failureThreshold: 102924404 + grpc: + port: -1304933194 + service: 0iK + httpGet: + host: jbg + path: ZqaSpx8C + port: UPJqfy9dOO + scheme: 韼QY岩沴ì釪儇9ĩN + initialDelaySeconds: -46268668 + periodSeconds: -1126074804 + successThreshold: -2093938118 + terminationGracePeriodSeconds: -3498490773203628500 + timeoutSeconds: -736335366 + terminationMessagePath: "7" + terminationMessagePolicy: 辺OB¯悱楆3Ǫ首傭ɟ鮛ïƇ豙ǁUȵ + tty: true + volumeDevices: + - devicePath: DSh1 + name: 1OMawuQAlZD7 + - devicePath: "Y" + name: liCI2j + volumeMounts: + - mountPath: JPO9Ewk3kgaeuBD + mountPropagation: k釂Żɮ>ɸêW箁B| + name: QGO7HtoR + readOnly: true + subPath: oYudCrOqA + subPathExpr: Z1oG + - mountPath: iH6 + mountPropagation: dP帗俪Ťŷ/6¤þ剛&Ģ趽qi + name: 9Ro4aQU5yby + readOnly: true + subPath: piBl3 + subPathExpr: nfDFn + - mountPath: uU2H4 + mountPropagation: ljQ + name: "" + subPath: rj2 + subPathExpr: E + workingDir: BveK3 + imagePullSecrets: + - name: ygWNP7C0W9 + - name: lo0PU + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + LAqpO: N7lh0C2 + RqG8qj: ltTa5 + X3q: F5c + priorityClassName: F + securityContext: + fsGroup: -8750452531563962000 + fsGroupChangePolicy: RȗɻÎ + runAsGroup: 3754171381447903000 + runAsNonRoot: false + runAsUser: 2565919490422334500 + supplementalGroups: + - 2907772986244332000 + - -4686580881125536000 + - -7134026849524392000 + sysctls: + - name: 8gezWufB + value: 2Jv + - name: 4nhjhT6P + value: 32ZuT + - name: cQk5tljX + value: Aimzt8kirN + serviceAccountName: HMyYp + tolerations: + - effect: aƻƀi + key: 7II7D0fA + operator: 跳<ȴŤƇ梐ȸŷR + tolerationSeconds: -92963183946417040 + value: U + - effect: p鸿xś冣9ɩ揊Ů忁琺ȖP壡o繊堮 + key: 5sC + operator: XɦǨ燖Ż綯逆挤ʦ斝蟏滣ʣ + tolerationSeconds: -6405135249548566000 + value: c2m6hlo + topologySpreadConstraints: + - labelSelector: + matchExpressions: + - key: bsO + operator: Ⱥ8欟慡Ƿţ6氙絿鐘黬聠ç + values: + - hbuLC + - SdAZnchI + - key: b4Pjya + operator: jɀh5湧,Ȳǣ6謉<ɦ + - key: gXEm + operator: ',k涃栏岴g橚甇ȳ0禰餝榖睌ěB縩侾F' + values: + - q9VqX4l + - zoMoc9Vb5 + matchLabels: + B0T: uiIEpLD2 + V: jdhpTcaa + pz: V1dJXS8 + matchLabelKeys: + - yoFhTrxV + - o + maxSkew: -1837539887 + minDomains: 2144009248 + nodeAffinityPolicy: 怓覷環ʤ苷疿ʡB聧!]LJƱĿGť + nodeTaintsPolicy: V~0韾¾Ȣû&嵙纠&ȠVƧ鍌 + topologyKey: GldA + whenUnsatisfiable: Ƀk纩{寍HƋ&庝僟D徼聊 + volumes: + - configMap: + name: Bv0I + name: configs + - name: 00PT1WRWHX + - name: P4 + - name: fn +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: {} + creationTimestamp: null + labels: + 5NU: UG7t + 6NmZI: QxuTdplvdDdc + BYcISWrd5: YZbXA + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: Bv0I +spec: + ingressClassName: vg + rules: + - host: daRMGxIy7gKoE + http: + paths: + - backend: + service: + name: Bv0I + port: + number: 51 + path: GVhF41Ue + pathType: TeM8 + - backend: + service: + name: Bv0I + port: + number: 51 + path: UontjIzl + pathType: MN + - backend: + service: + name: Bv0I + port: + number: 51 + path: "" + pathType: xN + - host: YCgI + http: + paths: + - backend: + service: + name: Bv0I + port: + number: 51 + path: MPhdfahEcn + pathType: ECPrn + - host: GDOlAVRM + http: + paths: + - backend: + service: + name: Bv0I + port: + number: 51 + path: H5pExfzke + pathType: v8 + tls: + - hosts: + - dQiMWdJ8cYKS + - 35K + - 8Kin + secretName: C + - hosts: + - zPo + - Z7 + secretName: SiZz +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "Bv0I-test-connection" + namespace: "default" + labels: + 5NU: UG7t + 6NmZI: QxuTdplvdDdc + BYcISWrd5: YZbXA + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: ygWNP7C0W9 + - name: lo0PU + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['Bv0I:51'] + restartPolicy: Never + priorityClassName: F +-- testdata/case-036.yaml.golden -- +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + Nv: YHcp9u + RMi5: o4 + ViLr0: zrEw3 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 9mG8n4Wu4 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: AumW +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: EfQbyB + kafka-sasl-aws-msk-iam-secret-key: B + kafka-sasl-password: w + kafka-schema-registry-password: qiltVq + kafka-schemaregistry-tls-ca: kyT4j + kafka-schemaregistry-tls-cert: Tu4varJ + kafka-schemaregistry-tls-key: bmT + kafka-tls-ca: UyskLmDZ + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: hPt + login-github-personal-access-token: vRbRqD0 + login-google-groups-service-account.json: lcc9 + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: A9RDbO6GzTtHYG + login-okta-client-secret: HktzleLAg + login-okta-directory-api-token: qX + redpanda-admin-api-password: 5imX8ztdqjU + redpanda-admin-api-tls-ca: opQQ + redpanda-admin-api-tls-cert: PGcfJC3zH + redpanda-admin-api-tls-key: IhqyTvQn4T +type: Opaque +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + Nv: YHcp9u + RMi5: o4 + ViLr0: zrEw3 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 9mG8n4Wu4 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: AumW + namespace: default +spec: + ports: + - name: http + port: 113 + protocol: TCP + targetPort: 414 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 9mG8n4Wu4 + type: XHYb2qmrk +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + GvX4jkWw: xAyNk + MdtXxfH: "" + WyrWx: 8QO + creationTimestamp: null + labels: + Nv: YHcp9u + RMi5: o4 + ViLr0: zrEw3 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 9mG8n4Wu4 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: AumW + namespace: default +spec: + replicas: 24 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 9mG8n4Wu4 + strategy: + rollingUpdate: {} + type: LJėwǮ甧 + template: + metadata: + annotations: + checksum/config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b + jLE31lUP: LWc + creationTimestamp: null + labels: + 6W: FQvOa + YwkBSNWK: 0qqd + app.kubernetes.io/instance: console + app.kubernetes.io/name: 9mG8n4Wu4 + jP3: iNkD + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: bkwD5 + operator: B砟摫ʟ]估ȽÓĖ頒ʙǯ + - key: 4n + operator: "" + - key: DDWUTPllaee + operator: ǒ@訹Ðđɤ軗ɲǃZ袓6悔ʙ[x] + values: + - bHwxZg + - iPWF3DQz + - yhiFQZ98w6h + weight: -551427274 + - preference: + matchExpressions: + - key: kZ + operator: "" + values: + - BMfDa + - key: l + operator: unɚʀɂ7Ǩ蘕 + values: + - 1vsAjW + - lEGj0 + matchFields: + - key: EYCyU + operator: 袒雬Ǐ蔡|骐pOĆƍbʌʝl + - key: e9QdJHV + operator: Ɏ鼛鏗擌-悝Ű + values: + - DToToJ + - Gq4 + - key: M4b3wwVy + operator: 煛苅=İ哋ońɢ\Głh斳hɷ韙 + values: + - fMIoNrUiyJdi + - tcNEhOds + - N0 + weight: -906035045 + - preference: + matchExpressions: + - key: 05VafuKQo + operator: ƃèĢC篘 + values: + - McUwm + - oMXVW + matchFields: + - key: "" + operator: 9ȮLǟ3V廉\5膏ɩ袴 + values: + - t + - r8d6G + - FevHe + - key: KeJd9X4 + operator: \Y#uɆɫwĉɎ卲S + weight: -773391374 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: PiRY + operator: 週畯嘰Œ铖'ȸ0Į5k,逊 + values: + - Fo9oE + - KLfm4 + - PiZJC + - key: 6HCuuj + operator: Ȋ!ʈh牅HŹ蓓% + values: + - PU34U + - bZ12kwJ4s1 + matchFields: + - key: CCVSIZH + operator: (铴Njʦ釖Ĩ鎅ƒ獞p)唓u¸::2 + values: + - DjvLD + - key: 9gy6tFM + operator: ø + values: + - lPjPu0 + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 2oL + operator: Ì溄祤BNjɎ_ )jðZF + - key: Tl1mGP + operator: r0ȨȵeēP眼饾j + - key: 98uL + operator: "" + matchLabels: + "": H0F + IGfr: 8iR8 + pTjU: 2vy5Ol + matchLabelKeys: + - l2d3an + mismatchLabelKeys: + - gomcuJ + - UMhaBnQUuSH4 + namespaceSelector: + matchExpressions: + - key: CyYjfraf + operator: 鸫ʊűoǪĞ3 + values: + - uPW + - key: vuREiHB + operator: ^ĄçȂ挌 + matchLabels: + tlcI6jz: 87JK + namespaces: + - eUszN + topologyKey: yJ + weight: 1657692208 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 3d3mr + operator: 鿈Ė聭焚歉Ð(币帄Ⱥ + values: + - h + - key: Z5c + operator: ma琓 + values: + - i5Ae6oUo + - EWixIB + - "y" + namespaceSelector: + matchExpressions: + - key: XFYbW + operator: M~ + - key: lWHcsQ + operator: 铿X异~<ÿ缇ī*^ĩ + matchLabels: + s: l6sxM + vFiVA7j: WEOy1jtU + topologyKey: JW85dr45m2G + weight: 444678250 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: bMT + operator: ^)4ɊDZǸDŽ + values: + - CG9Onrt + - key: T + operator: ƞ傏 + values: + - bXs59oj + matchLabels: + 6BRwn: Pdm + Yy: aaoLnp + myN: rwJGrW + mismatchLabelKeys: + - "n" + - c + namespaceSelector: + matchLabels: + 5QMzPp: AP + D: "2" + u: Dca + namespaces: + - 8Af + - NYfxoYf + - R4G + topologyKey: yY + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 2uhHhqog + operator: Ȧ + values: + - YgsgGf + - key: EaR + operator: 愅YVǵ楔¢4Ʋ + values: + - xaEk + - key: NV5iPi5Kw + operator: ' 軕氡#晉Ʀ筜篧e蹶ʀSɟʂÊʕT' + values: + - BY4 + matchLabelKeys: + - 9fTYFH7s + - aK6HB6 + mismatchLabelKeys: + - 13L + namespaceSelector: + matchExpressions: + - key: 3FT + operator: Tğ枕Ōo*a種JU-ɶƠdz鱓fƑS + values: + - 4ISUCT + - po8yM2L + - T5Q0UARu + - key: RhB + operator: "" + values: + - Re7 + - 7id + - 91GFPdrt + - key: ShRTzNRj + operator: ʬ吇Ȭ?搰Ç + values: + - HiGOGJE + - wOi + - HmllR83Dbvoz + namespaces: + - "" + - TBCPW + topologyKey: 0H + weight: 1493754197 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: CESaz + operator: ŢaæX#暁鲸'媩俛5齗aw'ĥ煆W + values: + - "" + - key: YtpoWP + operator: 瀽LƠ' + values: + - uS13z + - ip0h + - o8m9MWnmr92 + matchLabels: + 7o4tt: QX9gjN + KScJOoR95: Dpu + wfAk1b: rH5Z + matchLabelKeys: + - Yh1S1nZ7hm + - Fwx + - 6mhp + mismatchLabelKeys: + - ihvyNa7 + - m8 + - Q + namespaceSelector: + matchLabels: + 2KH67NR4: Vy8qZyy + topologyKey: w0KJ + weight: 1592497187 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + 1UcAh: h + namespaceSelector: + matchExpressions: + - key: yxz + operator: ',酵ýhȿ鲹芫澥 Ǧ_Ź躄_莯ʊ傡硬M' + values: + - Fof + - key: 8KwNEN + operator: 8炮逴8`M鞵ȍȟ蟷盱 + - key: N0 + operator: Ì崌爷矉&佷* JQȴ躀厇退ƿƍ肙 + values: + - kjlwyKc + - DDz + - Yf8Vf5Ar7w7 + topologyKey: n5cRtvXjK + automountServiceAccountToken: false + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: 0iCX + value: UfKNkXj6I + valueFrom: + configMapKeyRef: + key: GGYmdb5PBtUx + name: Zl1rWu9 + optional: true + fieldRef: + apiVersion: 1pKgni + fieldPath: 8Zmv + resourceFieldRef: + containerName: nK + divisor: "0" + resource: Yizp + secretKeyRef: + key: Dxqh + name: td + optional: false + - name: bm + value: K06vl + valueFrom: + configMapKeyRef: + key: dOTjzfwtRPzX + name: YleYOzRS + optional: true + fieldRef: + apiVersion: xl + fieldPath: 6NM2 + resourceFieldRef: + containerName: jreT + divisor: "0" + resource: "" + secretKeyRef: + key: B7 + name: cu + optional: true + - name: F4Vp + value: 9q + valueFrom: + configMapKeyRef: + key: dAPalKT0 + name: UXC7S + optional: false + fieldRef: + apiVersion: bTxwQmS + fieldPath: XW + resourceFieldRef: + containerName: iqnl + divisor: "0" + resource: e9 + secretKeyRef: + key: c1WJ + name: sg2TuPSW + optional: false + - name: KAFKA_SASL_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-sasl-password + name: AumW + - name: KAFKA_PROTOBUF_GIT_BASICAUTH_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-protobuf-git-basicauth-password + name: AumW + - name: KAFKA_SASL_AWSMSKIAM_SECRETKEY + valueFrom: + secretKeyRef: + key: kafka-sasl-aws-msk-iam-secret-key + name: AumW + - name: KAFKA_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-tls-ca + - name: KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-ca + - name: KAFKA_SCHEMAREGISTRY_TLS_CERTFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-cert + - name: KAFKA_SCHEMAREGISTRY_TLS_KEYFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-key + - name: KAFKA_SCHEMAREGISTRY_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-schema-registry-password + name: AumW + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: AumW + - name: LOGIN_GOOGLE_DIRECTORY_SERVICEACCOUNTFILEPATH + value: /etc/console/secrets/login-google-groups-service-account.json + - name: LOGIN_GITHUB_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-github-oauth-client-secret + name: AumW + - name: LOGIN_GITHUB_DIRECTORY_PERSONALACCESSTOKEN + valueFrom: + secretKeyRef: + key: login-github-personal-access-token + name: AumW + - name: LOGIN_OKTA_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-okta-client-secret + name: AumW + - name: LOGIN_OKTA_DIRECTORY_APITOKEN + valueFrom: + secretKeyRef: + key: login-okta-directory-api-token + name: AumW + - name: LOGIN_OIDC_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-oidc-client-secret + name: AumW + - name: REDPANDA_ADMINAPI_PASSWORD + valueFrom: + secretKeyRef: + key: redpanda-admin-api-password + name: AumW + - name: REDPANDA_ADMINAPI_TLS_CAFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-ca + - name: REDPANDA_ADMINAPI_TLS_KEYFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-key + - name: REDPANDA_ADMINAPI_TLS_CERTFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-cert + envFrom: + - configMapRef: + name: 3PT + optional: true + prefix: l + secretRef: + name: zakko + optional: false + - configMapRef: + name: RdxlkV + optional: false + prefix: 9Ae4W + secretRef: + name: UiJ + optional: true + - configMapRef: + name: bp + optional: true + prefix: SU + secretRef: + name: fy + optional: true + image: ai/f54I:iO + imagePullPolicy: ǫtŖŮƘ瓧ù¹勍u + livenessProbe: + failureThreshold: 864346345 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -1341055636 + periodSeconds: 2055603833 + successThreshold: -175204389 + timeoutSeconds: -589897727 + name: console + ports: + - containerPort: 414 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 1075627654 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 333726894 + periodSeconds: 1376975278 + successThreshold: 112483424 + timeoutSeconds: 669945326 + resources: + limits: + 7VHN3: "0" + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - '*·戌ɳKõʚK(懷ë蟅ȣg' + - vOpɔm&ɞ法槪ųf + drop: + - l¤0ɖK樌ŕDĪ箰ɬȓũ梫h揼 + - 躟OBZş互鹫Íʨƶ`ã + privileged: false + procMount: 9®俠ɳ屑ŏO'pe,Q+膿麣 + readOnlyRootFilesystem: false + runAsGroup: -289823929905824060 + runAsNonRoot: true + runAsUser: -4392330066259666400 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: Oly + mountPropagation: ƈįlñ + name: QuM + readOnly: true + subPath: NPJ + subPathExpr: vn + - mountPath: xsiqpcicm + mountPropagation: Ŝȃ燩čƃʤǸ儼 + name: blYv + readOnly: true + subPath: 8f + subPathExpr: I + - mountPath: "" + mountPropagation: 犒k洐ɨ3UʓďȏUm8/x艂" + name: i2 + readOnly: true + subPath: G + subPathExpr: Wo47OrA + - args: + - gfDaDhh + command: + - Eu + envFrom: + - configMapRef: + name: 9LtiYU + optional: false + prefix: dS5JDbtZJ + secretRef: + name: 3X5 + optional: false + - configMapRef: + name: vpOLCCmA + optional: true + prefix: IJpeUVYk3 + secretRef: + name: TaghAr + optional: true + image: Nw59jHFBw + imagePullPolicy: Eźz购綗映ò#ZuS絇溾^飷 + lifecycle: + postStart: + exec: + command: + - N2F2q + - XKeJn + - CfoVd + httpGet: + host: 0u3Kgf + port: PVA8u + scheme: ȧX[噦摼鎥憈ǴńƘŅ + sleep: + seconds: 9185496374723368000 + preStop: + exec: + command: + - lrWSClt + httpGet: + host: uS + path: 51Gzg9s + port: -1680102290 + scheme: 8涒齃ɠĬ諛鰅jyr塸ȷg× + sleep: + seconds: -302278202696680100 + livenessProbe: + exec: + command: + - fmu + - wJR3 + - 60zV6s4327rKb9 + failureThreshold: 2122798666 + grpc: + port: 1914605377 + service: ES + httpGet: + host: 7LAmwy8 + path: o2XAC + port: S5 + scheme: 犘ßħɚÂ剐*鬰ȇxȺ錎 + initialDelaySeconds: 343978803 + periodSeconds: -1725283583 + successThreshold: 1055506692 + terminationGracePeriodSeconds: -737021961431151200 + timeoutSeconds: 1721351711 + name: r + ports: + - containerPort: -341996687 + hostIP: zR + hostPort: -641414216 + name: AGa7X6lnw + protocol: 阧 + - containerPort: -1616018360 + hostIP: 8q + hostPort: -2060443566 + name: B + protocol: 位ŲȟHbfp餪魹| + - containerPort: -321829785 + hostIP: S + hostPort: 850049722 + protocol: ĢŔ=ɦŊ鳺醩hĂ踻鉀 + readinessProbe: + exec: + command: + - VRq0lZK + - nCUDH3Zgc + - f2h2C + failureThreshold: -444080905 + grpc: + port: -1484737838 + service: UL8hSUw + httpGet: + host: 8DDb + path: Z + port: It67aEO18 + scheme: 蹐疒Į浤 + initialDelaySeconds: -1225398553 + periodSeconds: -1497056806 + successThreshold: -1256842388 + terminationGracePeriodSeconds: -3265344141862786600 + timeoutSeconds: 1127947387 + resources: + limits: + "36": "0" + Oaiu: "0" + v: "0" + requests: + F0olO: "0" + tvGpYtd: "0" + restartPolicy: Ě卿ɫȰLZ懁 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - "" + drop: + - Ę螅7O5Ɵ駢Ó宮緂 + privileged: true + procMount: ʤ敠æx漭fƈŸʄ + readOnlyRootFilesystem: true + runAsGroup: -1779689763650766000 + runAsNonRoot: true + runAsUser: -1786517016760367000 + startupProbe: + exec: + command: + - Mcn36l + - "n" + - OMT3J + failureThreshold: 1137002720 + grpc: + port: -2106637755 + service: OYW + httpGet: + path: K + port: STUmUBT + scheme: 貪iɐ巶ɿiɲbɎ;Ŏċ2橺汲ŋ刢g + initialDelaySeconds: -648188998 + periodSeconds: -278768915 + successThreshold: 890955082 + terminationGracePeriodSeconds: 5660177701724483000 + timeoutSeconds: 959596283 + stdin: true + terminationMessagePath: h2a2mAm + terminationMessagePolicy: pjĉ + volumeDevices: + - devicePath: cZ95 + name: wLm + - devicePath: P9RW + name: PjzHR + volumeMounts: + - mountPath: b + mountPropagation: 脣Į + name: bOY + readOnly: true + subPath: mBuB + subPathExpr: 0io + - mountPath: DYp + mountPropagation: 9鹺t"Ĭij(?NB4ɖ鴼B屈桲ȋ噤ǁ + name: O + readOnly: true + subPath: EcI7mF + subPathExpr: HKfaS + - mountPath: NTgHw + mountPropagation: (ńÆ;裉嵀 + name: U6TGXB + subPath: wjpyjQ + subPathExpr: nqq + workingDir: NpjQN3dM + - args: + - m + - fmRfLPl + command: + - okKsRu + env: + - name: y8FxBu + valueFrom: + configMapKeyRef: + key: 1kdTq + name: NGzFHD + optional: false + fieldRef: + apiVersion: WDoDm + fieldPath: HTHz + resourceFieldRef: + containerName: aWk + divisor: "0" + resource: RcTwrpd4PaqW + secretKeyRef: + key: 27uDnW9fM1 + name: diwId6SMC + optional: true + - name: NZ1pEV + value: Xq7fA + valueFrom: + configMapKeyRef: + key: cYo + name: IhK1oKNNr + optional: true + fieldRef: + apiVersion: 0C + fieldPath: "" + resourceFieldRef: + containerName: OywKEud3 + divisor: "0" + resource: E4 + secretKeyRef: + key: gGTl + name: V + optional: false + envFrom: + - configMapRef: + name: fJ + optional: true + prefix: zFUU1PguE + secretRef: + name: S7Jre + optional: false + image: gbZ4mqT + imagePullPolicy: '*罖Ē掙*uĕĥ世û煨o曁ɖ)嬫噩肖Ñ' + lifecycle: + postStart: + exec: + command: + - nxKsxt + - F25ka4x + httpGet: + host: "0" + path: 9k0yMphk + port: GJdG + scheme: 婁箅蝼đ杣Ɗ°VAƭ0ĺ钘1 + sleep: + seconds: 8039264634100238000 + preStop: + exec: + command: + - NuJoJm + - gykEI + - "6" + httpGet: + host: UnkqD3SS + path: BhN + port: 712546393 + scheme: u + sleep: + seconds: 409536667065008450 + livenessProbe: + exec: {} + failureThreshold: 204373937 + grpc: + port: 1803358082 + service: VXsxSeh + httpGet: + host: Ht64jf7Eo + path: u1jjW9Qu + port: 556487018 + scheme: 熖Ű存ŖT磇ɘ外 + initialDelaySeconds: -1152834471 + periodSeconds: -1133396594 + successThreshold: -1385193405 + terminationGracePeriodSeconds: 2915006546098799000 + timeoutSeconds: -1401054296 + name: dfD716 + ports: + - containerPort: 691082006 + hostIP: b + hostPort: 636825973 + name: S5FmEWKv + protocol: g]se墰掀媸晓櫚驟憽hbƥsư° + readinessProbe: + exec: {} + failureThreshold: 152987910 + grpc: + port: 642951905 + service: q2qfom8L + httpGet: + host: GaxyfqlQ + path: Oh0t + port: -766612198 + scheme: UÂ_ + initialDelaySeconds: -1382761032 + periodSeconds: 967018272 + successThreshold: -178373997 + terminationGracePeriodSeconds: 6605400648980209000 + timeoutSeconds: -1404918452 + resources: + limits: + 7cu: "0" + 22n7v: "0" + XsU5mrE: "0" + requests: + kyXuqf: "0" + mBk4P9DWW: "0" + restartPolicy: ʓdT>NȚks_q祈 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ȸŏ脸(Yǃ¯~垇耗A) + - T翱ĥ + drop: + - 商ʏ軒Ƣ厢 + - Ⱥãt\跋þ漙苣ű吡憕鿶0傜om + privileged: false + procMount: Ŷ% + readOnlyRootFilesystem: true + runAsGroup: -1052699124096043900 + runAsNonRoot: false + runAsUser: 3737016357651072500 + startupProbe: + exec: + command: + - jefRNS + failureThreshold: -9144267 + grpc: + port: 642233169 + service: WjvgDkGG + httpGet: + host: 8hzgS0q + path: z + port: -885964296 + scheme: ɸliŵ + initialDelaySeconds: 1014078949 + periodSeconds: 1410148112 + successThreshold: 1164669668 + terminationGracePeriodSeconds: -3385668069040238000 + timeoutSeconds: -1723583731 + stdin: true + terminationMessagePath: zbCh + terminationMessagePolicy: 4攨2õė+軩Ç + tty: true + volumeDevices: + - devicePath: Nx + name: QLHA + - devicePath: 9JAgFLSdSqQ + name: "5" + volumeMounts: + - mountPath: KXG1 + mountPropagation: ȁ捄ɺ絒馢A¥`Èť + name: aghWO + readOnly: true + subPath: el7KEVsV + subPathExpr: tdksniBM + - mountPath: 5nus8 + mountPropagation: N饢杼M7X尅扐ǗÃɱNƞeuĦg儡 + name: TS4kHG + readOnly: true + subPath: i + subPathExpr: ktDaTCGG + - mountPath: CSkt9N0i + mountPropagation: 爕ɐYYȁ<獱椂@椗áʇ憣>\Ɋ筙纉Ë + name: KIKRXUR + readOnly: true + subPath: bWYTiq + subPathExpr: cgxlHqVV + workingDir: F + imagePullSecrets: + - name: bbjdn + - name: VI + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + U3Rfg9: WSTvjvP + hODw: LSv + iwleZ: fD + priorityClassName: gPB + securityContext: + fsGroup: 8205502301244812000 + fsGroupChangePolicy: "" + runAsGroup: -8440674019915816000 + runAsNonRoot: true + runAsUser: 4432310384984167400 + supplementalGroups: + - 7965846110903122000 + - -9174375158887063000 + sysctls: + - name: OkeQ + value: A + - name: 24y + value: fIPA + - name: "" + value: b3 + serviceAccountName: Jg + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: AumW + name: configs + - name: secrets + secret: + secretName: AumW + - name: HUa7xM +-- testdata/case-037.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + BJ: Gq0Rw + FPcPYvmbB7dAZe: Cy7WaeI + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: u2r6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + uEVMkDkYRvnn: zvptNai + name: ItYso + namespace: default +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - 2m: null + VNrY1fwY: null + eaGm2c: null + - Ng0sM: null + Txhv6: null + e2uo: null + roles.yaml: |- + roles: + - Dd: null + H0QLXtA: null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + BJ: Gq0Rw + FPcPYvmbB7dAZe: Cy7WaeI + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: u2r6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + uEVMkDkYRvnn: zvptNai + name: ADIhC +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + BJ: Gq0Rw + FPcPYvmbB7dAZe: Cy7WaeI + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: u2r6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + uEVMkDkYRvnn: zvptNai + name: ADIhC + namespace: default +spec: + ports: + - name: http + port: 226 + protocol: TCP + targetPort: 87 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: u2r6 + type: At +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + "8": SeJ + creationTimestamp: null + labels: + BJ: Gq0Rw + FPcPYvmbB7dAZe: Cy7WaeI + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: u2r6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + uEVMkDkYRvnn: zvptNai + name: ADIhC +spec: + ingressClassName: PHr + rules: + - host: PXAcFs520n + http: + paths: + - backend: + service: + name: ADIhC + port: + number: 226 + path: 1uGP0 + pathType: dWpX + - backend: + service: + name: ADIhC + port: + number: 226 + path: hAH + pathType: LjzFf + - backend: + service: + name: ADIhC + port: + number: 226 + path: 7Qy + pathType: vjB + - host: z9QAJ5 + http: + paths: null + - host: "" + http: + paths: + - backend: + service: + name: ADIhC + port: + number: 226 + path: Hc0IpaX + pathType: bc0T + - backend: + service: + name: ADIhC + port: + number: 226 + path: dzn1ldJ5h + pathType: M + tls: null +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "ADIhC-test-connection" + namespace: "default" + labels: + BJ: Gq0Rw + FPcPYvmbB7dAZe: Cy7WaeI + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: u2r6 + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + uEVMkDkYRvnn: zvptNai + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: Yi + - name: 6XnEhUN + - name: oeoW + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['ADIhC:226'] + restartPolicy: Never + priorityClassName: U7wS +-- testdata/case-038.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ld + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: fP77cJ3T + namespace: default +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - zn: null + - WCQKaiaj: null + py: null + roles.yaml: |- + roles: + - {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ld + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: j1dUk8TGy8Np +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ld + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: j1dUk8TGy8Np + namespace: default +spec: + ports: + - name: http + port: 46 + protocol: TCP + targetPort: 43 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: ld + type: uqFB +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "j1dUk8TGy8Np-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: ld + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: OlRQO + - name: Hkuk3 + - name: fP + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['j1dUk8TGy8Np:46'] + restartPolicy: Never + priorityClassName: 89gnK9rXyDXui +-- testdata/case-039.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + annotations: + PPZDrdmxKV: UBjiSx + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: o2F37Lr + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 8s2qVhKEW + namespace: default +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - 6O4d: null + EY: null + oPTMvYGp: null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: o2F37Lr + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: bbshm +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + 4yhZo: zLVEslN + Amz4VM: QAvK + IPCS: b1R + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: o2F37Lr + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: bbshm + namespace: default +spec: + ports: + - name: http + port: 400 + protocol: TCP + targetPort: 329 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: o2F37Lr + type: dPOD9Kzb +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: o2F37Lr + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: bbshm +spec: + ingressClassName: qyKUEOUT4u + rules: + - host: chart-example.local + http: + paths: + - backend: + service: + name: bbshm + port: + number: 400 + path: / + pathType: ImplementationSpecific + tls: + - hosts: + - F7m23 + - "7" + secretName: M +-- testdata/case-040.yaml.golden -- +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + X: zjmrl + "Y": yG0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 6sW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: KchYZFsbB3 +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + X: zjmrl + "Y": yG0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 6sW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: KchYZFsbB3 + namespace: default +spec: + ports: + - name: http + port: 424 + protocol: TCP + targetPort: 17 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 6sW + type: oZi +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + X: zjmrl + "Y": yG0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 6sW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: KchYZFsbB3 + namespace: default +spec: + replicas: 291 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 6sW + strategy: + rollingUpdate: {} + type: G阏发6s + template: + metadata: + annotations: + checksum/config: 6f40381c972fd418dd311a992b76c4181a57129add8096d427da1c5284bcdd8a + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 6sW + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: 7RRFnuao + operator: 鑿梞e璺瀧敢tȱ + - key: 3qz030r9N4 + operator: 脟óȨq駥Ƽx垤R$L + - key: 4egJ + operator: 敕ƒ洀ņ+Ō轲C丼Ʒij.ƾ蚯ƺ痻3皆咒 + values: + - "" + - J66saNw8 + - xBRUfDKhiA + matchFields: + - key: Kgp4qFm + operator: 桋iz<ïŃǃ襶D齿 + - key: 7F + operator: "" + values: + - iquNT + - aFPIw + - lYMJn4Un3 + weight: -954635927 + - preference: + matchExpressions: + - key: ePHgEs + operator: 撹ł + weight: -2109244754 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: gK + operator: 垭ʮȌ)"彛 + values: + - Vvo + - "" + - key: n0 + operator: 挪VɱȒ + values: + - 595ST + - sHQoTQgQ + - ZyYxnGB + matchFields: + - key: "8" + operator: 餒ơ鋦r)锟壃m汇 + values: + - H8 + - matchExpressions: + - key: nErJm + operator: Ûɟ敀淽 + values: + - sbjW + - 1l + - go + matchFields: + - key: ozzkD4D + operator: Ʌ\h崭蠒ȓ旉蹖楚_掁S5 + values: + - NrN0Id15O + - VrahPz + - YJfhO + - {} + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: qiGNj + operator: jƯȨ穞ɿPȧ + - key: HPRR + operator: ž8ƃKKDz蠽ƚ0ƻ + values: + - NAx + - Pr2F + matchLabels: + LY: ZRjD + matchLabelKeys: + - ikCO + - n25 + - IY0AqNStYm + mismatchLabelKeys: + - uO6G + - EFKfLOM0 + namespaceSelector: + matchExpressions: + - key: frBwUGG + operator: ǧ啯ʖ6džȡ衺Z莋æȘzv + values: + - 68q + - PrId4k5Nk + - 1Izg6c + - key: H5neR + operator: "" + values: + - gf2 + - "" + - key: LTEiVQV + operator: ʅďl$y韙bO儺e籾吕ŃV + values: + - LccIflVn3 + - QX + - kRZLtn + matchLabels: + lccn5: lx6 + topologyKey: AE + - labelSelector: + matchExpressions: + - key: ljGag0 + operator: "" + values: + - 3AlcF9eOiK + - key: XPoIj + operator: ĻĵN稙²x鸴ʊ + - key: "" + operator: m[ɻD«ʯĢĥɖHÃú锺N蓍!f + values: + - cwRFs + - wJtpMgyV1I + matchLabels: + 6gzmw2BW: v1eC + QI6Gl: Ckzyw0v + uRw21: 36kl + mismatchLabelKeys: + - XiX9Mrhv + - Xk2Ri + namespaceSelector: + matchExpressions: + - key: Roq9G + operator: 槓G{? + values: + - YCBJEhS + matchLabels: + 9X5C: TU1y + PG1k: 8j76iX8R + iYq9QLUSh3bk: Mvl2WRQ + namespaces: + - Pp + - z1O9mW5rB + topologyKey: U + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: pqtCgWlk + operator: eŭñZ) + values: + - 6eUrtsX + - GmGeP7 + - pBhe0 + - key: gctw + operator: L?岤紎!蠾黅誽帯÷Ʉ坏q + values: + - G + - "" + - "" + matchLabelKeys: + - IGYc + mismatchLabelKeys: + - C + - XlxD2Y5h + - Eut + namespaceSelector: + matchExpressions: + - key: QNvJq6Uc + operator: Ǔƀ閝遨垛簙UdĢ7ȍ騽¹DŽ + values: + - m4wq + - TmuqVB1 + - key: PTVC + operator: 珙'ɀɒ虃龓楼ƺ譄êǿ + values: + - w + - K + matchLabels: + GQp: tw + namespaces: + - t + topologyKey: I9Ng7D + weight: -278680619 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: IaZiqfV6 + operator: 幋x:Ȗ + values: + - XmaYG80 + - aaEScB + - DxB + matchLabels: + J3Ny9zUJ2DOTKO: eiUL0RR + lt: bqOs + matchLabelKeys: + - XYHp1S + - JKj1 + namespaceSelector: + matchLabels: + WopugltEP1J: eaGpkiS + namespaces: + - H9w9Q + - A8D + topologyKey: pvkKW + weight: 252280673 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: lSi + operator: 襚ǫAŇþ腦W[ĕ嘱ʌſœɃ槏Z岪 + matchLabels: + OzmceOBQ: F2mtk + QcoH: qt3OR6ZcjY + t5Cqg1: 1x9WW8EUyyn + matchLabelKeys: + - 0XGJ + mismatchLabelKeys: + - K6T + namespaceSelector: + matchExpressions: + - key: KoofEA + operator: ' íɀ馩Ȭɫġo娤螗暴Û漷ʦO腔' + values: + - nj + - U + - onkfJ4 + - key: 0aO + operator: Ŷű輖+¶)罩ƌ×螂 + matchLabels: + 2hf: GeFfROs4 + pA23: kqkG + rZ: DH6cT + namespaces: + - yvfsu + - L3Pu + topologyKey: BBBCjZel + weight: 392487334 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + 0hp: sd9 + mwTeR: D3HlJbmoK8 + matchLabelKeys: + - MwDkniC + - "" + mismatchLabelKeys: + - VuQB + namespaceSelector: + matchLabels: + 1x: Pj + D3J: 4gFps + bQU: weT0tI + namespaces: + - y9zrYKWApO + - rq0K3 + - 5XUeP7 + topologyKey: P7V + - labelSelector: + matchExpressions: + - key: Jv + operator: 啽ŃŐø + matchLabelKeys: + - s + namespaceSelector: + matchExpressions: + - key: Fy5Deb + operator: 旉錛!荕Ɂ! + values: + - nbiy + - "" + - 6QORDbd6zn + matchLabels: + bba0KJ: NE1j + nYif5xu0Hy9XW: 0s + qAoT: "46" + namespaces: + - 4JHyx + topologyKey: 7621t + automountServiceAccountToken: false + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: cD + value: JW + valueFrom: + configMapKeyRef: + key: "" + name: 8Ri7OfQ + optional: false + fieldRef: + apiVersion: Qc + fieldPath: 6ZYFg + resourceFieldRef: + containerName: qkUV + divisor: "0" + resource: yEf5zz13U + secretKeyRef: + key: xozuxs + name: z + optional: true + - name: "" + value: gea3 + valueFrom: + configMapKeyRef: + key: hwe3l3k2h + name: QX + optional: true + fieldRef: + apiVersion: kx + fieldPath: m7f + resourceFieldRef: + containerName: 0XEGE + divisor: "0" + resource: y4ce5 + secretKeyRef: + key: hmvX + name: 18Z + optional: true + - name: LICENSE + valueFrom: + secretKeyRef: + key: a7Ph + name: zsHNWVcS9 + envFrom: + - configMapRef: + name: DR3hdrvZIv + optional: true + prefix: kGV4HZ8 + secretRef: + name: tR3Yu1G + optional: true + - configMapRef: + name: 6pMd0VA0 + optional: true + prefix: Csp + secretRef: + name: ceqZBJ7fdqP + optional: true + image: cwfXN2KlU/qYQHJ:RIG + imagePullPolicy: -0Ź桛ɼ訚Ņ;秵ňĝ苒9麡ñà臸ʫ + livenessProbe: + failureThreshold: -1894321442 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1986051838 + periodSeconds: 541607099 + successThreshold: -1968479306 + timeoutSeconds: 1374945691 + name: console + ports: + - containerPort: 17 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 467513555 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -6410364 + periodSeconds: -623380707 + successThreshold: 1641270972 + timeoutSeconds: 1203716236 + resources: + limits: + "1": "0" + MrwIP: "0" + hgaW: "0" + requests: + 1lF: "0" + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 阊 + - DIȜO吽解诎-曅 + drop: + - 贎秨Ůɭ懾Ù盾| + privileged: true + procMount: ʪ勪įOew\Ǡ礓 + readOnlyRootFilesystem: true + runAsGroup: -6230225082797374000 + runAsNonRoot: true + runAsUser: -2569068293811685000 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: d + name: ieSo8V + subPath: "" + - args: + - jlI16Xnnb0 + - x0Z + - Tv6z + command: + - 3MnkZe0L + - OK + - cKvaGI + env: + - name: 7RtgX9 + value: TQH + valueFrom: + configMapKeyRef: + key: "" + name: GE2 + optional: false + fieldRef: + apiVersion: x2H + fieldPath: iVYVzT + resourceFieldRef: + containerName: 3QSG + divisor: "0" + resource: AgMtPE + secretKeyRef: + key: BhGA6 + name: LKemd3Cs9 + optional: false + - name: 9dFxchX + value: huoZj + valueFrom: + configMapKeyRef: + key: skdmo + name: gSEkUx + optional: true + fieldRef: + apiVersion: ymAcwLzaJ00G + fieldPath: de9Q + resourceFieldRef: + containerName: ZgwwQvA + divisor: "0" + resource: OTraA + secretKeyRef: + key: Pe8 + name: 39mCZV7ERv + optional: true + envFrom: + - configMapRef: + name: l + optional: false + prefix: kGdnbCakM + secretRef: + name: JrDM + optional: true + - configMapRef: + name: 0iH67 + optional: true + prefix: 3JVMhcII7 + secretRef: + name: PS1J + optional: true + image: Bx3IW17kjF7 + imagePullPolicy: È8秏糇 + lifecycle: + postStart: + exec: {} + httpGet: + host: EeLx + path: JC + port: 638412697 + scheme: 翔ĩñɁɬj局³喪Eů磘Ʒ唡嬤 + sleep: + seconds: -2739564842418698000 + preStop: + exec: + command: + - zjNyV + - 3i + httpGet: + host: RxhMCXQN + path: Dq + port: -821303664 + scheme: 髒xD>?ǠĆ踃w¬ + sleep: + seconds: 8925361607851383000 + livenessProbe: + exec: {} + failureThreshold: -2015695369 + grpc: + port: 102189788 + service: VG2k6Atq + httpGet: + host: 0dxm + path: Pix7SytH + port: 284583441 + scheme: 畝ǂƬƜ聞|b + initialDelaySeconds: 1150668189 + periodSeconds: 1279412097 + successThreshold: 337444728 + terminationGracePeriodSeconds: -665826210809930800 + timeoutSeconds: -802810999 + name: 1KSo0a + readinessProbe: + exec: + command: + - 3cCL4 + - en + - VN0 + failureThreshold: 448729232 + grpc: + port: -174942651 + service: paUcCUtV8A6 + httpGet: + host: tSEChhvGgDsf + path: Jrr + port: 516172996 + scheme: c{Ƭ臾斡:Ɣ?Í + initialDelaySeconds: -714126900 + periodSeconds: -88316167 + successThreshold: -1820867160 + terminationGracePeriodSeconds: 272130190949654340 + timeoutSeconds: 1803351679 + resources: + limits: + f9GQWFTKPFP: "0" + g5: "0" + requests: + 4A89zLoFG: "0" + SmOBH: "0" + restartPolicy: Ű高ǙG%7BČCaďʥyď + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - H鞕ă鶅镀秀 + - Ŏ昮0yƤɯ斺R妕Je芓BɜCĵ + privileged: false + procMount: ÿʑ鎆乭cŇ陛ǼȠn + readOnlyRootFilesystem: true + runAsGroup: 5591360478943232000 + runAsNonRoot: false + runAsUser: 6381588597473823000 + startupProbe: + exec: + command: + - rV83LKQ + - 87Vc + failureThreshold: -2022114361 + grpc: + port: 1348736621 + service: Gx8f9phR + httpGet: + host: fWnW4CGV + path: yQl0PNEE3g + port: TYi + scheme: 絅xn,ȵ6ʎ癙 + initialDelaySeconds: 205090742 + periodSeconds: -1401542741 + successThreshold: -2130268569 + terminationGracePeriodSeconds: 4104437343850793000 + timeoutSeconds: 604054255 + terminationMessagePath: ec8kHaD + terminationMessagePolicy: 甎i + tty: true + volumeDevices: + - devicePath: NFjF + name: AH + - devicePath: "" + name: u + - devicePath: 0q6A + name: nFe3FY4 + volumeMounts: + - mountPath: ad7JXhGN + mountPropagation: =廄殞+ + name: qVHWCUHp + readOnly: true + subPath: m3RBekA0 + subPathExpr: 7F0F8Ge + workingDir: LmnqIVV + - args: + - 3g94Jb + - "n" + - HxatWli7Qe + env: + - name: yKfn + value: fni0 + valueFrom: + configMapKeyRef: + key: cQjxg02ud + name: DqLUCO + optional: false + fieldRef: + apiVersion: dS + fieldPath: aH + resourceFieldRef: + containerName: BVSH2Bxu + divisor: "0" + resource: ZLW3 + secretKeyRef: + key: J + name: APYyG5qY + optional: false + - name: b4i9WEf + value: Ru + valueFrom: + configMapKeyRef: + key: mzxgZ + name: XgDd + optional: false + fieldRef: + apiVersion: U1l + fieldPath: sG2pcjz + resourceFieldRef: + containerName: Vlc1Ru + divisor: "0" + resource: hZpqB + secretKeyRef: + key: X0W3QpdAhux + name: I3L + optional: true + envFrom: + - configMapRef: + name: DJjN7Phe + optional: true + prefix: 4K2MBzNl + secretRef: + name: s4GF + optional: true + - configMapRef: + name: td0aZ + optional: true + prefix: CYvFW + secretRef: + name: WaBWGCRa8 + optional: true + - configMapRef: + name: ehHs9m + optional: false + prefix: n1x + secretRef: + name: TdUJ + optional: true + image: UNJ6E6 + imagePullPolicy: 砓³绔丬A + lifecycle: + postStart: + exec: + command: + - Qs8Sd + - JGX4Qj + - eCw00uq + httpGet: + host: NNLSd + path: y4tS + port: QzOfwe3a + scheme: º猗ĥɮƅLɘ隮术ƒ赥;,ǝ髳Ĝ7Ĭ嬳 + sleep: + seconds: 1170469124057922000 + preStop: + exec: + command: + - TN62uDLAuIx + - ndI + httpGet: + host: t7H6l2 + port: RHeYpAvJ8 + scheme: KǠɀƴ杔¸Ɉ$毕削peýfv! + sleep: + seconds: -5232306180460338000 + livenessProbe: + exec: {} + failureThreshold: -1900233123 + grpc: + port: -1323381498 + service: wJ + httpGet: + host: pAHsn3 + path: k31zW1 + port: 2elbrK + scheme: 痯秿丌 + initialDelaySeconds: 537756270 + periodSeconds: 1139432456 + successThreshold: -289377675 + terminationGracePeriodSeconds: -709025030374540900 + timeoutSeconds: 254134433 + name: zWs + readinessProbe: + exec: + command: + - x093a + - v1 + - Ef + failureThreshold: 75768089 + grpc: + port: -237977747 + service: "y" + httpGet: + host: EBEth + path: C + port: 790399211 + scheme: ær堹mhʢ + initialDelaySeconds: -157687184 + periodSeconds: 1071897332 + successThreshold: 824432298 + terminationGracePeriodSeconds: -54575953702939670 + timeoutSeconds: -1190752843 + resizePolicy: + - resourceName: R9fM + restartPolicy: ?ʖȒƅƀ逎v鐰wģ籫 + - resourceName: 7C + restartPolicy: óʌF鿯薸k} + - resourceName: Bqy + restartPolicy: E吻X秤} + resources: + limits: + UMJnobyO: "0" + qJmAwr: "0" + requests: + ZktW7e51vRUG: "0" + restartPolicy: '>ŀ鎙莸鼔茷蝼薼Ƽƅ°3貦罌臣洴軟處姼' + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - 儜vƝ¾ + - 輝Ġ$琑+檂 + - 飂 + privileged: false + procMount: ɓĎʙʗG0瑑娄K坢Ö&Ù + readOnlyRootFilesystem: true + runAsGroup: 2234167178876811300 + runAsNonRoot: true + runAsUser: -1191472066985646800 + startupProbe: + exec: + command: + - KGi9U + - D6 + - HZ3aC1 + failureThreshold: -2057203764 + grpc: + port: -1203229903 + service: Xd + httpGet: + host: tTW + path: oWk + port: -1347841801 + scheme: 檸`sȝBULj懄 + initialDelaySeconds: 1386184157 + periodSeconds: 2110004457 + successThreshold: -692279219 + terminationGracePeriodSeconds: -7060466210747559000 + timeoutSeconds: -905577521 + terminationMessagePath: g + terminationMessagePolicy: 頨Ĥ° òȯǤū暓坐ƚă杋鍄 + volumeMounts: + - mountPath: FmQht + mountPropagation: 饌^ǩ朳ųW磀ĥAijƨ+= + name: j5 + subPath: aoEWb7k + subPathExpr: 0ra + workingDir: zmwmt + - command: + - oFEaN2U1 + - HuBj9vk17eCjI + - "" + env: + - name: n3JVvVY + value: U14PEXs + valueFrom: + configMapKeyRef: + key: Ai0Xg3owIe7XlG + name: U4 + optional: false + fieldRef: + apiVersion: ZyO4Jpwkp2hV + fieldPath: roNil + resourceFieldRef: + containerName: gx + divisor: "0" + resource: Z + secretKeyRef: + key: AcP + name: qMy + optional: false + - name: oSWakHA + value: eR + valueFrom: + configMapKeyRef: + key: qsSVOr + name: o + optional: false + fieldRef: + apiVersion: SeP3aPXfjLIcfE + fieldPath: 091i + resourceFieldRef: + containerName: T5hI + divisor: "0" + resource: KxGi43CVGe + secretKeyRef: + key: "" + name: 5uI + optional: true + envFrom: + - configMapRef: + name: MujT + optional: false + prefix: cVRH + secretRef: + name: mpF + optional: true + - configMapRef: + name: MeO3F + optional: false + prefix: w3C4 + secretRef: + name: hnYx + optional: false + - configMapRef: + name: NT5MFmC65 + optional: true + prefix: "7" + secretRef: + name: yl2ze1 + optional: false + image: A8o + imagePullPolicy: ?晐T鴭Xp + lifecycle: + postStart: + exec: + command: + - zaLOG2 + httpGet: + host: kA51kbv + path: LMnFclIJczBo + port: 402299955 + scheme: :踖坯(Iȷ碨劅 + sleep: + seconds: 245674034851902980 + preStop: + exec: + command: + - Tz87qO + httpGet: + host: Xr6sP + path: xxE + port: 1901089000 + scheme: 3媧ş>La芸`Lzuŀɽ坤¦.痻Jǻ + sleep: + seconds: 6906639179439192000 + livenessProbe: + exec: + command: + - yxk0313sz + failureThreshold: 385001414 + grpc: + port: 1589713469 + service: UA + httpGet: + host: ZWfT + path: vTNYug5RZh + port: -192111662 + scheme: e¢dYÜdz + initialDelaySeconds: 1708942834 + periodSeconds: 1356452566 + successThreshold: 1750780088 + terminationGracePeriodSeconds: -1272770054640189000 + timeoutSeconds: 1656218869 + name: FxzTg + ports: + - containerPort: 63673829 + hostIP: 4xjED0VKV0G + hostPort: 2007665826 + name: xbwJ + protocol: ¼vb皪螯ʉwʒR玔È覦劙 + readinessProbe: + exec: + command: + - 0S + - "" + - GkPj + failureThreshold: 1405674719 + grpc: + port: -1659132742 + service: gIFP + httpGet: + host: jYnI3ins7 + path: bIEaFAc1 + port: UHfz + scheme: ʼn + initialDelaySeconds: 1531278754 + periodSeconds: -238235402 + successThreshold: -1690388514 + terminationGracePeriodSeconds: -2788228502880198700 + timeoutSeconds: -567709755 + resizePolicy: + - resourceName: nxpzTS + restartPolicy: ƫŀMs+,ǼƞȒ + - resourceName: 61uCVQ1 + restartPolicy: /澰ɍ½鑀a帷[鞺鏨攬姟壃F$R犬 + resources: + requests: + YfM: "0" + restartPolicy: œ|F彟S崘Ȑ貸1Ũȷ+齳 + securityContext: + allowPrivilegeEscalation: true + capabilities: + drop: + - 鸎dĉç荧 + privileged: true + procMount: "" + readOnlyRootFilesystem: false + runAsGroup: 5795239965908151000 + runAsNonRoot: true + runAsUser: 2409160731771391000 + startupProbe: + exec: + command: + - D6j2Q + failureThreshold: 975103738 + grpc: + port: -2081980063 + service: Nh + httpGet: + host: vdLm3FUXIs + path: jqCqF + port: "" + scheme: Ű"ƆĩNÙ襔冠ʈ + initialDelaySeconds: 524220215 + periodSeconds: 923596095 + successThreshold: 547119693 + terminationGracePeriodSeconds: 7382309226647739000 + timeoutSeconds: -1902082444 + terminationMessagePath: 2i5 + terminationMessagePolicy: 踑ĆĦ荷ýA/ǎ桫 + tty: true + volumeDevices: + - devicePath: KlUUX + name: NWO + - devicePath: W1JLM + name: qNw + - devicePath: BVE + name: c + volumeMounts: + - mountPath: yCztpht + mountPropagation: 巧苄;钽肇謌ʭɿw刄wɰM迵. + name: Mv9 + subPath: RWmlw + subPathExpr: Oy + - mountPath: Gf + mountPropagation: ɩ + name: On78O + readOnly: true + subPath: s7p + subPathExpr: 57aJIvpEm + - mountPath: m + mountPropagation: 崌蠿Ƣ湺 + name: CXSu + subPath: F8oe + subPathExpr: S + imagePullSecrets: + - name: V1 + - name: AyLzRkaGE + - name: 3pZ8 + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + y63G: wNiNvOMv + priorityClassName: 3A + securityContext: + fsGroup: 2302511509023017200 + fsGroupChangePolicy: 闦ñ禢`J鉤 + runAsGroup: -2347956389924857000 + runAsNonRoot: true + runAsUser: 1720952380350228700 + supplementalGroups: + - -621944387099711200 + sysctls: + - name: CvGz + value: "" + - name: dO + value: qwZyE + serviceAccountName: Cj + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchExpressions: + - key: pPoL + operator: ǭȉćŴ讶Y + values: + - "69" + - UC9 + - "7" + - key: 6toZoG + operator: Ġ+kʫȸ颷ʅÓ欽V譵; + values: + - go8adRXrn + - key: S + operator: ĕȻ*Gɝ靿暛_洳瑼Ĩ + matchLabelKeys: + - "" + - V7xIs1 + - eqq + maxSkew: 983843814 + minDomains: 854272231 + nodeAffinityPolicy: '>S篐ö抏茄(6' + nodeTaintsPolicy: e3äTȦ硷B捕萑Ǵ吷Ǿ邂Ǝièø + topologyKey: NoEcMWkg + whenUnsatisfiable: 幗鞲&渶Ÿɪ`鹵N + volumes: + - configMap: + name: KchYZFsbB3 + name: configs + - name: ieSo8V + secret: + defaultMode: 83 + secretName: mD0jl + - name: iPeR + - name: ZgdCb2kUB +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "KchYZFsbB3-test-connection" + namespace: "default" + labels: + X: zjmrl + "Y": yG0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 6sW + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: V1 + - name: AyLzRkaGE + - name: 3pZ8 + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['KchYZFsbB3:424'] + restartPolicy: Never + priorityClassName: 3A +-- testdata/case-041.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + annotations: + 5DCBJ96u: 12Himnm + ZQrRxpb: Aa + abcRNo3AHIw: gH1 + creationTimestamp: null + labels: + T1: pMf7C + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: x + app.kubernetes.io/version: v2.7.0 + cxAL7zvwvb: tmEjSXwTK6 + helm.sh/chart: console-0.7.29 + name: 0Z71mJNQUx + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + T1: pMf7C + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: x + app.kubernetes.io/version: v2.7.0 + cxAL7zvwvb: tmEjSXwTK6 + helm.sh/chart: console-0.7.29 + name: Wq +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: 4uTKbvRNSh + kafka-sasl-aws-msk-iam-secret-key: tfc + kafka-sasl-password: NAMo + kafka-schema-registry-password: 5LUUey + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: i + kafka-tls-ca: Fydyp8 + kafka-tls-cert: R4y + kafka-tls-key: "" + login-github-oauth-client-secret: Y0 + login-github-personal-access-token: xyn + login-google-groups-service-account.json: zFJbYJ + login-google-oauth-client-secret: CsVVc6 + login-jwt-secret: SECRETKEY + login-oidc-client-secret: dsx + login-okta-client-secret: wr9eIA + login-okta-directory-api-token: Dy + redpanda-admin-api-password: O7kPq + redpanda-admin-api-tls-ca: 7ORz + redpanda-admin-api-tls-cert: IT + redpanda-admin-api-tls-key: KR25cT +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - EQY9390E: null + WXyS: null + roles.yaml: |- + roles: + - {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + T1: pMf7C + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: x + app.kubernetes.io/version: v2.7.0 + cxAL7zvwvb: tmEjSXwTK6 + helm.sh/chart: console-0.7.29 + name: Wq +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + Sxsz0HWh: z9cj + creationTimestamp: null + labels: + T1: pMf7C + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: x + app.kubernetes.io/version: v2.7.0 + cxAL7zvwvb: tmEjSXwTK6 + helm.sh/chart: console-0.7.29 + name: Wq + namespace: default +spec: + ports: + - name: http + port: 359 + protocol: TCP + targetPort: 363 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: x + type: tJUW +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + I4K: K1yz + creationTimestamp: null + labels: + T1: pMf7C + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: x + app.kubernetes.io/version: v2.7.0 + cxAL7zvwvb: tmEjSXwTK6 + helm.sh/chart: console-0.7.29 + name: Wq + namespace: default +spec: + replicas: null + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: x + strategy: + rollingUpdate: {} + type: 稫启玩ɡʂ56 龪o + template: + metadata: + annotations: + checksum/config: 2e1f5f5401bac9a6ca8b2205a50f20ebc4a08fcafa78467ca458eb9e8411b634 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: x + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: gRchHJ + operator: g>騿b鈐ʃB¾偡医選ȍ恋 + values: + - I + - Ei + - "" + - key: hyf + operator: 斒ʃǜƆƲ + values: + - QUyyD + - key: Bkmx + operator: ư酰姺醪芄堑 + weight: 751548356 + - preference: + matchExpressions: + - key: oLam + operator: 蟹 + values: + - ouUaVpYnKDUI + - key: vjw6GPYYTKt + operator: 竣iN¸嚿×ɮib + values: + - ZTaqp + - key: d8VuBX6qV + operator: 脼Ȩ + values: + - a8aOe1 + matchFields: + - key: twbeCR + operator: óçøG靼Ɏȸ­乷ɍ + values: + - fJAm6rm + - 2h8IU + - zE9 + weight: 291395585 + - preference: + matchExpressions: + - key: qC6uf99en + operator: 鼢犖龆醑IÐ肣ɚòĺIGʖƟ穿ź' + readOnlyRootFilesystem: true + runAsGroup: -6867300864246943000 + runAsNonRoot: true + runAsUser: 972586500223089800 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: ctE5Qa + name: gcTdF + subPath: "" + - mountPath: n8KpOJZ + name: "4" + subPath: "" + - mountPath: 3Ka7 + name: lBE0nAE + subPath: "" + - mountPath: cIK + mountPropagation: 爂 YLƝ«煘?沀#朚ń鮾+ğÔ + name: orwvhF0 + subPath: ivP1ha4I + subPathExpr: VPCFJYVRHf + - mountPath: s + mountPropagation: m椥扶ȟqÈ倕{峙刷} + name: O35 + subPath: AN + subPathExpr: vm7 + - mountPath: 7P72D19W + mountPropagation: 堂窜B,Ś贃腔Ʈ£顽ąfYR + name: 6Z + readOnly: true + subPath: d7MJ + subPathExpr: LF + - args: + - M5GoLEac + command: + - "" + env: + - name: xn + value: gHloqKCZA0M + valueFrom: + configMapKeyRef: + key: 9EasdvqH1 + name: 3Jm5qlVRdb + optional: false + fieldRef: + apiVersion: IEuh0S + fieldPath: yGW + resourceFieldRef: + containerName: 6ytjPS + divisor: "0" + resource: Z + secretKeyRef: + key: a1KfCCp1 + name: OspUW + optional: false + - name: 1jMB + value: gsvW9h + valueFrom: + configMapKeyRef: + key: lEB1Z + name: sB + optional: true + fieldRef: + fieldPath: zsUJ + resourceFieldRef: + containerName: 11SE1A + divisor: "0" + resource: OFZYobDs5 + secretKeyRef: + key: wwZ + name: 0z + optional: false + envFrom: + - configMapRef: + name: AuPTaMX7 + optional: true + prefix: YNB9WA + secretRef: + name: QyV6 + optional: true + - configMapRef: + name: N5izN44MJ + optional: true + prefix: 103jYU2pj + secretRef: + name: IsJ + optional: true + image: f + imagePullPolicy: ']L7掻钏ĚxǢRʃd×?ŠɓT{' + lifecycle: + postStart: + exec: + command: + - 1Kv + - F2E + - uX1vDFV + httpGet: + host: XQ5sY + path: 5X8E + port: ZEAsx0C5i + scheme: 巇L嶤n蔢ȥ.&h喵趶旃 + sleep: + seconds: 3646722142291548000 + preStop: + exec: + command: + - "98" + httpGet: + host: MWUlhjhJA + path: JM3LkEQY + port: I4x4q + scheme: ʄȀ%ʎ兒餐oc-c + sleep: + seconds: 2358122019278204000 + livenessProbe: + exec: + command: + - dyqr + - 79j + - 6N2YiU + failureThreshold: 1763651267 + grpc: + port: 1387074657 + service: m + httpGet: + host: G + path: 9kp6wlF5 + port: 5zuLtPI + scheme: d輢殣ſē诧Wɹ讏 + initialDelaySeconds: -1520109712 + periodSeconds: -1170771093 + successThreshold: -1383663641 + terminationGracePeriodSeconds: -1296467687071372800 + timeoutSeconds: 1017261975 + name: xf5VXbM9DX + ports: + - containerPort: -1245943187 + hostIP: iVo + hostPort: -1606480480 + protocol: à唿Ň癫俤健ǛƵ虰響 + - containerPort: 1088776251 + hostIP: mN + hostPort: 2006200810 + name: izfW + protocol: 蠣狓j霎緦(Lǫ[ + readinessProbe: + exec: + command: + - w + - ZZzn + failureThreshold: -841549142 + grpc: + port: -1318693763 + service: z3 + httpGet: + host: DK8AT0w + path: TQEPNMTrmL26 + port: -1446467943 + scheme: ś檊:& + initialDelaySeconds: -768827532 + periodSeconds: -2057604270 + successThreshold: -1558550931 + terminationGracePeriodSeconds: 6890017506404353000 + timeoutSeconds: -1558365951 + resizePolicy: + - resourceName: BhJ20rFM28sOexT + restartPolicy: 槟"äÅ緦Xjê荀谆 + resources: + limits: + 3yphxx: "0" + requests: + "71": "0" + qj1cwc9x: "0" + xIH2: "0" + restartPolicy: 兜藄墲皀 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 翇ƒ\Ý琂麌褶犗錀Ć姉溬[I珵巖â迍Õ + - ȖnS¦ºǀʼndz&ü1 + privileged: false + procMount: ǻ\頧ADȜ[ʋɺɗ鬌ʢ栵鏆W剨 + readOnlyRootFilesystem: true + runAsGroup: -8217745538717204000 + runAsNonRoot: false + runAsUser: 8409092840666673000 + startupProbe: + exec: {} + failureThreshold: 514371514 + grpc: + port: 1386630692 + service: 5k9JljF + httpGet: + host: Yxa + path: KKzxL + port: 1749552838 + scheme: ǁ1钥`岺ȱ$ + initialDelaySeconds: 198009978 + periodSeconds: 1269387330 + successThreshold: 150401625 + terminationGracePeriodSeconds: 756942197968954200 + timeoutSeconds: -1507606503 + stdin: true + stdinOnce: true + terminationMessagePath: Yuuqhx + tty: true + workingDir: cNvZ0 + - args: + - EBJwKsy + - 88iT6Xcn + - XcT28aSWj + command: + - KYgqdbR + envFrom: + - configMapRef: + name: N30BWF9jx + optional: true + prefix: b + secretRef: + name: g + optional: true + - configMapRef: + name: vkY + optional: false + prefix: gn67ft + secretRef: + name: 9bmgS + optional: true + image: mhs + imagePullPolicy: agŒJ!Ǽƴ硴ĘBjp¸ǟ鏔ȫv + lifecycle: + postStart: + exec: {} + httpGet: + host: k1oZic + port: kWma + scheme: /A縊$/Ðl脿ʅK\Yû¡DȜ + sleep: + seconds: 4880710696024837000 + preStop: + exec: + command: + - mE1S + httpGet: + host: wmLvZ + path: P8Lw + port: 2130804875 + scheme: Aɷĝ/éȏ圳%)n帣 + sleep: + seconds: 5681554568621785000 + livenessProbe: + exec: + command: + - g + - 1tbHYej2 + failureThreshold: 721918154 + grpc: + port: 977234381 + service: K8 + httpGet: + host: o1a + path: EL + port: 606530945 + scheme: ɬ憋} + initialDelaySeconds: 527377871 + periodSeconds: 1831783866 + successThreshold: -925249104 + terminationGracePeriodSeconds: -5462814855858063000 + timeoutSeconds: 1067001478 + name: Cyr + ports: + - containerPort: -1582092218 + hostIP: HefrxT + hostPort: -1694778841 + name: "5" + protocol: 5訙奆Ņ蘹Ǭ馲ǧõsg + - containerPort: -1709296974 + hostIP: S + hostPort: -12435236 + name: RQIJVqVp + protocol: ı+=Ŷ\褭昊 + readinessProbe: + exec: + command: + - LxHQI2 + failureThreshold: -1670032382 + grpc: + port: 2038020216 + service: uS1pHYQuE + httpGet: + host: dFCk9 + path: 2YYVJoTxFI + port: 1533020718 + scheme: 侅弴噉讀ŲĨ趚ʉB + initialDelaySeconds: 753694711 + periodSeconds: -620933924 + successThreshold: 1935472803 + terminationGracePeriodSeconds: -1414957386950590200 + timeoutSeconds: 1810571120 + resources: + limits: + SwVZL: "0" + m6OD8E: "0" + requests: + bZQK: "0" + h9G0: "0" + hCGxGGtFgSx: "0" + restartPolicy: 毄鶏疡ɍʛ啔l鹯ą9掇悋ƦjþË + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - '*6珛åǪ' + drop: + - qć纣cȈʊ«Ȯ¤u俳糐郭ȉHT5į軌 + - ³R语 + privileged: false + procMount: GɛFȖ黸ȋȤá峠缂蛞·NN + readOnlyRootFilesystem: true + runAsGroup: 2219217566755129900 + runAsNonRoot: false + runAsUser: -6958635490019934000 + startupProbe: + exec: + command: + - VqKEGlA + - h1eQQmyq + failureThreshold: 1344510971 + grpc: + port: 1296412500 + service: 0FZIq + httpGet: + host: Gk + path: J1ncBCi + port: yqdEt689 + scheme: Ƹ陳ƨj>喐蠿鯌ʛB契p + initialDelaySeconds: -879591831 + periodSeconds: 1110714898 + successThreshold: -1301180826 + terminationGracePeriodSeconds: 3872467306429463000 + timeoutSeconds: 674947774 + terminationMessagePath: bm28lY3K2pwh + terminationMessagePolicy: Ȇƍ@¦Ț'±0ž + tty: true + volumeDevices: + - devicePath: o8dr + name: XmhFb + workingDir: 5wQN + - args: + - o0cO9clz7 + - HMSb + - 6uV0c + env: + - name: M3V9WePpx + value: ysO25 + valueFrom: + configMapKeyRef: + key: UqaJg4r + name: RfxtXP + optional: true + fieldRef: + apiVersion: lwe4YmNPx + fieldPath: tQj57vj + resourceFieldRef: + containerName: ZQ + divisor: "0" + resource: T + secretKeyRef: + key: x + name: ny4NEtt3z + optional: false + - name: cc2 + value: L0hw + valueFrom: + configMapKeyRef: + key: 385Ue36 + name: mmjoQw + optional: false + fieldRef: + apiVersion: 6oECJJ + fieldPath: viT + resourceFieldRef: + containerName: gwdJxK + divisor: "0" + resource: ck7 + secretKeyRef: + key: UuNsYAQvXJ0 + name: 1NAqDCU3 + optional: true + envFrom: + - configMapRef: + name: ZFk + optional: true + prefix: bXa4IzYR + secretRef: + name: aAJU + optional: false + image: JPgUP + imagePullPolicy: Q ¶ + lifecycle: + postStart: + exec: + command: + - r1uMNf + - M + - 8G + httpGet: + host: cuhhh + path: lXMriYoe + port: -988033465 + scheme: ',轄kzĒfť' + sleep: + seconds: -8820103652541682000 + preStop: + exec: + command: + - bElmX + httpGet: + host: bCNS + path: A0F + port: "" + scheme: 砘ɁA甜猷14ʣ)ǨƿŊ\ + sleep: + seconds: 821413986956195800 + livenessProbe: + exec: + command: + - M9y + - ay + - sRaY + failureThreshold: 600887441 + grpc: + port: 1597779369 + service: ua8K + httpGet: + host: 0XuF + path: V3 + port: -703127215 + scheme: 舷$趺É螳P阁]嚂驶钋琦袳$ƸO侎 + initialDelaySeconds: -1230549565 + periodSeconds: -335663932 + successThreshold: -1184112514 + terminationGracePeriodSeconds: 9077275487127833000 + timeoutSeconds: 1992088322 + name: pz + readinessProbe: + exec: + command: + - lVaA + - E9DNIWT7reP + - NW1Cc5O2 + failureThreshold: 1119300491 + grpc: + port: 2061347792 + service: fUXdOYJ9On + httpGet: + host: "0" + path: Us3pM3OkquAEW2 + port: -1693856749 + scheme: 鞡|鬟扝}肾~ + initialDelaySeconds: 1307857751 + periodSeconds: 1903760018 + successThreshold: 612917619 + terminationGracePeriodSeconds: -4296518247806248400 + timeoutSeconds: 1025631498 + resizePolicy: + - resourceName: "8" + restartPolicy: ȯy髚ʦ=ǰɮ瓿b:劀ǴáiO3IĮ + - resourceName: 8mFXK1FTs + restartPolicy: ėv|冿瀱Ƥ鐻D[ƼŮ/ + resources: + limits: + TVwPaoBqGL: "0" + juxQS6V3mr: "0" + requests: + igiG: "0" + restartPolicy: 皷ƴȿOvJ郦'欝 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ǐ缠]館ʚƾó|őɤ + - 6 銨dN_ZɻǦ絛顆麓 + - u鹍u鼓练gʘɍK]痰痁鶄Ȼ咶嚅俊ǙǕ + drop: + - 沎闸埲dz + privileged: false + procMount: "" + readOnlyRootFilesystem: false + runAsGroup: -265773045457612130 + runAsNonRoot: true + runAsUser: -6489119899323829000 + startupProbe: + exec: + command: + - 95NULc + - cCLaGfz + failureThreshold: -414102461 + grpc: + port: 339886942 + service: 7hdbpU + httpGet: + host: bN6EBrngIW + path: Luv09 + port: plsGDEJ + scheme: ʔ垃桪抴痺MM温ǹ + initialDelaySeconds: 2135898388 + periodSeconds: 1107416140 + successThreshold: -648919802 + terminationGracePeriodSeconds: 4653203112295128000 + timeoutSeconds: 1294917615 + terminationMessagePath: C + terminationMessagePolicy: 擎:Ȓ + volumeDevices: + - devicePath: TGjb8dLs + name: QN5Dj50Kuoc + - devicePath: aRIfAur + name: wQ47Fq7W3WPNDG + - devicePath: 2Smu + name: 1Q3d5wRJf6 + volumeMounts: + - mountPath: 5Trbk9 + mountPropagation: 秮驇穁 + name: YvM + readOnly: true + subPath: pFKsUV + subPathExpr: mhIjzA + - mountPath: F3lqb + mountPropagation: 窆f + name: NJXDvoxv + subPath: zVGgP + subPathExpr: H + workingDir: IEObw8N + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + JDRn7n: tOGfx + lKq0V88a: uR3S + vXzm2Hny: tURxvlp + priorityClassName: 6ZbHC + securityContext: + fsGroup: 3426922926776119300 + fsGroupChangePolicy: 橣 + runAsGroup: 8316915980597683000 + runAsNonRoot: false + runAsUser: 6270039107728701000 + supplementalGroups: + - -2399342924686736400 + - 620655430084388100 + serviceAccountName: gIkiPRSc53Eb4w + tolerations: + - effect: ć`湇Ȏ2篤螕巴蛬>@ø£鞌q + key: E7p + operator: 畁鼄瓈貔Ĕ釲ĸȚ貺|ǴĄl蔺İɽ糹 + tolerationSeconds: 3092681449541781000 + value: Zmrz8 + topologySpreadConstraints: [] + volumes: + - configMap: + name: eHZ + name: configs + - name: gcTdF + secret: + defaultMode: 210 + secretName: MPU + - name: "4" + secret: + defaultMode: 186 + secretName: s6 + - name: lBE0nAE + secret: + defaultMode: 412 + secretName: RG + - name: "4" + - name: Kry +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + "": vWjW + G: qF + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 84QIe + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: eHZ +spec: + maxReplicas: 165 + metrics: + - resource: + name: cpu + target: + averageUtilization: 42 + type: Utilization + type: Resource + - resource: + name: memory + target: + averageUtilization: 454 + type: Utilization + type: Resource + minReplicas: 187 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: eHZ +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "eHZ-test-connection" + namespace: "default" + labels: + "": vWjW + G: qF + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 84QIe + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['eHZ:190'] + restartPolicy: Never + priorityClassName: 6ZbHC +-- testdata/case-043.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: Gma + namespace: default +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: y0pa6pm83 + namespace: default +spec: + ports: + - name: http + port: 11 + protocol: TCP + targetPort: 465 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: 9TsjJQkJZ +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + GOF: Fk7wcu + J2: ViiBwn6 + WODaheluZ: jCoFdBnr + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: y0pa6pm83 +spec: + ingressClassName: 4Z1r6JSTY + rules: + - host: chart-example.local + http: + paths: + - backend: + service: + name: y0pa6pm83 + port: + number: 11 + path: / + pathType: ImplementationSpecific + tls: + - hosts: + - hAi45 + - N3wGXf + - 2Og0 + secretName: 11BdzGx + - hosts: + - MPqkMom + - mBwetJrK + - PcEKgK + secretName: HtA + - hosts: null + secretName: jRYKg +-- testdata/case-044.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + BvJq2xZ: jY6O0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tvDI + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: W9k + namespace: default +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - UiHg9: null + - "": null + mAYLjAybA: null + roles.yaml: |- + roles: + - 0NpG04j: null + UxtPt: null + l5dMdK: null + - J9: null + MzWfEl: null + yNu: null + - "": null + Pv: null + tGJIDyXG: null +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + BvJq2xZ: jY6O0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tvDI + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: resP +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + CRHNsVY: Nl04 + creationTimestamp: null + labels: + BvJq2xZ: jY6O0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tvDI + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: resP + namespace: default +spec: + ports: + - name: http + port: 103 + protocol: TCP + targetPort: 329 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: tvDI + type: "" +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + 4i: zwiMMKf + ZTKUDg2t: qHc7 + fGsx: dIpd + creationTimestamp: null + labels: + BvJq2xZ: jY6O0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tvDI + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: resP + namespace: default +spec: + replicas: 410 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: tvDI + strategy: + rollingUpdate: {} + type: ɬdW5f + template: + metadata: + annotations: + N0F: vSjZxkjW + checksum/config: 8ebe1d816245b967e7ea3109d93ad79599a2b8a33eed8e72fc85166d6ffa7aaf + creationTimestamp: null + labels: + K1uahi: UMygEU2O2 + app.kubernetes.io/instance: console + app.kubernetes.io/name: tvDI + ecdKkB: "1" + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: AFOKvXU + operator: ¸藬 + values: + - vIFxLM + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: + ZpWVx: agTJ2kP3DWNYN + matchLabelKeys: + - "4" + mismatchLabelKeys: + - 0qG + namespaceSelector: + matchExpressions: + - key: D8 + operator: d|ɬ曖 + values: + - p3iQYi6Y + - key: c + operator: ǵmV逛鲳鈐譮稹ÚȾČXú + values: + - a + - 3C55L6S7 + - SQaxr + matchLabels: + "5": jC + namespaces: + - oDKjy + - "" + topologyKey: C9jgFk + weight: 1276231314 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: lGp2 + operator: "" + matchLabels: + "": sKP1q2 + 44krG: UrYUSMsisV + unYZqLh67: tMKQ + matchLabelKeys: + - orDt3ZdEA + - LIBJK3 + mismatchLabelKeys: + - bgz2i + - CNqlQJ + namespaceSelector: + matchExpressions: + - key: 35CZTXLY + operator: 掟0笝润ɲDGĪ1Ɋ乧鴹ǥ + values: + - OOB1s + - o4H + - key: f21 + operator: nȿqh + namespaces: + - L0w7 + - DB9 + - T1mom4CrS + topologyKey: OWKJz + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: WaOHp + operator: Ƥ熅ǒe²敹Ņ0ľ(Ȯɩ6ÿ + - key: 0X + operator: be3蚛鷿_鴈y+圚ʀF虹D + values: + - ZIZDTnyfwD + - B4NWO9ffPz + - 1jsu + matchLabelKeys: + - mXhYg + mismatchLabelKeys: + - mp6 + namespaceSelector: + matchExpressions: + - key: xE + operator: ʩ畕 + values: + - uc7IZ + - Hxl1 + - key: Xb41Q + operator: cʓʁ卡嵷韻 + values: + - pA + namespaces: + - edcrY + topologyKey: sP2BdI + - labelSelector: + matchExpressions: + - key: U0 + operator: 卢ʩ + values: + - OBtefl + - yMIZlx + - key: X + operator: Ǔ%é鵔:ß侙鞅 + values: + - s1qg3meB + - e6J6ZH89 + - key: dhFO + operator: ƋŎ頖,é襺枣Ť卩骏ɰ抟篧JɂǛȝȵ + values: + - R9sJoCz + matchLabels: + 2T: 84ZhksfB + matchLabelKeys: + - Yc41 + mismatchLabelKeys: + - zgncb + - pCwXYOK + - hViR + namespaceSelector: + matchExpressions: + - key: 3hWtuB6Y + operator: ʪ+ʜǻ拎奜跁ª4鶒鲒[ʒJi\ʝ)皡 + values: + - s + - key: xGSn + operator: 羥/Br=Z擧Ŀ泀Ą舨cïŕɘʡȽIJ鉽 + values: + - lOZtQ2cI + - Vk6 + - Ri3t + - key: Z6UDhR9VLqSA + operator: 淸c欨pɝo腛ı廓齩鄬檏繑郭>Ö呡 + values: + - s6hp + topologyKey: wZZTf + - labelSelector: {} + matchLabelKeys: + - afDo + mismatchLabelKeys: + - S + namespaceSelector: + matchExpressions: + - key: AWObA + operator: ĝf表OS厅啬児0~L槩华L稙訐\Tȼ + values: + - M39 + matchLabels: + 0D9: u5 + T1: xiLiZn + v6: nSQp5 + topologyKey: mr + automountServiceAccountToken: false + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: Ahlf + value: UEv + valueFrom: + configMapKeyRef: + key: uwaRvb + name: M8Iklu7qx + optional: true + fieldRef: + apiVersion: H + fieldPath: 43xb + resourceFieldRef: + containerName: t8wgC87mO + divisor: "0" + resource: Z + secretKeyRef: + key: "" + name: EQfJ3z7tv + optional: false + - name: xj + value: lwmxmxP + valueFrom: + configMapKeyRef: + key: "" + name: cdBhO + optional: true + fieldRef: + apiVersion: U + fieldPath: Dj1sswKP + resourceFieldRef: + containerName: 1p3yUdrvd + divisor: "0" + resource: 5A + secretKeyRef: + key: DDcgdcu + name: oD38 + optional: true + - name: LICENSE + valueFrom: + secretKeyRef: + key: x8ik3q + name: K7c7oe + envFrom: + - configMapRef: + name: 2ECaB + optional: true + prefix: bao + secretRef: + name: CA5S95 + optional: false + image: UqWwteW0x/TZqk:0fpMB + imagePullPolicy: 讘ɂȴɩF壜î栒p + livenessProbe: + failureThreshold: 1147871047 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -470682176 + periodSeconds: 842863336 + successThreshold: 2078067842 + timeoutSeconds: 1252398573 + name: console + ports: + - containerPort: 329 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 1026367217 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -233395254 + periodSeconds: -96619339 + successThreshold: -2083481091 + timeoutSeconds: 1827269276 + resources: + limits: + eYVLCq: "0" + requests: + P: "0" + VsuQcjg: "0" + jwq: "0" + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ɐ毻sǨ斩麀|髦 + - (波F= + - 2鱶ɥǚ蘃齯ʃE桹蹝Ȓ畸蘋桙0 + drop: + - c掁轖e9\Ǟ¦ + - ȽT下Zź%賂蕄3 + - 乯`ŤĊŸ眸ʞ缔Ň妌嵳楕ǐwč*ǩ妩ɴ + privileged: true + procMount: ŃE诩Ŗś僆 + readOnlyRootFilesystem: true + runAsGroup: 6580465723841054000 + runAsNonRoot: true + runAsUser: -56006153890553620 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: v + mountPropagation: ?IJ純ʈxɧʅ + name: 9AiRaE35OlCv + readOnly: true + subPath: 2dv5RZ + subPathExpr: H7f + - mountPath: "4" + mountPropagation: 涾頴tOĜʥ朤 + name: ePEz + readOnly: true + subPath: BY + subPathExpr: w + - mountPath: n5FPgiJmk + mountPropagation: Ǵ棢__@ŗɆ4瞑5ŗ­L/ķ{篦ǯ + name: NryERK9Q + readOnly: true + subPath: tINFMAR5 + subPathExpr: VrBKy + - args: + - CCdc + - xnWsPf + - K9Lp8whZH + envFrom: + - configMapRef: + name: eRd + optional: true + prefix: jF9v + secretRef: + name: QS0dQM4 + optional: false + image: UEbFmY + imagePullPolicy: ɂǖ耒ȯ+Ǎ妸ÄĊ wʠB堯¥ƿɤp + lifecycle: + postStart: + exec: + command: + - 89MtW + - LOaqkcP + - JzjyxNZS + httpGet: + host: "3" + path: V + port: RUOELw + scheme: u*暪÷鰦ʭ,0噱D #干 + sleep: + seconds: 7312334685976475000 + preStop: + exec: + command: + - Cmo91luAq + - DTCwI + - d3Q8xly + httpGet: + host: e + port: -1761554680 + scheme: '|' + sleep: + seconds: -8572473558022234000 + livenessProbe: + exec: + command: + - 1K0Fir + - Ws + - jWym + failureThreshold: 1492079208 + grpc: + port: -1612320137 + service: wk3AYU + httpGet: + host: U + path: yLWf + port: dE + scheme: (魠ʫ倳|岺溻IJħu|æ粅 + initialDelaySeconds: -1551121242 + periodSeconds: 101556636 + successThreshold: -690762638 + terminationGracePeriodSeconds: -7606489989577612000 + timeoutSeconds: -947750725 + name: GKPhj2 + ports: + - containerPort: 690563670 + hostIP: mVXvug29A + hostPort: -1389446008 + name: pcUz3a8NWF + protocol: o& + readinessProbe: + exec: {} + failureThreshold: 816403475 + grpc: + port: 2090385753 + service: pp5W00 + httpGet: + host: sP9DV + path: cpLL + port: TNUIzm + scheme: '!敓GĜƝ塀ȏ@{8嶤ɍ|' + initialDelaySeconds: 911169006 + periodSeconds: 257542772 + successThreshold: 1702435185 + terminationGracePeriodSeconds: -4557510245814657500 + timeoutSeconds: -581799810 + resources: + limits: + 5UdZ91O: "0" + TXdC: "0" + bK0pEj0Mb: "0" + requests: + s8hZFXOGF: "0" + tCP: "0" + restartPolicy: Ǩ轡´@ǂȟ + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 鿞;P粜鬌)Ǭ郑&鑉k!f] + - Ċ + drop: + - ?孡渄:Ơ廔晞!ē8瞅@rDZ_ + - cfdú¯'ƱơÅś祏侪 + privileged: true + procMount: ȝ?A@û2蝓撕%o摤絡) + readOnlyRootFilesystem: true + runAsGroup: -2314751572399379000 + runAsNonRoot: true + runAsUser: 989961539055775400 + startupProbe: + exec: {} + failureThreshold: 971752114 + grpc: + port: -1594677871 + service: O + httpGet: + host: EIXRs + path: EA1CukJtUZ + port: g9g0 + scheme: 遱O靑課淁hɕ怡ņ鲥 + initialDelaySeconds: -1020857297 + periodSeconds: 1332161137 + successThreshold: -1412285197 + terminationGracePeriodSeconds: -7087737322486666000 + timeoutSeconds: 563432789 + stdin: true + terminationMessagePath: S + terminationMessagePolicy: =ɑ_èʊâ錯Ɛ窾O亇_ + tty: true + volumeDevices: + - devicePath: 2EtZS + name: "" + - devicePath: glBRF4 + name: e8K + volumeMounts: + - mountPath: L4U + mountPropagation: '}6ʓ蓱9峖3疖售Ʉ朞' + name: 4oVeDs + subPath: RoA + subPathExpr: b + - mountPath: b3TFcP + mountPropagation: ʘʟ| + name: jg4Ya + subPath: F + subPathExpr: flS + workingDir: VZi6ElPHw + - command: + - 3xxCjTRw + env: + - name: 1n + value: cHl + valueFrom: + configMapKeyRef: + key: "95" + name: gi + optional: true + fieldRef: + apiVersion: sQA8hZeZu + fieldPath: xgpJlFJ2 + resourceFieldRef: + containerName: fLR0HyM + divisor: "0" + resource: Sanx4 + secretKeyRef: + key: XgKm5 + name: gvoS9jB + optional: false + - name: s2cwze + value: hu + valueFrom: + configMapKeyRef: + key: fDoUz3 + name: XKG + optional: true + fieldRef: + apiVersion: q0CUy1W + fieldPath: B3Lkh + resourceFieldRef: + containerName: V1gnkr8hpTmU + divisor: "0" + resource: 7PEJNYX + secretKeyRef: + key: IiBIw + name: kiXa5 + optional: false + envFrom: + - configMapRef: + name: JayMLn + optional: true + prefix: Iyk + secretRef: + name: I8 + optional: true + image: uuJKCAGoiYb + imagePullPolicy: '&mɈ{DC鹪ŘƖ暢C镯VĪɮJ樟' + lifecycle: + postStart: + exec: {} + httpGet: + host: TlUl + path: v9nd + port: Khf + scheme: 雦G'獲ɕ垑Ɠ奚 + sleep: + seconds: 3204757101293724700 + preStop: + exec: + command: + - s8505Cg5U + httpGet: + host: hAMBGK + port: LNxGid + scheme: 9?Ɉ + sleep: + seconds: -7512312074000843000 + livenessProbe: + exec: {} + failureThreshold: -1252597876 + grpc: + port: -544919593 + service: "N" + httpGet: + host: xfP + path: ByIZxFF1w + port: 465839308 + scheme: ôȔʄǽȕ$Ɨ嫸% + initialDelaySeconds: 1827740835 + periodSeconds: 1434348082 + successThreshold: 1145653124 + terminationGracePeriodSeconds: -9056662989967493000 + timeoutSeconds: -741454610 + name: pkN5 + readinessProbe: + exec: + command: + - pmJ6cF + failureThreshold: -182850181 + grpc: + port: -30654612 + service: q + httpGet: + host: Vra + path: tovB7 + port: -934938952 + scheme: Ⱥǵ1茆鯨ț]ų1ơñ澂 + initialDelaySeconds: -1966697414 + periodSeconds: -1866944455 + successThreshold: -259752087 + terminationGracePeriodSeconds: -4535014313385885000 + timeoutSeconds: -1545912021 + resizePolicy: + - resourceName: RxDBqX + restartPolicy: 韌ʮ濅& + - resourceName: spCee + restartPolicy: 腋+桯PɆ誎z4µ&ȁou-囈鵼夵v| + resources: + limits: + rElH: "0" + requests: + "": "0" + restartPolicy: 7GK¦碦ǒ抩Z芍緜 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - NjǗA窇ţ + - 逈%Ǵ7QǚƶƜr + drop: + - 鹭Iv0蠤'Ɵ皝ƨ=¨ + privileged: false + procMount: èįƤ;L虥u籖ʄƎ}橃V炖 + readOnlyRootFilesystem: false + runAsGroup: -1041723617216276900 + runAsNonRoot: false + runAsUser: -3933065726531016000 + startupProbe: + exec: {} + failureThreshold: -983644738 + grpc: + port: 1827183629 + service: X7oC1 + httpGet: + host: vGk + path: ohKaYc + port: l1rVsh9 + initialDelaySeconds: -648569392 + periodSeconds: 873065120 + successThreshold: -612441773 + terminationGracePeriodSeconds: 6808330544454598000 + timeoutSeconds: 1534439066 + terminationMessagePath: VYh + terminationMessagePolicy: 唌Üi+ + volumeDevices: + - devicePath: DGsn + name: Ia + volumeMounts: + - mountPath: "14" + mountPropagation: 渉seǝ蕟厪ë嵎ǥ墮@ + name: "" + readOnly: true + subPath: C1G4VS1 + subPathExpr: eU + workingDir: odPxO + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + 2i: dRi6btw6 + R4: UsW + fFNJXGk: XBkx + priorityClassName: 8KMLup9vb + securityContext: + fsGroup: -3027126285888131000 + fsGroupChangePolicy: 袺芥ŵ罋o郘渢e堫柝dž + runAsGroup: -3172565869747058000 + runAsNonRoot: true + runAsUser: 5739747577453986000 + supplementalGroups: + - -1289730562709624600 + - 2918948066534341000 + - 8836988143915676000 + sysctls: + - name: ZSspAgrV + value: ES11 + serviceAccountName: W9k + tolerations: [] + topologySpreadConstraints: + - labelSelector: + matchLabels: + 435gSB: cXqM + XuT: nA + sKWX6pPX: YyYe + maxSkew: -1347306472 + minDomains: 1890499147 + nodeAffinityPolicy: 扒Ŕ + nodeTaintsPolicy: 諹uɔM_灢ʫ6ªWŢ庿ɛ + topologyKey: 34nlpPe2Tl + whenUnsatisfiable: šĉ鎨嶕鯖Ťȯ蝲萤ɪeCŒ5ő3|押 + volumes: + - configMap: + name: resP + name: configs + - name: Kt6NIoVzEY + - name: O +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "resP-test-connection" + namespace: "default" + labels: + BvJq2xZ: jY6O0 + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tvDI + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['resP:103'] + restartPolicy: Never + priorityClassName: 8KMLup9vb +-- testdata/case-045.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: false +kind: ServiceAccount +metadata: + annotations: + "": zL + EANkzh: rmy + creationTimestamp: null + labels: + M1diW: PVb + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tOoxEiwdVpT + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: nX5G + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + M1diW: PVb + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tOoxEiwdVpT + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9gCm5xz +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: naFpMBw + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: nKEzr + kafka-schema-registry-password: xU + kafka-schemaregistry-tls-ca: pc + kafka-schemaregistry-tls-cert: fF1z9FE + kafka-schemaregistry-tls-key: tx + kafka-tls-ca: bhhbwypQ + kafka-tls-cert: Dw1477 + kafka-tls-key: "" + login-github-oauth-client-secret: 1UD4N + login-github-personal-access-token: LmFkP6BgmLQ + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: m + login-jwt-secret: SECRETKEY + login-oidc-client-secret: cXdjG + login-okta-client-secret: eF90RohF + login-okta-directory-api-token: 1zXLSJEQ + redpanda-admin-api-password: rr4c4 + redpanda-admin-api-tls-ca: Eonnpq + redpanda-admin-api-tls-cert: aPCNgYI + redpanda-admin-api-tls-key: vlrLQ9I9 +type: Opaque +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + M1diW: PVb + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tOoxEiwdVpT + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9gCm5xz + namespace: default +spec: + ports: + - name: http + port: 314 + protocol: TCP + targetPort: 398 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: tOoxEiwdVpT + type: C +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + M1diW: PVb + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tOoxEiwdVpT + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9gCm5xz +spec: + maxReplicas: 305 + metrics: + - resource: + name: cpu + target: + averageUtilization: 344 + type: Utilization + type: Resource + - resource: + name: memory + target: + averageUtilization: 186 + type: Utilization + type: Resource + minReplicas: 326 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: 9gCm5xz +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: {} + creationTimestamp: null + labels: + M1diW: PVb + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tOoxEiwdVpT + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 9gCm5xz +spec: + ingressClassName: y6u9o + rules: + - host: V + http: + paths: + - backend: + service: + name: 9gCm5xz + port: + number: 314 + path: VRp3 + pathType: WX + - backend: + service: + name: 9gCm5xz + port: + number: 314 + path: ZXqa + pathType: LXDjotJK + - backend: + service: + name: 9gCm5xz + port: + number: 314 + path: b + pathType: 6l3svu + tls: + - hosts: + - SzMunki + secretName: OT +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "9gCm5xz-test-connection" + namespace: "default" + labels: + M1diW: PVb + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: tOoxEiwdVpT + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: rTO7I + - {} + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['9gCm5xz:314'] + restartPolicy: Never + priorityClassName: Op +-- testdata/case-046.yaml.golden -- +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + "": WcYTY + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + rHtDM6k: ZY6Kw + name: fB6TF +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: BKbdr + kafka-sasl-aws-msk-iam-secret-key: Xs8UvJPyL + kafka-sasl-password: xW3EDKA + kafka-schema-registry-password: Vewx + kafka-schemaregistry-tls-ca: te + kafka-schemaregistry-tls-cert: JxH + kafka-schemaregistry-tls-key: jhxioPhQ + kafka-tls-ca: eP + kafka-tls-cert: H9 + kafka-tls-key: "" + login-github-oauth-client-secret: Q + login-github-personal-access-token: akEcq + login-google-groups-service-account.json: pJ8NQ + login-google-oauth-client-secret: vj6 + login-jwt-secret: SECRETKEY + login-oidc-client-secret: 8SCyi + login-okta-client-secret: Yd + login-okta-directory-api-token: q1rSa + redpanda-admin-api-password: mON + redpanda-admin-api-tls-ca: rNzsp + redpanda-admin-api-tls-cert: UStA + redpanda-admin-api-tls-key: 3E +type: Opaque +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + aDeGG7F9S: 5d + creationTimestamp: null + labels: + "": WcYTY + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + rHtDM6k: ZY6Kw + name: fB6TF + namespace: default +spec: + ports: + - name: http + port: 271 + protocol: TCP + targetPort: 481 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: PK7oH1pcU3 +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + A4M6T: IUmZ9 + AHN: gcT00IU6 + S: lzi1Q + creationTimestamp: null + labels: + "": WcYTY + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + rHtDM6k: ZY6Kw + name: fB6TF +spec: + ingressClassName: aU0xOzsFN + rules: + - host: chart-example.local + http: + paths: + - backend: + service: + name: fB6TF + port: + number: 271 + path: / + pathType: ImplementationSpecific + tls: + - hosts: + - PV + secretName: aHG1 + - hosts: + - bX + - Cu + - xuscoJ + secretName: fBCynrlb +-- testdata/case-047.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: + DQxrtk8: buiWLPbYq + HHbP: sAY + Y0DKOcTa: D82Nfh + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: nEojiMtRc + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: DSw7 + namespace: default +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + 8v2: JbH + 95cxbjjD7C: JBMaJ + VY: yRV7d + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: nEojiMtRc + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: YUi5JpG + namespace: default +spec: + ports: + - name: http + port: 168 + protocol: TCP + targetPort: 227 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: nEojiMtRc + type: WAAXkZY +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + Bx5i3M: s + svlaTGpSHD: 7P9k + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: nEojiMtRc + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: YUi5JpG + namespace: default +spec: + replicas: null + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: nEojiMtRc + strategy: + rollingUpdate: {} + type: żʧȟ + template: + metadata: + annotations: + Mfsd: hmi + checksum/config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b + creationTimestamp: null + labels: + 6dZAs: xJPaLHKS1Y2 + app.kubernetes.io/instance: console + app.kubernetes.io/name: nEojiMtRc + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: {} + weight: 182966451 + - preference: {} + weight: -2028220392 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: [] + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 5a5MXO + operator: kƎǦƙ«嚄ƭr騥邜Fċʐ叧F& + values: + - BRA + - Ywt7JHE + - key: TjE3wFb6 + operator: O`6ƥ縈L:Ckʄ鹟瑧 + values: + - "" + - dxDLfiL + - 0IgsneLlLo + - key: tuBbSOMR + operator: 桛ʫ褛ʒɩWkv濱瘛#Ěi邱CNǖ4孳 + values: + - 9zJ + - 7T3iJAwX + matchLabelKeys: + - ZYcvinlq + - PwQO9 + - M3gb + mismatchLabelKeys: + - e + - K1XrVh + - D1CkR8 + namespaceSelector: + matchExpressions: + - key: uqnyV6k + operator: rĮ'示嶠ĵ攛Ņ + - key: 0ONfMVB + operator: n梷E8ʟ菛晉 + values: + - Q + matchLabels: + IqH8n: pCJ16S + mUE: HyxdirX0F + namespaces: + - gptVP + - L + - 7CmPHtA + topologyKey: XDhewcrvK + weight: 2033587292 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: jcAfZ5VF + operator: 饀re + - key: sj + operator: U姑R° + values: + - p8zbO + - key: 2LmP5 + operator: ŸȢ庾塁BƖ + values: + - NN + matchLabels: + ApvKyKe: kHE9lIIleR + mismatchLabelKeys: + - n3VRcT5qX + - zGNqgUGNX + - hDZ + namespaceSelector: + matchExpressions: + - key: "7" + operator: 砃=G墈赞飍鵝7d + values: + - Uiz9BnY + - key: hd76 + operator: '{緶ɡnW' + values: + - vc1yj10y + - Je + - eg + - key: 06pjmB + operator: =帛胏 + values: + - RQ10 + - Z5WWhGqt + namespaces: + - seMTT1 + topologyKey: E + - labelSelector: + matchLabels: + oplIL: 67Fs0Yu4 + mismatchLabelKeys: + - T1 + namespaceSelector: + matchExpressions: + - key: hOQWYMD + operator: vǑ壞2â飿"Xʝ簮倏c + values: + - "0" + - key: WWGKqAgL + operator: '''OƼŪ祰ǑŗiU嘏ɮ?Ī語' + values: + - yU5IOsL + - koP + namespaces: + - lDs + - xQZsD + - J + topologyKey: j0k4ds + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 9nDdXGQwP + operator: '[痵lǝ,ǶÜÂD' + values: + - th + - u8xZ + - ucr3vqZeG + - key: QWVrK8k + operator: ʀăɼy耯#運+3坽« + values: + - 2lcZKn + - G2IQ + - YbYwv + - key: N4bc7Wn + operator: '%7`iɊȑ槦醒}' + values: + - NiSH90 + - 98iHVkt + - 0r3Yu9i + matchLabelKeys: + - zrV + - Ey + - R + namespaceSelector: + matchExpressions: + - key: gEbVS1wo + operator: z + matchLabels: + 2YURuF: "" + CJTjm6: nOFN + oUtlWUD: 0k14ag + topologyKey: M1yF5YA + weight: 477520510 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: mdjoxbr + operator: V2SŨǰ8嫟淦 + values: + - 3ww0Ei + - 2PjudE + - pmpvETB0n + - key: NFqQGo + operator: 处;Ƕk鎹û絹褡Sy + values: + - V + - key: HuZ + operator: ȓő&ś>S怭ť]E榕 + values: + - sUume + matchLabels: + ef2q: 4ZL0O9b + r8xqG: MJ + matchLabelKeys: + - "" + - "Y" + mismatchLabelKeys: + - djn6fDf + - ukZi8 + namespaceSelector: {} + namespaces: + - dOU1F + - 1ygQdj3xZ3YIf + - wvpeJx + topologyKey: Rq4K6z6 + weight: -1277100698 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: b + operator: "" + values: + - tmuB5 + - 9qE9GM + - oJpaRDn2 + - key: WY + operator: u酘b + values: + - RhO + - Cs2rDIRrPlii + - nG4bqoAkQU + - key: eMae + operator: ǟĕȴnjI覿9¥H艞ɋ + matchLabels: + ToIBbWL: 4k8X + i2qGkWjvF7QJ: pb0sZq + u12o4B4: Ybz + matchLabelKeys: + - HCKtJC7hm + mismatchLabelKeys: + - 21r0Z + - "" + namespaceSelector: + matchLabels: + 2BNgnKr7Ob: 5RffK5NB3ghhfO + bJC: WTOgH + uA: bxdRwsU + topologyKey: 2CsbupZ + - labelSelector: + matchExpressions: + - key: RIP + operator: Oȝ(氧罻 + values: + - 1bx3Fix9 + - key: eqQoi + operator: 68+ʈĘ + values: + - FgfwmYrR + - mznlyr2aLTGF + - GfAoC8M + matchLabels: + FKwNoJ: aJZxa + cEeo8ix: 3dHunLjp5 + ihSd: qG7x + matchLabelKeys: + - F6LQK + mismatchLabelKeys: + - ULcGW + - RYv + - fF + namespaceSelector: + matchExpressions: + - key: Tkp5 + operator: ȴ潺谡Ƣh躈ŮâÿȒũĔ + values: + - fY9NuWB + - O84 + matchLabels: + 09fI: EDSEVi + Dl: 4u38aD4O + vZCciR: neqAXd7k + namespaces: + - ozziI6FZ + - URQlLJF + topologyKey: SeSq4K + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: "" + value: YbKo + valueFrom: + configMapKeyRef: + key: bIruuA + name: x8 + optional: true + fieldRef: + apiVersion: EqX + fieldPath: ZOh + resourceFieldRef: + containerName: IDJTm5lv + divisor: "0" + resource: QDC8v + secretKeyRef: + key: "8" + name: LcSdNiKff4 + optional: false + - name: RZHq9C + value: m + valueFrom: + configMapKeyRef: + key: PZVqf + name: x + optional: true + fieldRef: + apiVersion: xQi + fieldPath: vxeo + resourceFieldRef: + divisor: "0" + resource: l7 + secretKeyRef: + key: i3lK + optional: true + - name: LICENSE + valueFrom: + secretKeyRef: + key: nj + name: rl + envFrom: [] + image: zUsK/lQjo:p + imagePullPolicy: ȕ蚧竔/´苅oC + livenessProbe: + failureThreshold: -1392926461 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -1384385388 + periodSeconds: -1660079876 + successThreshold: 680842396 + timeoutSeconds: 213455290 + name: console + ports: + - containerPort: 227 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 1689894479 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -1753994274 + periodSeconds: -1189421015 + successThreshold: 1278527365 + timeoutSeconds: -209775227 + resources: + limits: + 8ycM: "0" + requests: + CvglPI: "0" + s5: "0" + uiHB: "0" + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - «Ƙz损 + - ɟE鄱Į惪Y桦ŗɘoȍ蠣4ƪ呀R> + - "" + drop: + - 娤b + privileged: false + procMount: ʍ曏(ƶæ + readOnlyRootFilesystem: true + runAsGroup: -406748533537085800 + runAsNonRoot: false + runAsUser: 3238073083343117300 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: g + name: L8dbWip + subPath: "" + - mountPath: OO0aO6h + mountPropagation: "" + name: kDKM + readOnly: true + subPath: AlRCH + subPathExpr: 7UemLsIe + - mountPath: Z8zdlU + mountPropagation: 醗¡°v:胡 + name: aedAMG + subPath: zo5P1xa + subPathExpr: WmuiME + - mountPath: ufiUx + mountPropagation: '`ʡÔ关Ľ?' + name: PWBh + subPath: 2hslJ + subPathExpr: pUtN3 + - args: + - lW + - lpUVzUh + command: + - 3mEGtoKbEWE2Jw5T + - b1GBFA + env: + - name: hsiWF93 + value: zBco + valueFrom: + configMapKeyRef: + key: 8hvvaoHB + name: "y" + optional: false + fieldRef: + apiVersion: WPT5J + fieldPath: sc + resourceFieldRef: + containerName: 0xbTU4O + divisor: "0" + resource: tPBV2ObG + secretKeyRef: + key: YEKZukl + name: px + optional: false + - name: PM0MyyH3R6R + value: yOzX + valueFrom: + configMapKeyRef: + key: I3pi + name: DC + optional: true + fieldRef: + apiVersion: "25" + fieldPath: "" + resourceFieldRef: + containerName: aZj1E7LU + divisor: "0" + resource: sxs0nE31 + secretKeyRef: + key: Ktb3c4 + name: g98T + optional: true + - name: 6kDq8UgFIS8 + value: L0i4 + valueFrom: + configMapKeyRef: + key: 9WUe9 + name: tZrRUK + optional: false + fieldRef: + apiVersion: GIc + fieldPath: AXTmU + resourceFieldRef: + containerName: E2 + divisor: "0" + resource: a63tq + secretKeyRef: + key: luWp + name: lPdowo + optional: true + envFrom: + - configMapRef: + name: vzVk + optional: true + prefix: DONFyRd + secretRef: + name: 9uct + optional: false + - configMapRef: + name: z5nC9D + optional: true + prefix: 5epUyS1iy5m8 + secretRef: + name: zqRFC + optional: true + - configMapRef: + name: awjfJlZxN + optional: true + prefix: LhArOQgbq1OCR2L + secretRef: + name: mb5axzX5 + optional: true + image: qPLiX + imagePullPolicy: '{Ĩ檽]ĻĹňɋ偌Ȏ.阛魉' + lifecycle: + postStart: + exec: + command: + - yAeOM + - s53um + - 3m + httpGet: + host: GJWsJm + path: iDQ + port: 1781170742 + scheme: 皐ű葺ȝĬ麐&ʉ執dz0娸叹 + sleep: + seconds: -4230531115544534500 + preStop: + exec: + command: + - sIGb5 + httpGet: + host: AbxhPKar + path: 3ZZ5 + port: 88852320 + scheme: 砨Ĝ_筀¤痟氻劊űI俼员z幛F + sleep: + seconds: -4758564920159899000 + livenessProbe: + exec: + command: + - ty6JMTW6vA + failureThreshold: -1459976999 + grpc: + port: -1689493187 + service: ihsDMVYd + httpGet: + host: e9NNlO5d + path: iBo4 + port: 334788778 + scheme: ƿ:ħȠL$ + initialDelaySeconds: 1625633184 + periodSeconds: 1327859251 + successThreshold: 1766792721 + terminationGracePeriodSeconds: -3971501657411371000 + timeoutSeconds: 557348614 + name: U3U + readinessProbe: + exec: + command: + - "Y" + failureThreshold: 391027623 + grpc: + port: -1858356724 + service: hnqm + httpGet: + host: g + path: C48 + port: F + scheme: 苎lɲÁ频×ȊDžȀ9Ď"昽 + initialDelaySeconds: -1404160881 + periodSeconds: 521131323 + successThreshold: 2005094455 + terminationGracePeriodSeconds: -5942417190535485000 + timeoutSeconds: 2118365394 + resources: + limits: + Ms1A: "0" + WkWhM: "0" + requests: + b4kR9nm9BfQZy: "0" + eLg: "0" + huME: "0" + restartPolicy: ľ慔/PpǏ銢9滖ɝ韍I鍌$ʪ辫Uz + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - wą&嘪研Z`ȧȢfʘ*ō + drop: + - ƿ`ĉĎ苦Ǧ蘈NJ她笻Ƞ + - 磨3踦煨1JƸc錚捁 ĊZe)ám \ + privileged: true + procMount: 鋶XJm/覹ɋ¶ȉĒȤ瀶|ƻŒ(咡 + readOnlyRootFilesystem: false + runAsGroup: -8452021579348254000 + runAsNonRoot: true + runAsUser: 5983932912975749000 + startupProbe: + exec: + command: + - sZhTLr + - GK + - kqL9aDDm + failureThreshold: 1004086477 + grpc: + port: 1266077274 + service: l1ji1IW1ic + httpGet: + host: rJI + path: H731Dr + port: 1333462733 + scheme: 项鰚ɽ洍êƳ + initialDelaySeconds: 1806670133 + periodSeconds: 1290098703 + successThreshold: -490255445 + terminationGracePeriodSeconds: -206080146769410300 + timeoutSeconds: 270060590 + terminationMessagePath: P1HCGJEbJiD4 + terminationMessagePolicy: ʇ鞯BC鸼樁÷ǹ楺 + tty: true + volumeDevices: + - devicePath: a4 + name: 0bA + - devicePath: VeRXU9 + name: A0XbFJhG + - devicePath: fdim + name: RJf + workingDir: ZoDFb + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: {} + priorityClassName: 0P6RnoBeb5 + securityContext: + fsGroup: -6567182940167159000 + fsGroupChangePolicy: 6iɰ堂:齐ǪÈ + runAsGroup: -1787219330993537800 + runAsNonRoot: true + runAsUser: -5627543087390805000 + supplementalGroups: + - -3306962996817147400 + - 975882030005456500 + - -5263492609498468000 + sysctls: + - name: YC + value: 7JlDTCP6hs + serviceAccountName: DSw7 + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: YUi5JpG + name: configs + - name: L8dbWip + secret: + defaultMode: 184 + secretName: LF0O +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: nEojiMtRc + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: YUi5JpG +spec: + maxReplicas: 122 + metrics: + - resource: + name: cpu + target: + averageUtilization: 218 + type: Utilization + type: Resource + - resource: + name: memory + target: + averageUtilization: 488 + type: Utilization + type: Resource + minReplicas: 449 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: YUi5JpG +-- testdata/case-048.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + 4kU: mkn8 + Ro: NFx1P + Z1p: WE + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: W7q3X + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: sKa + namespace: default +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - FZ5NQS6: null + - 0ToI: null + RTwav: null + mWwdgyM: null + - {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + 4kU: mkn8 + Ro: NFx1P + Z1p: WE + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: W7q3X + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 3um +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + c: DNy + kDPtPpnL: kFmmx + creationTimestamp: null + labels: + 4kU: mkn8 + Ro: NFx1P + Z1p: WE + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: W7q3X + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 3um + namespace: default +spec: + ports: + - name: http + port: 311 + protocol: TCP + targetPort: 29 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: W7q3X + type: l5gj +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + Dgw3Wl: 7aofTp + creationTimestamp: null + labels: + 4kU: mkn8 + Ro: NFx1P + Z1p: WE + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: W7q3X + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 3um + namespace: default +spec: + replicas: null + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: W7q3X + strategy: + rollingUpdate: {} + type: 顓ǝSm + template: + metadata: + annotations: + checksum/config: 1f1200550e8f17e44439daf44ec8c9721945fe5e499d9d558666a7a6516a4bd3 + eG: vxInc0 + g: BI6yk + xCtSP: rQ + creationTimestamp: null + labels: + ZEXh: zufy + app.kubernetes.io/instance: console + app.kubernetes.io/name: W7q3X + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchFields: + - key: v + operator: ė + values: + - ln + - lU4zX8iz + - t0Xc + - key: s3fpu + operator: ɥ娿ăʄĠ mʓ銈E'袭ĵ + values: + - ljJlhx + - matchExpressions: + - key: qPBvuBghor + operator: 泱诅ʫt + values: + - a05XZwN + - SiAvFWs + - FhW1 + - key: MVFTcW + operator: º囜N赧0索d + values: + - c + - ghZI + - AjB0J + matchFields: + - key: QzMSpLW + operator: :ɉùȪÇzǥC货°ÕV? + - matchExpressions: + - key: pA7a1gYdV + operator: '[ĪtOK' + values: + - 2bE4Bw + - fyMOYi + - key: wshbw7Ix + operator: J槭~撑MS=ÑƎ薽饵a緗 + values: + - 9jt6 + matchFields: + - key: s1 + operator: 犫茬睶ňv + values: + - XhyH + - Ng1r1 + - nqis + - key: mHLiT + operator: ȁ佝L郗s稷tŻ+f舭拳鰵2e{a + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: jdvk + operator: ƶ + values: + - NV + - y4 + - V2XRZS + - key: 9VvAl5 + operator: <坎陸$§¤_ã檠奙Å饉J夗ɓ翩锸辸 + values: + - x26kYkJ + matchLabels: + DziixIJYd: yCXzPc + matchLabelKeys: + - XNuk + - RGLu + mismatchLabelKeys: + - aF3 + - R + - Tnj6SmTq + namespaceSelector: + matchExpressions: + - key: e1XR + operator: Kɞ窏ǿ,鸣ŰcNc + values: + - Yrq + matchLabels: + F2Pe7J: dlwTdhs + lK: nolQ + ys9z: euXWPiaJ3Bv + namespaces: + - tAzvw4OH1G + topologyKey: 6y + weight: -1640008169 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: XbjQvP + operator: V嶙NZ谡筩ǒ抂 + - key: i + operator: ɔŃ旓Ɍ鬺X + values: + - Zvx + - 7HWJ + - e4ucTP + matchLabelKeys: + - 0LSTZ + - ESk2r + mismatchLabelKeys: + - CKhfvR0Sg + namespaceSelector: + matchExpressions: + - key: A0tc + operator: 辛§ʢ垝V矋n握匞~嶯筪溆¸ + values: + - ML + matchLabels: + K1pr: ROFIwZhJYYo + ODc: 48WQ + namespaces: + - Wv7 + - zenLPw + topologyKey: tIVDde5U + weight: 1977587462 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: 3YyUamlR + operator: 橯F + values: + - dHitre + - 90jUjk + - key: NtnSL + operator: 臰sR=坵Ěcñ黪:ɻ寊â9dƎ\V + values: + - qqzycK + - key: ICXJGRFS + operator: $貕^eėǭD鳅ʇ + values: + - txX + - SFrkJ9r + - 3jOnwEW1 + matchLabels: + Uwj1kpV: oUXOYkF + o: ts5wRqjTyCy + matchLabelKeys: + - V2DNNCORe7ZRA + - pglXe4D + - w3881 + mismatchLabelKeys: + - xbi5KtUmR + - eZenitLdd + namespaceSelector: + matchExpressions: + - key: fxd5Y + operator: 頣R熗!A麳Ƚ6r爤暓 + values: + - oe46YF + - rT30v + matchLabels: + 4WA: EH + nRhlLLx1yHy: 5UFrj + namespaces: + - 7j92oP + - 2hf + topologyKey: "" + weight: 92207265 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: wBvol + operator: Ɂüɯ + values: + - eKmyok + - key: B2uj69 + operator: "" + - key: hLrZlh + operator: ȕ嵠味 ɼ_ + mismatchLabelKeys: + - W + namespaceSelector: + matchExpressions: + - key: Qu + operator: 亣i拴ÿ + values: + - OeiUsmYu + - oGXa6Ma + matchLabels: + "": Li + oDV7yR: NP + namespaces: + - PQjQb3LP + topologyKey: Gs1 + - labelSelector: + matchLabels: + "": nF + mismatchLabelKeys: + - YG6aQj + namespaceSelector: + matchExpressions: + - key: HpxPVtw + operator: z畘ŠƽǢ蘟\ɡ忕ɋ蜹5B + values: + - EQ + - RP3fBi + - key: Lv60cZut + operator: 裰ƈ + values: + - I9JbN + - dt + - Cya + - key: 0MGm8N + operator: 遍Ż + matchLabels: + nELvnrAFr: DClM + topologyKey: N57yxG + - labelSelector: + matchExpressions: + - key: "" + operator: KǞ}ɣȿ嚶宗荝«Dž + values: + - CGw32z4JHya + - E + - u5CDtdc + matchLabels: + J5LzcLei: kBwTCGZ + iLpqu: j4bqBNDjAK + jN: jUZ0u + matchLabelKeys: + - lNM + - K3nOO5 + - 9norFQpMiC + namespaceSelector: + matchExpressions: + - key: y4teb + operator: 蚯 + values: + - P + - O0 + - MvxOu + - key: v8w1Ok + operator: 8ƴņŨƊ¹艗胲ƦpYƿ9d脙~Ë + values: + - "4" + - "66" + namespaces: + - OtWsVW + - p + topologyKey: GeF + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: GRLHy + operator: Ä椶 + - key: Z + operator: ė牫ȃ汥Ƈ娍q\桕ɄNǴ + values: + - S1hMkP + - K + - x5coDg + - key: kJzBQ + operator: ʉĻ孺bɧɬʬ柿娤e¯]每) + values: + - DbD1 + - C5dyvNew + matchLabelKeys: + - 8G + - 7cCVU + - lN + mismatchLabelKeys: + - xJ5l + namespaceSelector: + matchExpressions: + - key: U89y + operator: ȓ2浿澰V缐厧钎wň莁願菶ʈ杈 + values: + - 9m6ydjpHu + - CatqpZmUCL + - dJz + - key: SIePbOJc6H + operator: ljR2qɟ$s櫮c雕Ů幔莁沥ʫľƙŝ + values: + - 75tj75r + - XiO + - key: "" + operator: 舄或崙Ĭɐ耼Ī弋禽$ + values: + - HWwXVr4o + - WEkwi8ZNDQ + - f + matchLabels: + fi8w0BX: Z48LRdXmkJ + namespaces: + - Yaw2NnfJ + topologyKey: ElKfd7Eo + weight: 1078166465 + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: rd10f1l + value: GtUE + valueFrom: + configMapKeyRef: + key: C1N + name: bi + optional: true + fieldRef: + apiVersion: 9GWlMsB + fieldPath: l2 + resourceFieldRef: + containerName: 4t + divisor: "0" + resource: eyjvzsf + secretKeyRef: + key: xBMOaej + name: O8AG + optional: false + - name: C + value: fYlde + valueFrom: + configMapKeyRef: + key: 4HvhDAkW + name: 5bgA7leE7 + optional: false + fieldRef: + fieldPath: zY6rf + resourceFieldRef: + containerName: S3 + divisor: "0" + resource: 3sD + secretKeyRef: + key: s43 + name: LpaQ + optional: true + - name: LICENSE + valueFrom: + secretKeyRef: + key: enterprise-license + name: 3VGefRh + envFrom: [] + image: VHbf77MFq/9Gz:Tg + imagePullPolicy: Ƀşb?師Ğ`3H觉趟糯襖 + livenessProbe: + failureThreshold: 279778022 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 1098820524 + periodSeconds: 414174316 + successThreshold: 1178515566 + timeoutSeconds: 873461419 + name: console + ports: + - containerPort: 29 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 37001950 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -396024246 + periodSeconds: -1467409206 + successThreshold: -1328773613 + timeoutSeconds: -1781454259 + resources: + limits: + 8cdWaeK7jVrR: "0" + HYBi6o: "0" + requests: + NOz: "0" + gH: "0" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - Ɋ闻ǃɗʀd撪 + - 蘑ǪY桼ɮǚɳ爥ňB + drop: + - 乄}ñ0詘蛾牪坣缰ƩǏ薷©瓚`Ʋ虯r + - ǓJğ&ĊƯʝbǠCŪzgì + - ńǜ[ɪ判Uʋ]泘狔 + privileged: false + procMount: 媹:堏_ɟ榧禙Ɲ'瞟 + readOnlyRootFilesystem: false + runAsGroup: 2759228957449300500 + runAsNonRoot: true + runAsUser: -812867783664200800 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: WsSL4vxNxCkXP + name: Mt1 + subPath: "" + - mountPath: M5 + mountPropagation: 稤Bơ觓Ð琋 + name: yQHj49RtdzN + subPath: GdQkAKF + subPathExpr: Gvswh + - mountPath: QRg + mountPropagation: 搚Kƕ欕K貵蠜d旓ĀÝ虩釓 + name: qCEH27RF + readOnly: true + subPath: nHB05RuTZ + subPathExpr: K0yH + - args: + - 3QF + - k1BJBm + command: + - PMW + - j + - V7MAcfomz + env: + - name: rAzI53 + value: WlHlq + valueFrom: + configMapKeyRef: + key: zzIBsb + name: Bh261F + optional: false + fieldRef: + apiVersion: SlA + fieldPath: "6" + resourceFieldRef: + containerName: q0BBEv + divisor: "0" + resource: JE + secretKeyRef: + key: FvrZgBz + name: ZTBeic + optional: false + - name: uPptX + value: i9 + valueFrom: + configMapKeyRef: + key: JeHwi + name: TiQHOG1EsFUgIE + optional: true + fieldRef: + apiVersion: i7dd + fieldPath: Tu + resourceFieldRef: + containerName: ChdvA + divisor: "0" + resource: Eq1V33RTZQSJRJFg3V + secretKeyRef: + key: ojxn54r + name: L + optional: false + - name: Sl9Py25FX + value: e9 + valueFrom: + configMapKeyRef: + key: Zq80J9tyR0opcz + name: gy00dyvHFa + optional: true + fieldRef: + apiVersion: UJLSQy7zL + fieldPath: Xm4sg5H + resourceFieldRef: + containerName: ZmY7Fno6Fcop3 + divisor: "0" + resource: gqZwW + secretKeyRef: + key: v + name: hJDoWtjkfL + optional: true + envFrom: + - configMapRef: + name: RdWA + optional: true + prefix: Dq + secretRef: + name: BOBOO0sLIWw0e + optional: false + - configMapRef: + name: MoMnWNTC + optional: false + prefix: "3" + secretRef: + name: B58Vvj3 + optional: false + image: Vn5V + imagePullPolicy: 筥ǏŤČ癳嶧GĒH挕ÄHɡ + lifecycle: + postStart: + exec: + command: + - hTIx + - lslygl + - lSgx5G2IfU + httpGet: + host: GNVKz7 + path: d0Y + port: Igi + scheme: 莵łEǐ嫖ʒʔvŊ>ry5贛 + sleep: + seconds: -184172880642712450 + preStop: + exec: {} + httpGet: + host: tD1TkKV0ES + path: s6 + port: OpK5riOe96 + scheme: 琊*i#欱E唂ȧ鐄膶詃7 + sleep: + seconds: -4889549574266894000 + livenessProbe: + exec: {} + failureThreshold: 1591130939 + grpc: + port: -540029946 + service: aoAN2Lx03 + httpGet: + host: vWu + path: Lo + port: 1468671948 + scheme: ȯ煐IŢ + initialDelaySeconds: -1879733088 + periodSeconds: 1106663448 + successThreshold: 240850805 + terminationGracePeriodSeconds: -7405296717602936000 + timeoutSeconds: 524743651 + name: AInfx2Rak + readinessProbe: + exec: + command: + - oIA3 + - H + - 96Uj2 + failureThreshold: -1855887857 + grpc: + port: -495541010 + service: X + httpGet: + host: ZplmMg + path: tAAr + port: 1950182935 + scheme: ʂ綽oa;n轮ęB觼Z=G泇跢揌韇锶 + initialDelaySeconds: 1057136331 + periodSeconds: -2025421367 + successThreshold: -812558156 + terminationGracePeriodSeconds: 4314843605692522000 + timeoutSeconds: -1609986779 + resizePolicy: + - resourceName: EvmpG + restartPolicy: 4ɱ + - resourceName: hTB20ObO1 + restartPolicy: ½ŏ伐Q蔏ʝ噙漃袩J]Ɣ蒘岇 + resources: + limits: + KWlx2c: "0" + O: "0" + requests: + ZCJwGBL: "0" + restartPolicy: 1nĔ:蹮>s蹬ÍǺ + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - 迠寈搣弝渎İ- + drop: + - 檹Ɩ + - ɧ麧ç2ā兛杧蔙團载^P蚡5缿ʒU襩 + - cLD|ƶ虌Ȗ + privileged: false + procMount: ïƋ圏滜ľ転謀ĤP蹥ȅ|髃蒃Q癎æ + readOnlyRootFilesystem: false + runAsGroup: -4850605470374304000 + runAsNonRoot: false + runAsUser: 7731251064648991000 + startupProbe: + exec: + command: + - LqYoUQy3c4BE + - 5N + - Ug + failureThreshold: -1290004088 + grpc: + port: -1721281251 + service: H2p + httpGet: + host: 02CP5 + path: F609y + port: JjwFH + scheme: 珑 + initialDelaySeconds: -402608647 + periodSeconds: -1520214127 + successThreshold: 209058699 + terminationGracePeriodSeconds: -1900030585542850300 + timeoutSeconds: 1686394545 + terminationMessagePath: qixKzKz + terminationMessagePolicy: Ǥ衚蔁ʙ剠Ǡɭf~ + volumeDevices: + - devicePath: zM1 + name: jmc + - devicePath: IZ + name: PS + - devicePath: kN24U + name: Apu0r1U2 + workingDir: WgB + - args: + - 2Z37 + - 75kO + - TjvjkZTrc8s + command: + - M0NtzJ + env: + - name: 2EH + value: O + valueFrom: + configMapKeyRef: + key: J1ozKsuji + name: glLvAIHP7i + optional: true + fieldRef: + apiVersion: 3gAjGu + fieldPath: sNpuR8m + resourceFieldRef: + containerName: oxx + divisor: "0" + resource: PuKq + secretKeyRef: + key: Iua2L1LoCWMs2 + name: YfKwS8s + optional: true + image: PKNM + imagePullPolicy: ÍĪ0魣Ŋʒ + lifecycle: + postStart: + exec: {} + httpGet: + host: fsZ + path: EGnu + port: 765491661 + scheme: ?ğ叆ɂ&pʠ溶Ǚu + sleep: + seconds: 4688626474961013000 + preStop: + exec: {} + httpGet: + host: TB + path: "6" + port: -50369560 + scheme: ~Ǚɇ>ƃ\7]歉sh羘y4 + sleep: + seconds: -5293607398165582000 + livenessProbe: + exec: + command: + - 1g8dewdj + - lRmD + failureThreshold: -125369558 + grpc: + port: -1490211482 + service: R + httpGet: + host: CSGThzhG + path: 9NBKzoiFzs + port: -272474300 + scheme: ŀ + initialDelaySeconds: -1094670881 + periodSeconds: 1768141210 + successThreshold: -985604418 + terminationGracePeriodSeconds: -1297054466922920700 + timeoutSeconds: -1289231356 + name: KtKv6dg + ports: + - containerPort: -632764671 + hostIP: 8CU + hostPort: 917138107 + name: 1VgOx + protocol: 典ȫ窃ÛǪ3m患 + - containerPort: 739656218 + hostIP: dQQ3 + hostPort: -1348301133 + name: "3" + protocol: '?Ū慾ŘLº桒J:茦扰絥ǗȑĎ:' + readinessProbe: + exec: + command: + - qZ2J + failureThreshold: 293719665 + grpc: + port: 1235836411 + service: ig3 + httpGet: + host: Ws + path: FVnJhZq7I + port: -1075951148 + initialDelaySeconds: 321800409 + periodSeconds: -556535717 + successThreshold: -625124830 + terminationGracePeriodSeconds: -4084380722124342300 + timeoutSeconds: -904900305 + resizePolicy: + - resourceName: GKINnuJx + restartPolicy: Řl©=嬈牍]佧& + resources: + requests: + omO: "0" + uga5: "0" + xnRsp6C: "0" + restartPolicy: ʝdŌİ蒘傥>晑|癶x&ĭmŭƙŵ + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - 約nɤưHĞ4WƳǤȣ糥蠇t + - ¾ʃŔ冻楟?¿揈h嘼œ + drop: + - 7忭譺屩嫕ƞʅ袬/氼Xg养ȸ陣萓 + - 胨`鯵ƪĽ藹 + privileged: true + procMount: Ulƙxȿƌ乜溬噕瀆储铐\纬 + readOnlyRootFilesystem: true + runAsGroup: 4589112012742887000 + runAsNonRoot: true + runAsUser: 3204614620414442500 + startupProbe: + exec: + command: + - TFJ + failureThreshold: -585814509 + grpc: + port: 178002023 + service: lAuHCrE + httpGet: + host: "88" + path: Th + port: In + scheme: 鷵菭g顲Ⱦ穪 + initialDelaySeconds: -1856697198 + periodSeconds: 1469578394 + successThreshold: 160563852 + terminationGracePeriodSeconds: -4442318275257517600 + timeoutSeconds: -16211809 + terminationMessagePath: 513sVbgA + terminationMessagePolicy: 隓Ǽ屼Å7嗟Ʈ麝0{ȦDžĐ! + tty: true + volumeDevices: + - devicePath: ugQAJ + name: Jf + - devicePath: BFfnTD + name: kfF6CZ + volumeMounts: + - mountPath: C3 + mountPropagation: 呍婻厦ǒ絶偂蠛ƺ蠖蕍v貰Ė + name: DQvHajhHx + subPath: aYHGugq + subPathExpr: MSs + workingDir: OE + imagePullSecrets: [] + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + Bm9U: oTYglG6dh + priorityClassName: l4Mowg + securityContext: + fsGroup: -3794452885502571500 + fsGroupChangePolicy: 欲飹Rɦ薕µL<Ĕ + runAsGroup: -3171560656159467000 + runAsNonRoot: true + runAsUser: -4412205905842408400 + supplementalGroups: + - -7215185124091152000 + - 5139656417921063000 + - 600742233156257700 + sysctls: + - name: Te + value: cKzihj + serviceAccountName: sKa + tolerations: + - effect: 嫜ʎ愤wßj硭 + key: JO1 + operator: ȼ¾Pȇ挮ƶȋ'蹑鶚嗵ïG + tolerationSeconds: -6027642013843151000 + value: a3XbyS + topologySpreadConstraints: [] + volumes: + - configMap: + name: 3um + name: configs + - name: Mt1 + secret: + defaultMode: 80 + secretName: ZxXI0Hhv +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + 4kU: mkn8 + Ro: NFx1P + Z1p: WE + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: W7q3X + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: 3um +spec: + maxReplicas: 1 + metrics: + - resource: + name: cpu + target: + averageUtilization: 468 + type: Utilization + type: Resource + - resource: + name: memory + target: + averageUtilization: 256 + type: Utilization + type: Resource + minReplicas: 224 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: 3um +-- testdata/case-049.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: + 5bpPp: ponDVyZ + Ml1: "" + lt: 6VN8BRlJd + creationTimestamp: null + labels: + 0HYkOrz: JCwpSW + 0TgDztQSY: P + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8dJzE + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + ztm: qegfb80 + name: z12W + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + 0HYkOrz: JCwpSW + 0TgDztQSY: P + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8dJzE + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + ztm: qegfb80 + name: 0BIfuN +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: SBJl + kafka-sasl-aws-msk-iam-secret-key: INqD5 + kafka-sasl-password: 78E + kafka-schema-registry-password: YMuFCG7qR + kafka-schemaregistry-tls-ca: 1y5yRb6O2b + kafka-schemaregistry-tls-cert: NuhkhpMV7b + kafka-schemaregistry-tls-key: 9zcrFj + kafka-tls-ca: 0PF + kafka-tls-cert: wArD + kafka-tls-key: "" + login-github-oauth-client-secret: jdPGF7 + login-github-personal-access-token: y6xqv + login-google-groups-service-account.json: xi1j27Lipj8 + login-google-oauth-client-secret: m6FeI + login-jwt-secret: SECRETKEY + login-oidc-client-secret: zbsTootC + login-okta-client-secret: rHSfT + login-okta-directory-api-token: rOXaN + redpanda-admin-api-password: 8c + redpanda-admin-api-tls-ca: CJbHIM + redpanda-admin-api-tls-cert: uO + redpanda-admin-api-tls-key: uhB0L +type: Opaque +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + L: CP + Yf: K4waOjMg + tIYLLgy: d1szIPW6xt + creationTimestamp: null + labels: + 0HYkOrz: JCwpSW + 0TgDztQSY: P + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8dJzE + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + ztm: qegfb80 + name: 0BIfuN + namespace: default +spec: + ports: + - name: http + port: 269 + protocol: TCP + targetPort: 479 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 8dJzE + type: IfYfRoHRG +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: + BceQMZiOm: E1uakdHPkLNL + creationTimestamp: null + labels: + 0HYkOrz: JCwpSW + 0TgDztQSY: P + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8dJzE + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + ztm: qegfb80 + name: 0BIfuN + namespace: default +spec: + replicas: null + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: 8dJzE + strategy: + rollingUpdate: {} + type: 擺m鷾DžPĨ + template: + metadata: + annotations: + "": cuRn + checksum/config: 74234e98afe7498fb5daf1f36ac2d78acc339464f950703b8c019892f982b90b + qBdeU: EQv + creationTimestamp: null + labels: + O2n4u: kpFpu + app.kubernetes.io/instance: console + app.kubernetes.io/name: 8dJzE + g1c: XEOMg + spec: + affinity: + nodeAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - preference: + matchExpressions: + - key: L + operator: 域%Ɠ礇!ʘl.ǷŠ该貹&N + values: + - oAk8rvkey + - Fb08GpumY + - key: YJGr + operator: '|4\i事!ų藦x鳜Ǫ' + values: + - 63Yvc + - key: j + operator: ¸瀖čņ!彅搀 + values: + - RnzdW + - Nxs + - unZuno + matchFields: + - key: wLP0QqdHBmd9e + operator: ȑwȼ嶢vC`ȖĜƐ桡牆ēIa,謧ŗ + - key: mdgmMZ + operator: Ō§ȶƔ>#Z骻5S洝岛Ċ啞. + values: + - Fvf6 + - key: GQsV + operator: 涥ȕêȩȋ婍0毙舺糩\DŽŅ饒 + values: + - XccQkxG + weight: -1172839714 + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: JpS0BkW + operator: 聣耥ʒ昼|Ȏ)ß瞖a癨櫒缮{v + - key: HLL3gv + operator: 铡ÞC腢z蟒Á + - key: iDGQV8Bjyu5Q + operator: 舢脛歛ƻ68 + values: + - eLCH7Nc + - QQqPUN + - "" + matchFields: + - key: AY2q9fnL + operator: ȏ伌鎩5桀ʁ + values: + - Uac + - K0q + - bY71A + - key: rBwZz + operator: '*ĴȉǼ矼SN]ʛ源' + values: + - 5yMkn + - key: S1C + operator: ÿƙ彋,嘲樦 + values: + - OXH + - vl1 + - uCYaO8Cn + - {} + podAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: mZ3rAF9 + operator: yŲĺȫ阁笵W®詃Œ + values: + - bhvFz + - key: uiaNXZcXT + operator: "" + - key: AAM + operator: 閸鬼駝洁c奊(Ƅ謍MǍ辰T堍癩)丗 + values: + - "9" + - ESiN3 + matchLabels: + kCSDZtsm5: vVk + oBlyCq: jlh + matchLabelKeys: + - BCZ8FFbh + - A + namespaceSelector: + matchExpressions: + - key: Lsf + operator: L + values: + - a0HB + - C + - key: eoj6ic3 + operator: ż伌oA汄俔ɿ7巪娻% + matchLabels: + Cx: wwPPM + namespaces: + - 9xhG + - JAutZqe4gGeuf + - "" + topologyKey: 1a + weight: 223935020 + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: LtGRhs + operator: 棺ǔ'ɘ砒Æ擑Ɵģ + values: + - GhM4BSJqNOf + matchLabels: + "": 7Ni + matchLabelKeys: + - yxF4 + - 22RoWr + - etRteovEh9 + mismatchLabelKeys: + - 7NOfe + namespaceSelector: + matchExpressions: + - key: 3KCX2 + operator: 臞ʀ¯弄Ɨ橎琜ġ鍳¶ȣ2墛.ɮ濎ɕ磞 + values: + - 5YiE0xEC + - 4spxMd + - vUPA + matchLabels: + YHIq: nS + topologyKey: F4 + weight: 716052627 + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: "9" + operator: ĠƑȥ兾3ŶJ + - key: pPvuyWZ + operator: ;bļo刲+圊}MǏŅ惤ć + values: + - 9pMXT + - Ezwo11 + matchLabels: + 66347W: ccFxZoF9 + X: VrN5kt + mismatchLabelKeys: + - u4LyY1 + - zT + namespaceSelector: + matchExpressions: + - key: qwhutJo + operator: 垴ǞƼ + matchLabels: + OFxMkYx: lhxtM + topologyKey: WN8qbUgigF + weight: -1609734055 + - podAffinityTerm: + labelSelector: {} + matchLabelKeys: + - "" + mismatchLabelKeys: + - XnhP + - "" + - Bk + namespaceSelector: + matchExpressions: + - key: M + operator: Ǽ糨ʡ毺Ɇw + values: + - ntvI + - vs + matchLabels: + "4": 2Y2FBpcbg + namespaces: + - 1S8c + topologyKey: jxiZ4d + weight: 1993833508 + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: EpKkdimp + operator: 额ƀ箰L禼aÅ顙)C舉 + - key: e2Zu7Kb + operator: t潱髦pö鵺b澁6銹 + values: + - z9n + - LdMQ + - r + matchLabels: + F: Nc + Qa2h5toVwd: GGxZ3BQ + l: Z6Rh + matchLabelKeys: + - LsCC + - dgmxxZW + mismatchLabelKeys: + - e + - Cb + - e0DAEluN + namespaceSelector: + matchLabels: + oJ56D: 33m + tkP8tO: mIkfyE6E + namespaces: + - VxN + - hbwB9 + - t + topologyKey: qag0unul + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: KAFKA_SASL_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-sasl-password + name: 0BIfuN + - name: KAFKA_PROTOBUF_GIT_BASICAUTH_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-protobuf-git-basicauth-password + name: 0BIfuN + - name: KAFKA_SASL_AWSMSKIAM_SECRETKEY + valueFrom: + secretKeyRef: + key: kafka-sasl-aws-msk-iam-secret-key + name: 0BIfuN + - name: KAFKA_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-tls-ca + - name: KAFKA_TLS_CERTFILEPATH + value: /etc/console/secrets/kafka-tls-cert + - name: KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-ca + - name: KAFKA_SCHEMAREGISTRY_TLS_CERTFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-cert + - name: KAFKA_SCHEMAREGISTRY_TLS_KEYFILEPATH + value: /etc/console/secrets/kafka-schemaregistry-tls-key + - name: KAFKA_SCHEMAREGISTRY_PASSWORD + valueFrom: + secretKeyRef: + key: kafka-schema-registry-password + name: 0BIfuN + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: 0BIfuN + - name: LOGIN_GOOGLE_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-google-oauth-client-secret + name: 0BIfuN + - name: LOGIN_GOOGLE_DIRECTORY_SERVICEACCOUNTFILEPATH + value: /etc/console/secrets/login-google-groups-service-account.json + - name: LOGIN_GITHUB_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-github-oauth-client-secret + name: 0BIfuN + - name: LOGIN_GITHUB_DIRECTORY_PERSONALACCESSTOKEN + valueFrom: + secretKeyRef: + key: login-github-personal-access-token + name: 0BIfuN + - name: LOGIN_OKTA_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-okta-client-secret + name: 0BIfuN + - name: LOGIN_OKTA_DIRECTORY_APITOKEN + valueFrom: + secretKeyRef: + key: login-okta-directory-api-token + name: 0BIfuN + - name: LOGIN_OIDC_CLIENTSECRET + valueFrom: + secretKeyRef: + key: login-oidc-client-secret + name: 0BIfuN + - name: REDPANDA_ADMINAPI_PASSWORD + valueFrom: + secretKeyRef: + key: redpanda-admin-api-password + name: 0BIfuN + - name: REDPANDA_ADMINAPI_TLS_CAFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-ca + - name: REDPANDA_ADMINAPI_TLS_KEYFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-key + - name: REDPANDA_ADMINAPI_TLS_CERTFILEPATH + value: /etc/console/secrets/redpanda-admin-api-tls-cert + envFrom: + - configMapRef: + name: GTjM + optional: true + prefix: GSbKp + secretRef: + name: vhsV8Pl5 + optional: true + - configMapRef: + name: cvXs + optional: false + prefix: cBFtb + secretRef: + name: x9N + optional: false + - configMapRef: + name: rDSrOmdL + optional: false + prefix: 0u3 + secretRef: + name: A6PG37zBJfwNR + optional: false + image: RCYS61Exfql/8ZLfmymq:4BSL9iL + imagePullPolicy: õ鴀铑û + livenessProbe: + failureThreshold: -567921134 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -507660572 + periodSeconds: 1912372611 + successThreshold: -232304560 + timeoutSeconds: 582403024 + name: console + ports: + - containerPort: 479 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 1010917423 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: -986314779 + periodSeconds: 1763110639 + successThreshold: 1473932979 + timeoutSeconds: 1291669389 + resources: + limits: + x6: "0" + requests: + eeR: "0" + l: "0" + xppI8xB: "0" + securityContext: + allowPrivilegeEscalation: false + capabilities: + add: + - 趩燡º嗂{踦 + - CƮ + drop: + - 殟kĔ=ņŧɋ] + privileged: false + procMount: aŻ釯fȠ埱ɺȚ + readOnlyRootFilesystem: true + runAsGroup: 4284419790643993000 + runAsNonRoot: true + runAsUser: -4828746969388386000 + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + - mountPath: AQpWvptFEk7y + name: 99SgdOsZD + subPath: "" + - mountPath: p44 + name: U + subPath: "" + - mountPath: UiI + name: WFd + subPath: "" + - mountPath: De7 + mountPropagation: 1k噟霞ƁĹ + name: 1Z2WnghTc + subPath: Ts5Ful + subPathExpr: YyidD + - mountPath: onM7c3 + mountPropagation: m=Cɬ + name: GC5ZsY07Mr + readOnly: true + subPath: Xt + subPathExpr: r6gZk + - mountPath: 8gPjX7hc + mountPropagation: ƃ柅珚ȭ能 + name: oN + subPath: auYcD + subPathExpr: aheb25w + - args: + - kn0F9 + command: + - M + - Hph3 + - lZfWKF + env: + - name: HBWtNh10A + value: 8guE + valueFrom: + configMapKeyRef: + key: Chnm + name: UlwzEQ + optional: false + fieldRef: + apiVersion: 8pq9 + fieldPath: qpnfP4p + resourceFieldRef: + divisor: "0" + resource: L0tn + secretKeyRef: + key: J + name: gbfgF + optional: true + envFrom: + - configMapRef: + name: n32MM + optional: true + prefix: cp3 + secretRef: + name: Uc + optional: true + - configMapRef: + name: VGBL + optional: true + prefix: NTMU + secretRef: + name: CEg + optional: true + image: zIWYBi7 + imagePullPolicy: 蘂ȱʃ& + lifecycle: + postStart: + exec: + command: + - QpTcv + - MS0T0N + - wiE + httpGet: + host: ZCUJOIH + path: UsXT + port: 8nExSP2u + scheme: 'uŊ6熀: 焆 烷ʫ-Ŗ亾ɣʖ氝"肰' + sleep: + seconds: -2519616411083819500 + preStop: + exec: + command: + - rmQ7 + - GxRXQk + httpGet: + host: UIVpXMrzW + path: 4tHQ + port: 8xLK1VyM + scheme: ƳǃóɃȊ{回żz闓葊G嚥 + sleep: + seconds: 3595323074300269600 + livenessProbe: + exec: {} + failureThreshold: -882825879 + grpc: + port: 503069299 + service: W + httpGet: + host: FilCCd + path: NPZrCEq + port: 6NoPho8wIsxe + scheme: āȹ顺悩錣Xƕ灄ĿG乒 + initialDelaySeconds: 781680731 + periodSeconds: 205458 + successThreshold: 1115648780 + terminationGracePeriodSeconds: 4579765768791485400 + timeoutSeconds: -676867842 + name: 2tf + readinessProbe: + exec: + command: + - edKf + - 0U + - MFr2Oh + failureThreshold: 1812906550 + grpc: + port: -791379232 + service: IAqADBco + httpGet: + host: 55GZ + path: AQC + port: sxTXcp + scheme: ƷMg靚珨嘸ȗʒ鑉Ȝ梒ŗǐkōĕĵ鞍 + initialDelaySeconds: -130429301 + periodSeconds: 876742351 + successThreshold: -1424043483 + terminationGracePeriodSeconds: -1574530902871555300 + timeoutSeconds: 764935409 + resources: + limits: + 9eHi: "0" + rO52puR: "0" + requests: + UF8LV7N: "0" + ao: "0" + cRVsAz8v: "0" + restartPolicy: ɥ]×璳 + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - ɖ膵7&ʞíXĦx-ǰİɾ榩聨ŗ% + - DŽ熲鴼玜覲杷ȆƠ沺伤{拢 + - ɉȋʠRÂo霾噜奩ƻv$Áő + drop: + - ɑ摿愻J«ʘA宜ƹ¶ + - 餫aJ矐sǁ隑z36渢X赼 + - )ǜ鄰挺溒ŒV栜Ù涸JH-_d + privileged: false + procMount: Ito縎 + readOnlyRootFilesystem: false + runAsGroup: 2484782727894659600 + runAsNonRoot: false + runAsUser: -6936271037843915000 + startupProbe: + exec: + command: + - X + failureThreshold: -256045507 + grpc: + port: 376282302 + service: wdQrDn0 + httpGet: + host: teaO6 + path: DBHpGkYdgAJ + port: -1625640156 + scheme: Ʌ + initialDelaySeconds: 673272264 + periodSeconds: -1050905915 + successThreshold: 282500457 + terminationGracePeriodSeconds: 5768805478519710000 + timeoutSeconds: -601307290 + stdinOnce: true + terminationMessagePath: POO + terminationMessagePolicy: '#d鿂Hk閎=ɰ蜐ġOʡ蠁żǖ' + tty: true + workingDir: Z3pdGL + - args: + - a7Tqs + - UuID5t + - gRCnbjyp + env: + - name: ZV1KP + value: WrT0 + valueFrom: + configMapKeyRef: + key: zZzTgax + name: 3z3eoets + optional: true + fieldRef: + apiVersion: 88zo + fieldPath: z0vE72 + resourceFieldRef: + containerName: DF4t + divisor: "0" + resource: hfVfYFW4 + secretKeyRef: + key: I6JwpO5 + name: I88w22gsx3 + optional: true + - name: z8 + value: sgj8UHZ + valueFrom: + configMapKeyRef: + key: Q85vN + name: lYGl4 + optional: true + fieldRef: + apiVersion: oQu7 + fieldPath: TYd + resourceFieldRef: + containerName: "Y" + divisor: "0" + resource: Yx + secretKeyRef: + key: f + name: 0Pjf9YBj + optional: false + envFrom: + - configMapRef: + name: fAH + optional: false + prefix: vjjU + secretRef: + name: 9A8OgEQ9 + optional: false + image: R7L + imagePullPolicy: '}m6铤<豎ŵ,#M狥ʬo' + lifecycle: + postStart: + exec: + command: + - 2E + - gzntg + httpGet: + host: BOoVI + path: ns7ZMdNwQC + port: XF + scheme: ky咊ʅ ʂ娼ȟƐ橽ǿ唔ARɨ罙 + sleep: + seconds: -3978858376823544000 + preStop: + exec: + command: + - Hns + httpGet: + host: Lw8 + path: wdo + port: -239095421 + scheme: ƹ禍OÇ + sleep: + seconds: 3838288160382434000 + livenessProbe: + exec: + command: + - 8E + failureThreshold: -1052479375 + grpc: + port: 82058135 + service: S3UA2HwQaN + httpGet: + host: T0 + path: wYV6 + port: cEf + scheme: 斡1{嘫b葎剜屙唯皎図Ǜ錮ơxȒt駦Ƨ + initialDelaySeconds: -1976610733 + periodSeconds: 436460884 + successThreshold: -949159248 + terminationGracePeriodSeconds: 1786907735670591200 + timeoutSeconds: -2035324376 + name: 0ygO + readinessProbe: + exec: + command: + - "" + - YQ + failureThreshold: 1469514474 + grpc: + port: -1835111333 + service: 5WmTypZfT + httpGet: + host: BDf + path: ZY + port: tyrBXIqhX + scheme: 趬扬鉰昵 + initialDelaySeconds: -683847692 + periodSeconds: -95594828 + successThreshold: -1707399501 + terminationGracePeriodSeconds: 3256417681193515500 + timeoutSeconds: -2088454060 + resources: + limits: + zVX: "0" + restartPolicy: 晄d塮@ʥO%驮ÆgǍô + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ' 吓zǘa畷' + - 鲃ʍ瑘ƴɛjV艑ǔpMK杣Ġ + privileged: true + procMount: zɱÙŭǫäƿ诧聉ń醽Ƥ裩5 + readOnlyRootFilesystem: true + runAsGroup: -2381715627246700500 + runAsNonRoot: false + runAsUser: 6590063474480016000 + startupProbe: + exec: + command: + - "9" + - oRMM2F + - "" + failureThreshold: -1711876939 + grpc: + port: 1138187974 + service: OvdS + httpGet: + host: GZWJ + path: vzJeBCvGMHn7 + port: h9p1Pak + initialDelaySeconds: 447733263 + periodSeconds: 1805541821 + successThreshold: -1114184264 + terminationGracePeriodSeconds: 2730048172651207700 + timeoutSeconds: -1850805595 + terminationMessagePath: GK8 + terminationMessagePolicy: ɾDŽ÷郃ɻ玗璺,4 + volumeDevices: + - devicePath: bLf + name: UVN1o + - devicePath: fIT + name: Qiswb + - devicePath: 9b8i + name: h1 + workingDir: 1IOT + imagePullSecrets: + - name: h5x + initContainers: + - 'error unmarshaling JSON: while decoding JSON: json: cannot unmarshal string + into Go value of type []interface {}' + nodeSelector: + ra78: fJ + priorityClassName: JhGfjGXQ + securityContext: + fsGroup: 6449559755791186000 + fsGroupChangePolicy: 慩梱ʂcƎƱ\火ɘ²ɉ_ + runAsGroup: 841256803887707600 + runAsNonRoot: true + runAsUser: -2824253868920734700 + supplementalGroups: + - 8145086042470337000 + - -5005570809576723000 + serviceAccountName: z12W + tolerations: + - key: ka + tolerationSeconds: 2857628758439265300 + value: Ohni9QGx + topologySpreadConstraints: + - labelSelector: + matchLabels: + 3Ym: o2h5aVp + yR4PPZO: 3X + matchLabelKeys: + - vCKujB + - UqCFKCN + - Xnjfai + maxSkew: -943395897 + minDomains: 1955399000 + nodeAffinityPolicy: 噙撢馥櫱m>Q脕擏w梪 + nodeTaintsPolicy: 蝚溄鑝刉=歱Mr踄 + topologyKey: cHyq + whenUnsatisfiable: Q輒ƗȈʑǯƐ| + - labelSelector: + matchLabels: + E: lyK5b9t + UuSjduy: NcK4 + fty: iP6ai + maxSkew: 1881677866 + minDomains: -561571142 + nodeAffinityPolicy: ȫ寴ī嘌.樥'ǹs + nodeTaintsPolicy: ɇ剀ǨUǜ!俛dz餂~匹呃 + topologyKey: pCHj + whenUnsatisfiable: 尘I:Ƒ匌,騸 + volumes: + - configMap: + name: 0BIfuN + name: configs + - name: secrets + secret: + secretName: 0BIfuN + - name: 99SgdOsZD + secret: + defaultMode: 500 + secretName: B6Fq + - name: U + secret: + defaultMode: 337 + secretName: DddF02 + - name: WFd + secret: + defaultMode: 246 + secretName: tz +--- +# Source: console/templates/hpa.yaml +apiVersion: autoscaling/v2 +kind: HorizontalPodAutoscaler +metadata: + creationTimestamp: null + labels: + 0HYkOrz: JCwpSW + 0TgDztQSY: P + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8dJzE + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + ztm: qegfb80 + name: 0BIfuN +spec: + maxReplicas: 292 + metrics: + - resource: + name: cpu + target: + averageUtilization: 255 + type: Utilization + type: Resource + - resource: + name: memory + target: + averageUtilization: 99 + type: Utilization + type: Resource + minReplicas: 381 + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: 0BIfuN +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "0BIfuN-test-connection" + namespace: "default" + labels: + 0HYkOrz: JCwpSW + 0TgDztQSY: P + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: 8dJzE + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + ztm: qegfb80 + annotations: + "helm.sh/hook": test +spec: + imagePullSecrets: + - name: h5x + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['0BIfuN:269'] + restartPolicy: Never + priorityClassName: JhGfjGXQ +-- testdata/console-config-listen-and-target-port.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + server: + listenPort: 3333 +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 4444 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: f57fffad24d8562b91b674515ee68bfe758dbbfe634dcd2bb3497934f70538c9 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 3333 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/console-config-listen-port.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + server: + listenPort: 3333 +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: f57fffad24d8562b91b674515ee68bfe758dbbfe634dcd2bb3497934f70538c9 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 3333 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/console-with-role-bindings.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - metadata: + name: Redpanda POC + roleName: admin + subjects: + - kind: user + name: e2euser + provider: Plain +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: fb8e6e138b819f5ea3ae5c413e14f624501b139f2294e15c4f188ec463049755 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/console-with-roles-and-bindings.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + role-bindings.yaml: |- + roleBindings: + - metadata: + name: Redpanda POC + roleName: admin + subjects: + - kind: user + name: e2euser + provider: Plain + roles.yaml: |- + roles: + - name: my-role + permissions: + - allowedActions: + - '*' + excludes: + - '*' + includes: + - '*' + resource: 1234 +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: a586a304567f15fd4a79d95e15044439368fd8985e42a1a93cdcb6d0b540ed57 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/console-with-roles.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} + roles.yaml: |- + roles: + - name: my-role + permissions: + - allowedActions: + - '*' + excludes: + - '*' + includes: + - '*' + resource: 1234 +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 1afc8dfaddbbe103d0707800bfc71b4cc8f14e12334b3e22484d2b73ef5d57c0 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/custom-tag-no-registry.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: redpandadata/console:my-custom-tag + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/default-values.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/extra-init-containers.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: + - args: + - |- + set -xe + echo "Hello 3!" + command: + - /bin/bash + - -c + image: mintel/docker-alpine-bash-curl-jq:latest + name: test-init-container + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/ingress-templating.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/ingress.yaml +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + ingress: test + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +spec: + ingressClassName: null + rules: + - host: '"a-host"' + http: + paths: + - backend: + service: + name: console + port: + number: 8080 + path: / + pathType: Exact + tls: + - hosts: + - '"blah"' + secretName: my-secret +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/no-registry.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: ClusterIP +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/service-nodeport.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + port: 8080 + protocol: TCP + targetPort: 2000 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: NodePort +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 2000 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: +-- testdata/service-with-nodeport.yaml.golden -- +--- +# Source: console/templates/serviceaccount.yaml +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +--- +# Source: console/templates/secret.yaml +apiVersion: v1 +kind: Secret +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +stringData: + enterprise-license: "" + kafka-protobuf-git-basicauth-password: "" + kafka-sasl-aws-msk-iam-secret-key: "" + kafka-sasl-password: "" + kafka-schema-registry-password: "" + kafka-schemaregistry-tls-ca: "" + kafka-schemaregistry-tls-cert: "" + kafka-schemaregistry-tls-key: "" + kafka-tls-ca: "" + kafka-tls-cert: "" + kafka-tls-key: "" + login-github-oauth-client-secret: "" + login-github-personal-access-token: "" + login-google-groups-service-account.json: "" + login-google-oauth-client-secret: "" + login-jwt-secret: SECRETKEY + login-oidc-client-secret: "" + login-okta-client-secret: "" + login-okta-directory-api-token: "" + redpanda-admin-api-password: "" + redpanda-admin-api-tls-ca: "" + redpanda-admin-api-tls-cert: "" + redpanda-admin-api-tls-key: "" +type: Opaque +--- +# Source: console/templates/configmap.yaml +apiVersion: v1 +data: + config.yaml: | + # from .Values.console.config + {} +kind: ConfigMap +metadata: + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console +--- +# Source: console/templates/service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + hello: world + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + ports: + - name: http + nodePort: 1000 + port: 8080 + protocol: TCP + targetPort: 0 + selector: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + type: NodePort +--- +# Source: console/templates/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + annotations: {} + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + name: console + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + strategy: {} + template: + metadata: + annotations: + checksum/config: 4f717eb67ef3f4c7e8737af0264bfe0922c76494c9ee31f7f52c63a13b02de86 + creationTimestamp: null + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/name: console + spec: + affinity: {} + automountServiceAccountToken: true + containers: + - args: + - --config.filepath=/etc/console/configs/config.yaml + command: null + env: + - name: LOGIN_JWTSECRET + valueFrom: + secretKeyRef: + key: login-jwt-secret + name: console + envFrom: [] + image: docker.redpanda.com/redpandadata/console:v2.7.0 + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 0 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: console + ports: + - containerPort: 8080 + name: http + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /admin/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: {} + securityContext: + runAsNonRoot: true + volumeMounts: + - mountPath: /etc/console/configs + name: configs + readOnly: true + - mountPath: /etc/console/secrets + name: secrets + readOnly: true + imagePullSecrets: [] + initContainers: [] + nodeSelector: {} + priorityClassName: "" + securityContext: + fsGroup: 99 + runAsUser: 99 + serviceAccountName: console + tolerations: [] + topologySpreadConstraints: [] + volumes: + - configMap: + name: console + name: configs + - name: secrets + secret: + secretName: console +--- +# Source: console/templates/tests/test-connection.yaml +apiVersion: v1 +kind: Pod +metadata: + name: "console-test-connection" + namespace: "default" + labels: + app.kubernetes.io/instance: console + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: console + app.kubernetes.io/version: v2.7.0 + helm.sh/chart: console-0.7.29 + annotations: + "helm.sh/hook": test +spec: + containers: + - name: wget + image: busybox + command: ['wget'] + args: ['console:8080'] + restartPolicy: Never + priorityClassName: diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/testdata/template-cases.txtar b/charts/redpanda/redpanda/5.9.2/charts/console/testdata/template-cases.txtar new file mode 100644 index 000000000..804cca4a6 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/testdata/template-cases.txtar @@ -0,0 +1,136 @@ +Manually crafted test cases for TestTemplate +-- default-values -- +# Intentionally left blank. (test of default values) + +-- console-with-roles -- +# console.roles specified +console: + roles: + - name: my-role + permissions: + - resource: 1234 + includes: + - "*" + excludes: + - "*" + allowedActions: ["*"] + +-- console-with-role-bindings -- +# console.roleBindings specified +console: + roleBindings: + - roleName: admin + metadata: + name: Redpanda POC + subjects: + - kind: user + provider: Plain + name: "e2euser" + +-- console-with-roles-and-bindings -- +# console.roles and console.roleBindings both specified +console: + roles: + - name: my-role + permissions: + - resource: 1234 + includes: + - "*" + excludes: + - "*" + allowedActions: ["*"] + roleBindings: + - roleName: admin + metadata: + name: Redpanda POC + subjects: + - kind: user + provider: Plain + name: "e2euser" + +-- autoscaling-nulls -- +# Autoscaling w/ explicit nulls +autoscaling: + enabled: true + targetCPUUtilizationPercentage: null + targetMemoryUtilizationPercentage: null + +-- autoscaling-cpu -- +# Autoscaling w/ memory no cpu +autoscaling: + enabled: true + targetCPUUtilizationPercentage: null + targetMemoryUtilizationPercentage: 10 + +-- autoscaling-memory -- +# Autoscaling w/ cpu no memory +autoscaling: + enabled: true + targetCPUUtilizationPercentage: 14 + targetMemoryUtilizationPercentage: null + +-- service-nodeport -- +# Service type NodePort +service: + type: "NodePort" + targetPort: 2000 + +-- service-with-nodeport -- +# Service w/ NodePort +service: + type: "NodePort" + nodePort: 1000 + annotations: + hello: world + +-- ingress-templating -- +ingress: + enabled: true + annotations: + ingress: test + hosts: + - host: '{{ "a-host" | quote }}' + paths: + - path: / + pathType: Exact + tls: + - secretName: my-secret + hosts: + - '{{ "blah" | quote }}' + +-- no-registry -- +image: + registry: "" + +-- custom-tag-no-registry -- +image: + registry: "" + tag: my-custom-tag + +-- console-config-listen-port -- +console: + config: + server: + listenPort: 3333 + +-- console-config-listen-and-target-port -- +service: + targetPort: 4444 +console: + config: + server: + listenPort: 3333 + +-- extra-init-containers -- +# NB: Many of the generated tests have an invalid value for extraInitContainers +# as it's just a string and render an error message. This case showcases what +# valid YAML looks like. +initContainers: + extraInitContainers: |- + - name: {{ "test-init-container" | quote }} + image: "mintel/docker-alpine-bash-curl-jq:latest" + command: [ "/bin/bash", "-c" ] + args: + - | + set -xe + echo "Hello {{ add 1 2 }}!" diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/values.go b/charts/redpanda/redpanda/5.9.2/charts/console/values.go new file mode 100644 index 000000000..0a855af59 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/values.go @@ -0,0 +1,215 @@ +// +gotohelm:ignore=true +package console + +import ( + _ "embed" + + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" + networkingv1 "k8s.io/api/networking/v1" +) + +var ( + //go:embed values.yaml + DefaultValuesYAML []byte + + //go:embed values.schema.json + ValuesSchemaJSON []byte +) + +type Values struct { + ReplicaCount int32 `json:"replicaCount"` + Image Image `json:"image"` + ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets"` + NameOverride string `json:"nameOverride"` + FullnameOverride string `json:"fullnameOverride"` + AutomountServiceAccountToken bool `json:"automountServiceAccountToken"` + ServiceAccount ServiceAccountConfig `json:"serviceAccount"` + CommonLabels map[string]string `json:"commonLabels"` + Annotations map[string]string `json:"annotations"` + PodAnnotations map[string]string `json:"podAnnotations"` + PodLabels map[string]string `json:"podLabels"` + PodSecurityContext corev1.PodSecurityContext `json:"podSecurityContext"` + SecurityContext corev1.SecurityContext `json:"securityContext"` + Service ServiceConfig `json:"service"` + Ingress IngressConfig `json:"ingress"` + Resources corev1.ResourceRequirements `json:"resources"` + Autoscaling AutoScaling `json:"autoscaling"` + NodeSelector map[string]string `json:"nodeSelector"` + Tolerations []corev1.Toleration `json:"tolerations"` + Affinity corev1.Affinity `json:"affinity"` + TopologySpreadConstraints []corev1.TopologySpreadConstraint `json:"topologySpreadConstraints"` + PriorityClassName string `json:"priorityClassName"` + Console Console `json:"console"` + ExtraEnv []corev1.EnvVar `json:"extraEnv"` + ExtraEnvFrom []corev1.EnvFromSource `json:"extraEnvFrom"` + ExtraVolumes []corev1.Volume `json:"extraVolumes"` + ExtraVolumeMounts []corev1.VolumeMount `json:"extraVolumeMounts"` + ExtraContainers []corev1.Container `json:"extraContainers"` + InitContainers InitContainers `json:"initContainers"` + SecretMounts []SecretMount `json:"secretMounts"` + Secret SecretConfig `json:"secret"` + Enterprise Enterprise `json:"enterprise"` + LivenessProbe corev1.Probe `json:"livenessProbe"` + ReadinessProbe corev1.Probe `json:"readinessProbe"` + ConfigMap Creatable `json:"configmap"` + Deployment DeploymentConfig `json:"deployment"` + Strategy appsv1.DeploymentStrategy `json:"strategy"` + Tests Enableable `json:"tests"` +} + +type DeploymentConfig struct { + Create bool `json:"create"` + Command []string `json:"command,omitempty"` + ExtraArgs []string `json:"extraArgs,omitempty"` +} + +type Enterprise struct { + LicenseSecretRef SecretKeyRef `json:"licenseSecretRef"` +} + +type ServiceAccountConfig struct { + Create bool `json:"create"` + AutomountServiceAccountToken bool `json:"automountServiceAccountToken"` + Annotations map[string]string `json:"annotations"` + Name string `json:"name"` +} + +type ServiceConfig struct { + Type corev1.ServiceType `json:"type"` + Port int32 `json:"port"` + NodePort *int32 `json:"nodePort,omitempty"` + TargetPort *int32 `json:"targetPort"` + Annotations map[string]string `json:"annotations"` +} + +type IngressConfig struct { + Enabled bool `json:"enabled"` + ClassName *string `json:"className"` + Annotations map[string]string `json:"annotations"` + Hosts []IngressHost `json:"hosts"` + TLS []networkingv1.IngressTLS `json:"tls"` +} + +type IngressHost struct { + Host string `json:"host"` + Paths []IngressPath `json:"paths"` +} + +type IngressPath struct { + Path string `json:"path"` + PathType *networkingv1.PathType `json:"pathType"` +} + +type AutoScaling struct { + Enabled bool `json:"enabled"` + MinReplicas int32 `json:"minReplicas"` + MaxReplicas int32 `json:"maxReplicas"` + TargetCPUUtilizationPercentage *int32 `json:"targetCPUUtilizationPercentage"` + TargetMemoryUtilizationPercentage *int32 `json:"targetMemoryUtilizationPercentage,omitempty"` +} + +// TODO the typing of these values are unclear. All of them get marshalled to +// YAML and then run through tpl which gives no indication of what they are +// aside from YAML marshal-able. +type Console struct { + Config map[string]any `json:"config"` + Roles []map[string]any `json:"roles,omitempty"` + RoleBindings []map[string]any `json:"roleBindings,omitempty"` +} + +type InitContainers struct { + ExtraInitContainers *string `json:"extraInitContainers"` // XXX Templated YAML +} + +type SecretConfig struct { + Create bool `json:"create"` + Kafka KafkaSecrets `json:"kafka"` + Login LoginSecrets `json:"login"` + Enterprise EnterpriseSecrets `json:"enterprise"` + Redpanda RedpandaSecrets `json:"redpanda"` +} + +type SecretMount struct { + Name string `json:"name"` + SecretName string `json:"secretName"` + Path string `json:"path"` + SubPath *string `json:"subPath,omitempty"` + DefaultMode *int32 `json:"defaultMode"` +} + +type KafkaSecrets struct { + SASLPassword *string `json:"saslPassword,omitempty"` + AWSMSKIAMSecretKey *string `json:"awsMskIamSecretKey,omitempty"` + TLSCA *string `json:"tlsCa,omitempty"` + TLSCert *string `json:"tlsCert,omitempty"` + TLSKey *string `json:"tlsKey,omitempty"` + TLSPassphrase *string `json:"tlsPassphrase,omitempty"` + SchemaRegistryPassword *string `json:"schemaRegistryPassword,omitempty"` + SchemaRegistryTLSCA *string `json:"schemaRegistryTlsCa,omitempty"` + SchemaRegistryTLSCert *string `json:"schemaRegistryTlsCert,omitempty"` + SchemaRegistryTLSKey *string `json:"schemaRegistryTlsKey,omitempty"` + ProtobufGitBasicAuthPassword *string `json:"protobufGitBasicAuthPassword,omitempty"` +} + +type LoginSecrets struct { + JWTSecret string `json:"jwtSecret"` + Google GoogleLoginSecrets `json:"google"` + Github GithubLoginSecrets `json:"github"` + Okta OktaLoginSecrets `json:"okta"` + OIDC OIDCLoginSecrets `json:"oidc"` +} + +type GoogleLoginSecrets struct { + ClientSecret *string `json:"clientSecret,omitempty"` + GroupsServiceAccount *string `json:"groupsServiceAccount,omitempty"` +} + +type GithubLoginSecrets struct { + ClientSecret *string `json:"clientSecret,omitempty"` + PersonalAccessToken *string `json:"personalAccessToken,omitempty"` +} + +type OktaLoginSecrets struct { + ClientSecret *string `json:"clientSecret,omitempty"` + DirectoryAPIToken *string `json:"directoryApiToken,omitempty"` +} + +type OIDCLoginSecrets struct { + ClientSecret *string `json:"clientSecret,omitempty"` +} + +type EnterpriseSecrets struct { + License *string `json:"License,omitempty"` +} + +type RedpandaSecrets struct { + AdminAPI RedpandaAdminAPISecrets `json:"adminApi"` +} + +type RedpandaAdminAPISecrets struct { + Password *string `json:"password,omitempty"` + TLSCA *string `json:"tlsCa,omitempty"` + TLSCert *string `json:"tlsCert,omitempty"` + TLSKey *string `json:"tlsKey,omitempty"` +} + +type SecretKeyRef struct { + Name string `json:"name"` + Key string `json:"key"` +} + +type Enableable struct { + Enabled bool `json:"enabled"` +} + +type Creatable struct { + Create bool `json:"create"` +} + +type Image struct { + Registry string `json:"registry"` + Repository string `json:"repository"` + PullPolicy corev1.PullPolicy `json:"pullPolicy"` + Tag *string `json:"tag"` +} diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/values.schema.json b/charts/redpanda/redpanda/5.9.2/charts/console/values.schema.json new file mode 100644 index 000000000..f4f369e98 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/values.schema.json @@ -0,0 +1,323 @@ +{ + "$schema": "http://json-schema.org/schema#", + "type": "object", + "required": [ + "image" + ], + "properties": { + "affinity": { + "type": "object" + }, + "autoscaling": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + }, + "maxReplicas": { + "type": "integer" + }, + "minReplicas": { + "type": "integer" + }, + "targetCPUUtilizationPercentage": { + "type": "integer" + } + } + }, + "configmap": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "console": { + "type": "object" + }, + "deployment": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + } + } + }, + "extraContainers": { + "type": "array" + }, + "extraEnv": { + "type": "array" + }, + "extraEnvFrom": { + "type": "array" + }, + "extraVolumeMounts": { + "type": "array" + }, + "extraVolumes": { + "type": "array" + }, + "fullnameOverride": { + "type": "string" + }, + "image": { + "type": "object", + "required": [ + "repository" + ], + "properties": { + "pullPolicy": { + "type": "string" + }, + "registry": { + "type": "string" + }, + "repository": { + "type": "string", + "minLength": 1 + }, + "tag": { + "type": "string" + } + } + }, + "imagePullSecrets": { + "type": "array" + }, + "ingress": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "className": { + "type": ["string", "null"] + }, + "enabled": { + "type": "boolean" + }, + "hosts": { + "type": "array", + "items": { + "type": "object", + "properties": { + "host": { + "type": "string" + }, + "paths": { + "type": "array", + "items": { + "type": "object", + "properties": { + "path": { + "type": "string" + }, + "pathType": { + "type": "string" + } + } + } + } + } + } + }, + "tls": { + "type": "array" + } + } + }, + "livenessProbe": { + "type": "object", + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "nameOverride": { + "type": "string" + }, + "nodeSelector": { + "type": "object" + }, + "annotations": { + "type": "object" + }, + "podAnnotations": { + "type": "object" + }, + "podSecurityContext": { + "type": "object", + "properties": { + "fsGroup": { + "type": "integer" + }, + "runAsUser": { + "type": "integer" + } + } + }, + "readinessProbe": { + "type": "object", + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + } + }, + "replicaCount": { + "type": "integer" + }, + "resources": { + "type": "object" + }, + "secret": { + "type": "object", + "properties": { + "create": { + "type": "boolean" + }, + "enterprise": { + "type": "object" + }, + "kafka": { + "type": "object" + }, + "login": { + "type": "object", + "properties": { + "jwtSecret": { + "type": "string" + }, + "github": { + "type": "object" + }, + "google": { + "type": "object" + }, + "oidc": { + "type": "object" + }, + "okta": { + "type": "object" + } + } + }, + "redpanda": { + "type": "object", + "properties": { + "adminApi": { + "type": "object" + } + } + } + } + }, + "secretMounts": { + "type": "array" + }, + "securityContext": { + "type": "object", + "properties": { + "runAsNonRoot": { + "type": "boolean" + } + } + }, + "service": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "port": { + "type": "integer" + }, + "nodePort": { + "type": "integer" + }, + "targetPort": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "null" + } + ] + }, + "type": { + "type": "string" + } + } + }, + "automountServiceAccountToken": { + "type": "boolean" + }, + "serviceAccount": { + "type": "object", + "properties": { + "annotations": { + "type": "object" + }, + "create": { + "type": "boolean" + }, + "automountServiceAccountToken": { + "type": "boolean" + }, + "name": { + "type": "string" + } + } + }, + "tolerations": { + "type": "array" + }, + "initContainers": { + "type": "object", + "properties": { + "extraInitContainers": { + "type": "string" + } + } + }, + "strategy": { + "type": "object" + }, + "tests": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean" + } + } + } + } +} diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/values.yaml b/charts/redpanda/redpanda/5.9.2/charts/console/values.yaml new file mode 100644 index 000000000..4825fc487 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/values.yaml @@ -0,0 +1,279 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# Default values for console. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +replicaCount: 1 + +# -- Redpanda Console Docker image settings. +image: + registry: docker.redpanda.com + # -- Docker repository from which to pull the Redpanda Docker image. + repository: redpandadata/console + # -- The imagePullPolicy. + pullPolicy: IfNotPresent + # -- The Redpanda Console version. + # See DockerHub for: + # [All stable versions](https://hub.docker.com/r/redpandadata/console/tags) + # and [all unstable versions](https://hub.docker.com/r/redpandadata/console-unstable/tags). + # @default -- `Chart.appVersion` + tag: "" + +# -- Pull secrets may be used to provide credentials to image repositories +# See https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ +imagePullSecrets: [] + +# -- Override `console.name` template. +nameOverride: "" +# -- Override `console.fullname` template. +fullnameOverride: "" + +# -- Automount API credentials for the Service Account into the pod. +automountServiceAccountToken: true + +serviceAccount: + # -- Specifies whether a service account should be created. + create: true + # -- Specifies whether a service account should automount API-Credentials + automountServiceAccountToken: true + # -- Annotations to add to the service account. + annotations: {} + # -- The name of the service account to use. + # If not set and `serviceAccount.create` is `true`, + # a name is generated using the `console.fullname` template + name: "" + +# Common labels to add to all the pods +commonLabels: {} + +# -- Annotations to add to the deployment. +annotations: {} + +podAnnotations: {} + +podLabels: {} + +podSecurityContext: + runAsUser: 99 + fsGroup: 99 + +securityContext: + runAsNonRoot: true + # capabilities: + # drop: + # - ALL + # readOnlyRootFilesystem: true + # runAsNonRoot: true + # runAsUser: 1000 + +service: + type: ClusterIP + port: 8080 + # nodePort: 30001 + # -- Override the value in `console.config.server.listenPort` if not `nil` + targetPort: + annotations: {} + +ingress: + enabled: false + className: + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + hosts: + - host: chart-example.local + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: chart-example-tls + # hosts: + # - chart-example.local + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as minikube. If you want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +autoscaling: + enabled: false + minReplicas: 1 + maxReplicas: 100 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +topologySpreadConstraints: [] + +# -- PriorityClassName given to Pods. +# For details, +# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). +priorityClassName: "" + +console: + # -- Settings for the `Config.yaml` (required). + # For a reference of configuration settings, + # see the [Redpanda Console documentation](https://docs.redpanda.com/docs/reference/console/config/). + config: {} + # roles: + # roleBindings: + +# -- Additional environment variables for the Redpanda Console Deployment. +extraEnv: [] + # - name: KAFKA_RACKID + # value: "1" + +# -- Additional environment variables for Redpanda Console mapped from Secret or ConfigMap. +extraEnvFrom: [] +# - secretRef: +# name: kowl-config-secret + +# -- Add additional volumes, such as for TLS keys. +extraVolumes: [] +# - name: kafka-certs +# secret: +# secretName: kafka-certs +# - name: config +# configMap: +# name: console-config + +# -- Add additional volume mounts, such as for TLS keys. +extraVolumeMounts: [] +# - name: kafka-certs # Must match the volume name +# mountPath: /etc/kafka/certs +# readOnly: true + +# -- Add additional containers, such as for oauth2-proxy. +extraContainers: [] + +# -- Any initContainers defined should be written here +initContainers: + # -- Additional set of init containers + extraInitContainers: |- +# - name: "test-init-container" +# image: "mintel/docker-alpine-bash-curl-jq:latest" +# command: [ "/bin/bash", "-c" ] +# args: +# - | +# set -xe +# echo "Hello World!" + +# -- SecretMounts is an abstraction to make a Secret available in the container's filesystem. +# Under the hood it creates a volume and a volume mount for the Redpanda Console container. +secretMounts: [] +# - name: kafka-certs +# secretName: kafka-certs +# path: /etc/console/certs +# defaultMode: 0755 + +# -- Create a new Kubernetes Secret for all sensitive configuration inputs. +# Each provided Secret is mounted automatically and made available to the +# Pod. +# If you want to use one or more existing Secrets, +# you can use the `extraEnvFrom` list to mount environment variables from string and secretMounts to mount files such as Certificates from Secrets. +secret: + create: true + + # Secret values in case you want the chart to create a Secret. All Certificates are mounted + # as files and the path to those files are configured through environment variables so + # that Console can automatically pick them up. + # -- Kafka Secrets. + kafka: {} + # saslPassword: + # awsMskIamSecretKey: + # tlsCa: + # tlsCert: + # tlsKey: + # tlsPassphrase: + # schemaRegistryPassword: + # schemaRegistryTlsCa: + # schemaRegistryTlsCert: + # schemaRegistryTlsKey: + # protobufGitBasicAuthPassword + # Enterprise version secrets + # - SSO secrets (Enterprise version). + login: + # Configurable JWT value + jwtSecret: "" + google: {} + # clientSecret: + # groupsServiceAccount: + github: {} + # clientSecret: + # personalAccessToken: + okta: {} + # clientSecret: + # directoryApiToken: + oidc: {} + # clientSecret: + + enterprise: {} + # license: + + redpanda: + adminApi: {} + # password: + # tlsCa: + # tlsCert: + # tlsKey: + +# -- Settings for license key, as an alternative to secret.enterprise when +# a license secret is available +enterprise: + licenseSecretRef: + name: "" + key: "" + +# -- Settings for liveness and readiness probes. +# For details, +# see the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-probes/#configure-probes). +livenessProbe: + # initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + +readinessProbe: + # -- Grant time to test connectivity to upstream services such as Kafka and Schema Registry. + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 1 + successThreshold: 1 + failureThreshold: 3 + +configmap: + create: true +deployment: + create: true + +strategy: {} + +tests: + enabled: true diff --git a/charts/redpanda/redpanda/5.9.2/charts/console/values_partial.gen.go b/charts/redpanda/redpanda/5.9.2/charts/console/values_partial.gen.go new file mode 100644 index 000000000..723065a25 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/charts/console/values_partial.gen.go @@ -0,0 +1,206 @@ +//go:build !generate + +// +gotohelm:ignore=true +// +// Code generated by genpartial DO NOT EDIT. +package console + +import ( + appsv1 "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" + networkingv1 "k8s.io/api/networking/v1" +) + +type PartialValues struct { + ReplicaCount *int32 "json:\"replicaCount,omitempty\"" + Image *PartialImage "json:\"image,omitempty\"" + ImagePullSecrets []corev1.LocalObjectReference "json:\"imagePullSecrets,omitempty\"" + NameOverride *string "json:\"nameOverride,omitempty\"" + FullnameOverride *string "json:\"fullnameOverride,omitempty\"" + AutomountServiceAccountToken *bool "json:\"automountServiceAccountToken,omitempty\"" + ServiceAccount *PartialServiceAccountConfig "json:\"serviceAccount,omitempty\"" + CommonLabels map[string]string "json:\"commonLabels,omitempty\"" + Annotations map[string]string "json:\"annotations,omitempty\"" + PodAnnotations map[string]string "json:\"podAnnotations,omitempty\"" + PodLabels map[string]string "json:\"podLabels,omitempty\"" + PodSecurityContext *corev1.PodSecurityContext "json:\"podSecurityContext,omitempty\"" + SecurityContext *corev1.SecurityContext "json:\"securityContext,omitempty\"" + Service *PartialServiceConfig "json:\"service,omitempty\"" + Ingress *PartialIngressConfig "json:\"ingress,omitempty\"" + Resources *corev1.ResourceRequirements "json:\"resources,omitempty\"" + Autoscaling *PartialAutoScaling "json:\"autoscaling,omitempty\"" + NodeSelector map[string]string "json:\"nodeSelector,omitempty\"" + Tolerations []corev1.Toleration "json:\"tolerations,omitempty\"" + Affinity *corev1.Affinity "json:\"affinity,omitempty\"" + TopologySpreadConstraints []corev1.TopologySpreadConstraint "json:\"topologySpreadConstraints,omitempty\"" + PriorityClassName *string "json:\"priorityClassName,omitempty\"" + Console *PartialConsole "json:\"console,omitempty\"" + ExtraEnv []corev1.EnvVar "json:\"extraEnv,omitempty\"" + ExtraEnvFrom []corev1.EnvFromSource "json:\"extraEnvFrom,omitempty\"" + ExtraVolumes []corev1.Volume "json:\"extraVolumes,omitempty\"" + ExtraVolumeMounts []corev1.VolumeMount "json:\"extraVolumeMounts,omitempty\"" + ExtraContainers []corev1.Container "json:\"extraContainers,omitempty\"" + InitContainers *PartialInitContainers "json:\"initContainers,omitempty\"" + SecretMounts []PartialSecretMount "json:\"secretMounts,omitempty\"" + Secret *PartialSecretConfig "json:\"secret,omitempty\"" + Enterprise *PartialEnterprise "json:\"enterprise,omitempty\"" + LivenessProbe *corev1.Probe "json:\"livenessProbe,omitempty\"" + ReadinessProbe *corev1.Probe "json:\"readinessProbe,omitempty\"" + ConfigMap *PartialCreatable "json:\"configmap,omitempty\"" + Deployment *PartialDeploymentConfig "json:\"deployment,omitempty\"" + Strategy *appsv1.DeploymentStrategy "json:\"strategy,omitempty\"" + Tests *PartialEnableable "json:\"tests,omitempty\"" +} + +type PartialImage struct { + Registry *string "json:\"registry,omitempty\"" + Repository *string "json:\"repository,omitempty\"" + PullPolicy *corev1.PullPolicy "json:\"pullPolicy,omitempty\"" + Tag *string "json:\"tag,omitempty\"" +} + +type PartialServiceAccountConfig struct { + Create *bool "json:\"create,omitempty\"" + AutomountServiceAccountToken *bool "json:\"automountServiceAccountToken,omitempty\"" + Annotations map[string]string "json:\"annotations,omitempty\"" + Name *string "json:\"name,omitempty\"" +} + +type PartialServiceConfig struct { + Type *corev1.ServiceType "json:\"type,omitempty\"" + Port *int32 "json:\"port,omitempty\"" + NodePort *int32 "json:\"nodePort,omitempty\"" + TargetPort *int32 "json:\"targetPort,omitempty\"" + Annotations map[string]string "json:\"annotations,omitempty\"" +} + +type PartialIngressConfig struct { + Enabled *bool "json:\"enabled,omitempty\"" + ClassName *string "json:\"className,omitempty\"" + Annotations map[string]string "json:\"annotations,omitempty\"" + Hosts []PartialIngressHost "json:\"hosts,omitempty\"" + TLS []networkingv1.IngressTLS "json:\"tls,omitempty\"" +} + +type PartialAutoScaling struct { + Enabled *bool "json:\"enabled,omitempty\"" + MinReplicas *int32 "json:\"minReplicas,omitempty\"" + MaxReplicas *int32 "json:\"maxReplicas,omitempty\"" + TargetCPUUtilizationPercentage *int32 "json:\"targetCPUUtilizationPercentage,omitempty\"" + TargetMemoryUtilizationPercentage *int32 "json:\"targetMemoryUtilizationPercentage,omitempty\"" +} + +type PartialConsole struct { + Config map[string]any "json:\"config,omitempty\"" + Roles []map[string]any "json:\"roles,omitempty\"" + RoleBindings []map[string]any "json:\"roleBindings,omitempty\"" +} + +type PartialInitContainers struct { + ExtraInitContainers *string "json:\"extraInitContainers,omitempty\"" +} + +type PartialSecretConfig struct { + Create *bool "json:\"create,omitempty\"" + Kafka *PartialKafkaSecrets "json:\"kafka,omitempty\"" + Login *PartialLoginSecrets "json:\"login,omitempty\"" + Enterprise *PartialEnterpriseSecrets "json:\"enterprise,omitempty\"" + Redpanda *PartialRedpandaSecrets "json:\"redpanda,omitempty\"" +} + +type PartialEnterprise struct { + LicenseSecretRef *PartialSecretKeyRef "json:\"licenseSecretRef,omitempty\"" +} + +type PartialCreatable struct { + Create *bool "json:\"create,omitempty\"" +} + +type PartialDeploymentConfig struct { + Create *bool "json:\"create,omitempty\"" + Command []string "json:\"command,omitempty\"" + ExtraArgs []string "json:\"extraArgs,omitempty\"" +} + +type PartialEnableable struct { + Enabled *bool "json:\"enabled,omitempty\"" +} + +type PartialSecretMount struct { + Name *string "json:\"name,omitempty\"" + SecretName *string "json:\"secretName,omitempty\"" + Path *string "json:\"path,omitempty\"" + SubPath *string "json:\"subPath,omitempty\"" + DefaultMode *int32 "json:\"defaultMode,omitempty\"" +} + +type PartialKafkaSecrets struct { + SASLPassword *string "json:\"saslPassword,omitempty\"" + AWSMSKIAMSecretKey *string "json:\"awsMskIamSecretKey,omitempty\"" + TLSCA *string "json:\"tlsCa,omitempty\"" + TLSCert *string "json:\"tlsCert,omitempty\"" + TLSKey *string "json:\"tlsKey,omitempty\"" + TLSPassphrase *string "json:\"tlsPassphrase,omitempty\"" + SchemaRegistryPassword *string "json:\"schemaRegistryPassword,omitempty\"" + SchemaRegistryTLSCA *string "json:\"schemaRegistryTlsCa,omitempty\"" + SchemaRegistryTLSCert *string "json:\"schemaRegistryTlsCert,omitempty\"" + SchemaRegistryTLSKey *string "json:\"schemaRegistryTlsKey,omitempty\"" + ProtobufGitBasicAuthPassword *string "json:\"protobufGitBasicAuthPassword,omitempty\"" +} + +type PartialLoginSecrets struct { + JWTSecret *string "json:\"jwtSecret,omitempty\"" + Google *PartialGoogleLoginSecrets "json:\"google,omitempty\"" + Github *PartialGithubLoginSecrets "json:\"github,omitempty\"" + Okta *PartialOktaLoginSecrets "json:\"okta,omitempty\"" + OIDC *PartialOIDCLoginSecrets "json:\"oidc,omitempty\"" +} + +type PartialEnterpriseSecrets struct { + License *string "json:\"License,omitempty\"" +} + +type PartialRedpandaSecrets struct { + AdminAPI *PartialRedpandaAdminAPISecrets "json:\"adminApi,omitempty\"" +} + +type PartialSecretKeyRef struct { + Name *string "json:\"name,omitempty\"" + Key *string "json:\"key,omitempty\"" +} + +type PartialIngressHost struct { + Host *string "json:\"host,omitempty\"" + Paths []PartialIngressPath "json:\"paths,omitempty\"" +} + +type PartialGoogleLoginSecrets struct { + ClientSecret *string "json:\"clientSecret,omitempty\"" + GroupsServiceAccount *string "json:\"groupsServiceAccount,omitempty\"" +} + +type PartialGithubLoginSecrets struct { + ClientSecret *string "json:\"clientSecret,omitempty\"" + PersonalAccessToken *string "json:\"personalAccessToken,omitempty\"" +} + +type PartialOktaLoginSecrets struct { + ClientSecret *string "json:\"clientSecret,omitempty\"" + DirectoryAPIToken *string "json:\"directoryApiToken,omitempty\"" +} + +type PartialOIDCLoginSecrets struct { + ClientSecret *string "json:\"clientSecret,omitempty\"" +} + +type PartialRedpandaAdminAPISecrets struct { + Password *string "json:\"password,omitempty\"" + TLSCA *string "json:\"tlsCa,omitempty\"" + TLSCert *string "json:\"tlsCert,omitempty\"" + TLSKey *string "json:\"tlsKey,omitempty\"" +} + +type PartialIngressPath struct { + Path *string "json:\"path,omitempty\"" + PathType *networkingv1.PathType "json:\"pathType,omitempty\"" +} diff --git a/charts/redpanda/redpanda/5.9.2/templates/NOTES.txt b/charts/redpanda/redpanda/5.9.2/templates/NOTES.txt new file mode 100644 index 000000000..6992f8e36 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/NOTES.txt @@ -0,0 +1,26 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- $warnings := (get ((include "redpanda.Warnings" (dict "a" (list .))) | fromJson) "r") }} +{{- range $_, $warning := $warnings }} +{{ $warning }} +{{- end }} + +{{- $notes := (get ((include "redpanda.Notes" (dict "a" (list .))) | fromJson) "r") }} +{{- range $_, $note := $notes }} +{{ $note }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.2/templates/_cert-issuers.go.tpl b/charts/redpanda/redpanda/5.9.2/templates/_cert-issuers.go.tpl new file mode 100644 index 000000000..ce5bf092a --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/_cert-issuers.go.tpl @@ -0,0 +1,57 @@ +{{- /* Generated from "cert_issuers.go" */ -}} + +{{- define "redpanda.CertIssuers" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "redpanda.certIssuersAndCAs" (dict "a" (list $dot) ))) "r")) ))) "r") -}} +{{- $issuers := $tmp_tuple_1.T1 -}} +{{- $_is_returning = true -}} +{{- (dict "r" $issuers) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RootCAs" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "redpanda.certIssuersAndCAs" (dict "a" (list $dot) ))) "r")) ))) "r") -}} +{{- $cas := $tmp_tuple_2.T2 -}} +{{- $_is_returning = true -}} +{{- (dict "r" $cas) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.certIssuersAndCAs" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $issuers := (coalesce nil) -}} +{{- $certs := (coalesce nil) -}} +{{- if (not (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $issuers $certs)) | toJson -}} +{{- break -}} +{{- end -}} +{{- range $name, $data := $values.tls.certs -}} +{{- if (or (not (empty $data.secretRef)) (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.enabled true) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- if (eq $data.issuerRef (coalesce nil)) -}} +{{- $issuers = (concat (default (list ) $issuers) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Issuer" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf `%s-%s-selfsigned-issuer` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "selfSigned" (mustMergeOverwrite (dict ) (dict )) )) (dict )) )))) -}} +{{- end -}} +{{- $issuers = (concat (default (list ) $issuers) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Issuer" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf `%s-%s-root-issuer` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "ca" (mustMergeOverwrite (dict "secretName" "" ) (dict "secretName" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) )) )) (dict )) )))) -}} +{{- $certs = (concat (default (list ) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "secretName" "" "issuerRef" (dict "name" "" ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "" ) ) (dict "duration" (default "43800h" $data.duration) "isCA" true "commonName" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "secretName" (printf `%s-%s-root-certificate` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "privateKey" (mustMergeOverwrite (dict ) (dict "algorithm" "ECDSA" "size" (256 | int) )) "issuerRef" (mustMergeOverwrite (dict "name" "" ) (dict "name" (printf `%s-%s-selfsigned-issuer` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $name) "kind" "Issuer" "group" "cert-manager.io" )) )) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $issuers $certs)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/templates/_certs.go.tpl b/charts/redpanda/redpanda/5.9.2/templates/_certs.go.tpl new file mode 100644 index 000000000..b8d1160e5 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/_certs.go.tpl @@ -0,0 +1,71 @@ +{{- /* Generated from "certs.go" */ -}} + +{{- define "redpanda.ClientCerts" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $values := $dot.Values.AsMap -}} +{{- $fullname := (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") -}} +{{- $service := (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") -}} +{{- $ns := $dot.Release.Namespace -}} +{{- $domain := (trimSuffix "." $values.clusterDomain) -}} +{{- $certs := (coalesce nil) -}} +{{- range $name, $data := $values.tls.certs -}} +{{- if (or (not (empty $data.secretRef)) (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.enabled true) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $names := (coalesce nil) -}} +{{- if (or (eq $data.issuerRef (coalesce nil)) (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.applyInternalDNSNames false) ))) "r")) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s-cluster.%s.%s.svc.%s" $fullname $service $ns $domain))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s-cluster.%s.%s.svc" $fullname $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s-cluster.%s.%s" $fullname $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s-cluster.%s.%s.svc.%s" $fullname $service $ns $domain))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s-cluster.%s.%s.svc" $fullname $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s-cluster.%s.%s" $fullname $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s.%s.svc.%s" $service $ns $domain))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s.%s.svc" $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "%s.%s" $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s.%s.svc.%s" $service $ns $domain))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s.%s.svc" $service $ns))) -}} +{{- $names = (concat (default (list ) $names) (list (printf "*.%s.%s" $service $ns))) -}} +{{- end -}} +{{- if (ne $values.external.domain (coalesce nil)) -}} +{{- $names = (concat (default (list ) $names) (list (tpl $values.external.domain $dot))) -}} +{{- $names = (concat (default (list ) $names) (list (tpl (printf "*.%s" $values.external.domain) $dot))) -}} +{{- end -}} +{{- $duration := (default "43800h" $data.duration) -}} +{{- $issuerRef := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $data.issuerRef (mustMergeOverwrite (dict "name" "" ) (dict "kind" "Issuer" "group" "cert-manager.io" "name" (printf "%s-%s-root-issuer" $fullname $name) ))) ))) "r") -}} +{{- $certs = (concat (default (list ) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "secretName" "" "issuerRef" (dict "name" "" ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-%s-cert" $fullname $name) "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace )) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "" ) ) (dict "dnsNames" $names "duration" $duration "isCA" false "issuerRef" $issuerRef "secretName" (printf "%s-%s-cert" $fullname $name) "privateKey" (mustMergeOverwrite (dict ) (dict "algorithm" "ECDSA" "size" (256 | int) )) )) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $name := $values.listeners.kafka.tls.cert -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.tls.certs $name (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_1.T2 -}} +{{- $data := $tmp_tuple_1.T1 -}} +{{- if (not $ok) -}} +{{- $_ := (fail (printf "Certificate %q referenced but not defined" $name)) -}} +{{- end -}} +{{- if (or (not (empty $data.secretRef)) (not (get (fromJson (include "redpanda.ClientAuthRequired" (dict "a" (list $dot) ))) "r"))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $certs) | toJson -}} +{{- break -}} +{{- end -}} +{{- $issuerRef := (mustMergeOverwrite (dict "name" "" ) (dict "group" "cert-manager.io" "kind" "Issuer" "name" (printf "%s-%s-root-issuer" $fullname $name) )) -}} +{{- if (ne $data.issuerRef (coalesce nil)) -}} +{{- $issuerRef = $data.issuerRef -}} +{{- $_ := (set $issuerRef "group" "cert-manager.io") -}} +{{- end -}} +{{- $duration := (default "43800h" $data.duration) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $certs) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "secretName" "" "issuerRef" (dict "name" "" ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "cert-manager.io/v1" "kind" "Certificate" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-client" $fullname) "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "secretName" "" "issuerRef" (dict "name" "" ) ) (dict "commonName" (printf "%s-client" $fullname) "duration" $duration "isCA" false "secretName" (printf "%s-client" $fullname) "privateKey" (mustMergeOverwrite (dict ) (dict "algorithm" "ECDSA" "size" (256 | int) )) "issuerRef" $issuerRef )) ))))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/templates/_configmap.go.tpl b/charts/redpanda/redpanda/5.9.2/templates/_configmap.go.tpl new file mode 100644 index 000000000..d9263686c --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/_configmap.go.tpl @@ -0,0 +1,517 @@ +{{- /* Generated from "configmap.tpl.go" */ -}} + +{{- define "redpanda.ConfigMaps" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $cms := (list (get (fromJson (include "redpanda.RedpandaConfigMap" (dict "a" (list $dot true) ))) "r")) -}} +{{- $cms = (concat (default (list ) $cms) (default (list ) (get (fromJson (include "redpanda.RPKProfile" (dict "a" (list $dot) ))) "r"))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $cms) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ConfigMapsWithoutSeedServer" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $cms := (list (get (fromJson (include "redpanda.RedpandaConfigMap" (dict "a" (list $dot false) ))) "r")) -}} +{{- $cms = (concat (default (list ) $cms) (default (list ) (get (fromJson (include "redpanda.RPKProfile" (dict "a" (list $dot) ))) "r"))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $cms) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaConfigMap" -}} +{{- $dot := (index .a 0) -}} +{{- $includeSeedServer := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "kind" "ConfigMap" "apiVersion" "v1" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "data" (dict "bootstrap.yaml" (get (fromJson (include "redpanda.BootstrapFile" (dict "a" (list $dot) ))) "r") "redpanda.yaml" (get (fromJson (include "redpanda.RedpandaConfigFile" (dict "a" (list $dot $includeSeedServer) ))) "r") ) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BootstrapFile" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $bootstrap := (dict "kafka_enable_authorization" (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") "enable_sasl" (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") "enable_rack_awareness" $values.rackAwareness.enabled "storage_min_free_bytes" ((get (fromJson (include "redpanda.Storage.StorageMinFreeBytes" (dict "a" (list $values.storage) ))) "r") | int64) ) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.AuditLogging.Translate" (dict "a" (list $values.auditLogging $dot (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.Logging.Translate" (dict "a" (list $values.logging) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.TunableConfig.Translate" (dict "a" (list $values.config.tunable) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.ClusterConfig.Translate" (dict "a" (list $values.config.cluster ($values.statefulset.replicas | int) false) ))) "r")) -}} +{{- $bootstrap = (merge (dict ) $bootstrap (get (fromJson (include "redpanda.Auth.Translate" (dict "a" (list $values.auth (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (toYaml $bootstrap)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaConfigFile" -}} +{{- $dot := (index .a 0) -}} +{{- $includeSeedServer := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $redpanda := (dict "kafka_enable_authorization" (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") "enable_sasl" (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") "empty_seed_starts_cluster" false "storage_min_free_bytes" ((get (fromJson (include "redpanda.Storage.StorageMinFreeBytes" (dict "a" (list $values.storage) ))) "r") | int64) ) -}} +{{- if $includeSeedServer -}} +{{- $_ := (set $redpanda "seed_servers" (get (fromJson (include "redpanda.Listeners.CreateSeedServers" (dict "a" (list $values.listeners ($values.statefulset.replicas | int) (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) ))) "r")) -}} +{{- end -}} +{{- $redpanda = (merge (dict ) $redpanda (get (fromJson (include "redpanda.AuditLogging.Translate" (dict "a" (list $values.auditLogging $dot (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- $redpanda = (merge (dict ) $redpanda (get (fromJson (include "redpanda.Logging.Translate" (dict "a" (list $values.logging) ))) "r")) -}} +{{- $redpanda = (merge (dict ) $redpanda (get (fromJson (include "redpanda.TunableConfig.Translate" (dict "a" (list $values.config.tunable) ))) "r")) -}} +{{- $redpanda = (merge (dict ) $redpanda (get (fromJson (include "redpanda.ClusterConfig.Translate" (dict "a" (list $values.config.cluster ($values.statefulset.replicas | int) true) ))) "r")) -}} +{{- $redpanda = (merge (dict ) $redpanda (get (fromJson (include "redpanda.Auth.Translate" (dict "a" (list $values.auth (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- $redpanda = (merge (dict ) $redpanda (get (fromJson (include "redpanda.NodeConfig.Translate" (dict "a" (list $values.config.node) ))) "r")) -}} +{{- $_ := (get (fromJson (include "redpanda.configureListeners" (dict "a" (list $redpanda $dot) ))) "r") -}} +{{- $redpandaYaml := (dict "redpanda" $redpanda "schema_registry" (get (fromJson (include "redpanda.schemaRegistry" (dict "a" (list $dot) ))) "r") "schema_registry_client" (get (fromJson (include "redpanda.kafkaClient" (dict "a" (list $dot) ))) "r") "pandaproxy" (get (fromJson (include "redpanda.pandaProxyListener" (dict "a" (list $dot) ))) "r") "pandaproxy_client" (get (fromJson (include "redpanda.kafkaClient" (dict "a" (list $dot) ))) "r") "rpk" (get (fromJson (include "redpanda.rpkConfiguration" (dict "a" (list $dot) ))) "r") "config_file" "/etc/redpanda/redpanda.yaml" ) -}} +{{- if (and (and (get (fromJson (include "redpanda.RedpandaAtLeast_23_3_0" (dict "a" (list $dot) ))) "r") $values.auditLogging.enabled) (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) -}} +{{- $_ := (set $redpandaYaml "audit_log_client" (get (fromJson (include "redpanda.kafkaClient" (dict "a" (list $dot) ))) "r")) -}} +{{- end -}} +{{- $redpandaYaml = (merge (dict ) $redpandaYaml (get (fromJson (include "redpanda.Storage.Translate" (dict "a" (list $values.storage) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (toYaml $redpandaYaml)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RPKProfile" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.external.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "kind" "ConfigMap" "apiVersion" "v1" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-rpk" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "data" (dict "profile" (toYaml (get (fromJson (include "redpanda.rpkProfile" (dict "a" (list $dot) ))) "r")) ) )))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpkProfile" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $brokerList := (list ) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $brokerList = (concat (default (list ) $brokerList) (list (printf "%s:%d" (get (fromJson (include "redpanda.advertisedHost" (dict "a" (list $dot $i) ))) "r") (((get (fromJson (include "redpanda.advertisedKafkaPort" (dict "a" (list $dot $i) ))) "r") | int) | int)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $adminAdvertisedList := (list ) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $adminAdvertisedList = (concat (default (list ) $adminAdvertisedList) (list (printf "%s:%d" (get (fromJson (include "redpanda.advertisedHost" (dict "a" (list $dot $i) ))) "r") (((get (fromJson (include "redpanda.advertisedAdminPort" (dict "a" (list $dot $i) ))) "r") | int) | int)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $kafkaTLS := (get (fromJson (include "redpanda.brokersTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $kafkaTLS "truststore_file" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_1 := $tmp_tuple_1.T2 -}} +{{- if $ok_1 -}} +{{- $_ := (set $kafkaTLS "ca_file" "ca.crt") -}} +{{- $_ := (unset $kafkaTLS "truststore_file") -}} +{{- end -}} +{{- $adminTLS := (get (fromJson (include "redpanda.adminTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $adminTLS "truststore_file" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_2 := $tmp_tuple_2.T2 -}} +{{- if $ok_2 -}} +{{- $_ := (set $adminTLS "ca_file" "ca.crt") -}} +{{- $_ := (unset $adminTLS "truststore_file") -}} +{{- end -}} +{{- $ka := (dict "brokers" $brokerList "tls" (coalesce nil) ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $kafkaTLS) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $ka "tls" $kafkaTLS) -}} +{{- end -}} +{{- $aa := (dict "addresses" $adminAdvertisedList "tls" (coalesce nil) ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $adminTLS) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $aa "tls" $adminTLS) -}} +{{- end -}} +{{- $result := (dict "name" (get (fromJson (include "redpanda.getFirstExternalKafkaListener" (dict "a" (list $dot) ))) "r") "kafka_api" $ka "admin_api" $aa ) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.advertisedKafkaPort" -}} +{{- $dot := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $externalKafkaListenerName := (get (fromJson (include "redpanda.getFirstExternalKafkaListener" (dict "a" (list $dot) ))) "r") -}} +{{- $listener := (index $values.listeners.kafka.external $externalKafkaListenerName) -}} +{{- $port := (($values.listeners.kafka.port | int) | int) -}} +{{- if (gt (($listener.port | int) | int) ((1 | int) | int)) -}} +{{- $port = (($listener.port | int) | int) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts $i) | int) -}} +{{- else -}}{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts (0 | int)) | int) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $port) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.advertisedAdminPort" -}} +{{- $dot := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $keys := (keys $values.listeners.admin.external) -}} +{{- $_ := (sortAlpha $keys) -}} +{{- $externalAdminListenerName := (first $keys) -}} +{{- $listener := (index $values.listeners.admin.external (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" $externalAdminListenerName) ))) "r")) -}} +{{- $port := (($values.listeners.admin.port | int) | int) -}} +{{- if (gt (($listener.port | int) | int) (1 | int)) -}} +{{- $port = (($listener.port | int) | int) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts $i) | int) -}} +{{- else -}}{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = ((index $listener.advertisedPorts (0 | int)) | int) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $port) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.advertisedHost" -}} +{{- $dot := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $address := (printf "%s-%d" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") ($i | int)) -}} +{{- if (ne (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r") "") -}} +{{- $address = (printf "%s.%s" $address (tpl $values.external.domain $dot)) -}} +{{- end -}} +{{- if (le ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (0 | int)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $address) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (1 | int)) -}} +{{- $address = (index $values.external.addresses (0 | int)) -}} +{{- else -}} +{{- $address = (index $values.external.addresses $i) -}} +{{- end -}} +{{- if (ne (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r") "") -}} +{{- $address = (printf "%s.%s" $address $values.external.domain) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $address) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.getFirstExternalKafkaListener" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $keys := (keys $values.listeners.kafka.external) -}} +{{- $_ := (sortAlpha $keys) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" (first $keys)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.BrokerList" -}} +{{- $dot := (index .a 0) -}} +{{- $replicas := (index .a 1) -}} +{{- $port := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $bl := (coalesce nil) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) ($replicas|int) (1|int) -}} +{{- $bl = (concat (default (list ) $bl) (list (printf "%s-%d.%s:%d" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $i (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") $port))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $bl) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpkConfiguration" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $brokerList := (get (fromJson (include "redpanda.BrokerList" (dict "a" (list $dot ($values.statefulset.replicas | int) ($values.listeners.kafka.port | int)) ))) "r") -}} +{{- $adminTLS := (coalesce nil) -}} +{{- $tls_3 := (get (fromJson (include "redpanda.adminTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_3) ))) "r") | int) (0 | int)) -}} +{{- $adminTLS = $tls_3 -}} +{{- end -}} +{{- $brokerTLS := (coalesce nil) -}} +{{- $tls_4 := (get (fromJson (include "redpanda.brokersTLSConfiguration" (dict "a" (list $dot) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_4) ))) "r") | int) (0 | int)) -}} +{{- $brokerTLS = $tls_4 -}} +{{- end -}} +{{- $result := (dict "overprovisioned" (get (fromJson (include "redpanda.RedpandaResources.GetOverProvisionValue" (dict "a" (list $values.resources) ))) "r") "enable_memory_locking" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.resources.memory.enable_memory_locking false) ))) "r") "additional_start_flags" (get (fromJson (include "redpanda.RedpandaAdditionalStartFlags" (dict "a" (list $dot ((get (fromJson (include "redpanda.RedpandaSMP" (dict "a" (list $dot) ))) "r") | int64)) ))) "r") "kafka_api" (dict "brokers" $brokerList "tls" $brokerTLS ) "admin_api" (dict "addresses" (get (fromJson (include "redpanda.Listeners.AdminList" (dict "a" (list $values.listeners ($values.statefulset.replicas | int) (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) ))) "r") "tls" $adminTLS ) ) -}} +{{- $result = (merge (dict ) $result (get (fromJson (include "redpanda.Tuning.Translate" (dict "a" (list $values.tuning) ))) "r")) -}} +{{- $result = (merge (dict ) $result (get (fromJson (include "redpanda.Config.CreateRPKConfiguration" (dict "a" (list $values.config) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.brokersTLSConfiguration" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.kafka.tls $values.tls) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $result := (dict ) -}} +{{- $truststore_5 := (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $values.listeners.kafka.tls $values.tls) ))) "r") -}} +{{- if (ne $truststore_5 "/etc/ssl/certs/ca-certificates.crt") -}} +{{- $_ := (set $result "truststore_file" $truststore_5) -}} +{{- end -}} +{{- if $values.listeners.kafka.tls.requireClientAuth -}} +{{- $_ := (set $result "cert_file" (printf "/etc/tls/certs/%s-client/tls.crt" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- $_ := (set $result "key_file" (printf "/etc/tls/certs/%s-client/tls.key" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.adminTLSConfiguration" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $result := (dict ) -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- $truststore_6 := (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r") -}} +{{- if (ne $truststore_6 "/etc/ssl/certs/ca-certificates.crt") -}} +{{- $_ := (set $result "truststore_file" $truststore_6) -}} +{{- end -}} +{{- if $values.listeners.admin.tls.requireClientAuth -}} +{{- $_ := (set $result "cert_file" (printf "/etc/tls/certs/%s-client/tls.crt" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- $_ := (set $result "key_file" (printf "/etc/tls/certs/%s-client/tls.key" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.kafkaClient" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $brokerList := (list ) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $brokerList = (concat (default (list ) $brokerList) (list (dict "address" (printf "%s-%d.%s" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $i (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) "port" ($values.listeners.kafka.port | int) ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $kafkaTLS := $values.listeners.kafka.tls -}} +{{- $brokerTLS := (coalesce nil) -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.kafka.tls $values.tls) ))) "r") -}} +{{- $brokerTLS = (dict "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $kafkaTLS.cert) "key_file" (printf "/etc/tls/certs/%s/tls.key" $kafkaTLS.cert) "require_client_auth" $kafkaTLS.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $kafkaTLS $values.tls) ))) "r") ) -}} +{{- end -}} +{{- $cfg := (dict "brokers" $brokerList ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $brokerTLS) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $cfg "broker_tls" $brokerTLS) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $cfg) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.configureListeners" -}} +{{- $redpanda := (index .a 0) -}} +{{- $dot := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_ := (set $redpanda "admin" (get (fromJson (include "redpanda.AdminListeners.Listeners" (dict "a" (list $values.listeners.admin) ))) "r")) -}} +{{- $_ := (set $redpanda "kafka_api" (get (fromJson (include "redpanda.KafkaListeners.Listeners" (dict "a" (list $values.listeners.kafka $values.auth) ))) "r")) -}} +{{- $_ := (set $redpanda "rpc_server" (get (fromJson (include "redpanda.rpcListeners" (dict "a" (list $dot) ))) "r")) -}} +{{- $_ := (set $redpanda "admin_api_tls" (coalesce nil)) -}} +{{- $tls_7 := (get (fromJson (include "redpanda.AdminListeners.ListenersTLS" (dict "a" (list $values.listeners.admin $values.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_7) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $redpanda "admin_api_tls" $tls_7) -}} +{{- end -}} +{{- $_ := (set $redpanda "kafka_api_tls" (coalesce nil)) -}} +{{- $tls_8 := (get (fromJson (include "redpanda.KafkaListeners.ListenersTLS" (dict "a" (list $values.listeners.kafka $values.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_8) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $redpanda "kafka_api_tls" $tls_8) -}} +{{- end -}} +{{- $tls_9 := (get (fromJson (include "redpanda.rpcListenersTLS" (dict "a" (list $dot) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_9) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $redpanda "rpc_server_tls" $tls_9) -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.pandaProxyListener" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $pandaProxy := (dict ) -}} +{{- $_ := (set $pandaProxy "pandaproxy_api" (get (fromJson (include "redpanda.HTTPListeners.Listeners" (dict "a" (list $values.listeners.http (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- $_ := (set $pandaProxy "pandaproxy_api_tls" (coalesce nil)) -}} +{{- $tls_10 := (get (fromJson (include "redpanda.HTTPListeners.ListenersTLS" (dict "a" (list $values.listeners.http $values.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_10) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $pandaProxy "pandaproxy_api_tls" $tls_10) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $pandaProxy) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.schemaRegistry" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $schemaReg := (dict ) -}} +{{- $_ := (set $schemaReg "schema_registry_api" (get (fromJson (include "redpanda.SchemaRegistryListeners.Listeners" (dict "a" (list $values.listeners.schemaRegistry (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r")) ))) "r")) -}} +{{- $_ := (set $schemaReg "schema_registry_api_tls" (coalesce nil)) -}} +{{- $tls_11 := (get (fromJson (include "redpanda.SchemaRegistryListeners.ListenersTLS" (dict "a" (list $values.listeners.schemaRegistry $values.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $tls_11) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $schemaReg "schema_registry_api_tls" $tls_11) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $schemaReg) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpcListenersTLS" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $r := $values.listeners.rpc -}} +{{- if (and (not ((or (or (get (fromJson (include "redpanda.RedpandaAtLeast_22_2_atleast_22_2_10" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.RedpandaAtLeast_22_3_atleast_22_3_13" (dict "a" (list $dot) ))) "r")) (get (fromJson (include "redpanda.RedpandaAtLeast_23_1_2" (dict "a" (list $dot) ))) "r")))) ((or (and (eq $r.tls.enabled (coalesce nil)) $values.tls.enabled) (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $r.tls.enabled false) ))) "r")))) -}} +{{- $_ := (fail (printf "Redpanda version v%s does not support TLS on the RPC port. Please upgrade. See technical service bulletin 2023-01." (trimPrefix "v" (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")))) -}} +{{- end -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $r.tls $values.tls) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $certName := $r.tls.cert -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $certName) "key_file" (printf "/etc/tls/certs/%s/tls.key" $certName) "require_client_auth" $r.tls.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $r.tls $values.tls) ))) "r") )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.rpcListeners" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "address" "0.0.0.0" "port" ($values.listeners.rpc.port | int) )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.createInternalListenerTLSCfg" -}} +{{- $tls := (index .a 0) -}} +{{- $internal := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $internal $tls) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "name" "internal" "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $internal.cert) "key_file" (printf "/etc/tls/certs/%s/tls.key" $internal.cert) "require_client_auth" $internal.requireClientAuth "truststore_file" (get (fromJson (include "redpanda.InternalTLS.TrustStoreFilePath" (dict "a" (list $internal $tls) ))) "r") )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.createInternalListenerCfg" -}} +{{- $port := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "name" "internal" "address" "0.0.0.0" "port" $port )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAdditionalStartFlags" -}} +{{- $dot := (index .a 0) -}} +{{- $smp := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $chartFlags := (dict "smp" (printf "%d" ($smp | int)) "memory" (printf "%dM" (((get (fromJson (include "redpanda.RedpandaMemory" (dict "a" (list $dot) ))) "r") | int64) | int)) "reserve-memory" (printf "%dM" (((get (fromJson (include "redpanda.RedpandaReserveMemory" (dict "a" (list $dot) ))) "r") | int64) | int)) "default-log-level" $values.logging.logLevel ) -}} +{{- if (eq (index $values.config.node "developer_mode") true) -}} +{{- $_ := (unset $chartFlags "reserve-memory") -}} +{{- end -}} +{{- range $flag, $_ := $chartFlags -}} +{{- range $_, $userFlag := $values.statefulset.additionalRedpandaCmdFlags -}} +{{- if (regexMatch (printf "^--%s" $flag) $userFlag) -}} +{{- $_ := (unset $chartFlags $flag) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $keys := (keys $chartFlags) -}} +{{- $_ := (sortAlpha $keys) -}} +{{- $flags := (list ) -}} +{{- range $_, $key := $keys -}} +{{- $flags = (concat (default (list ) $flags) (list (printf "--%s=%s" $key (index $chartFlags $key)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) $flags) (default (list ) $values.statefulset.additionalRedpandaCmdFlags))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/templates/_console.go.tpl b/charts/redpanda/redpanda/5.9.2/templates/_console.go.tpl new file mode 100644 index 000000000..f8498e998 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/_console.go.tpl @@ -0,0 +1,60 @@ +{{- /* Generated from "console.tpl.go" */ -}} + +{{- define "redpanda.ConsoleConfig" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $schemaURLs := (coalesce nil) -}} +{{- if $values.listeners.schemaRegistry.enabled -}} +{{- $schema := "http" -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.schemaRegistry.tls $values.tls) ))) "r") -}} +{{- $schema = "https" -}} +{{- end -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $schemaURLs = (concat (default (list ) $schemaURLs) (list (printf "%s://%s-%d.%s:%d" $schema (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $i (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") ($values.listeners.schemaRegistry.port | int)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $schema := "http" -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r") -}} +{{- $schema = "https" -}} +{{- end -}} +{{- $c := (dict "kafka" (dict "brokers" (get (fromJson (include "redpanda.BrokerList" (dict "a" (list $dot ($values.statefulset.replicas | int) ($values.listeners.kafka.port | int)) ))) "r") "sasl" (dict "enabled" (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") ) "tls" (get (fromJson (include "redpanda.KafkaListeners.ConsolemTLS" (dict "a" (list $values.listeners.kafka $values.tls) ))) "r") "schemaRegistry" (dict "enabled" $values.listeners.schemaRegistry.enabled "urls" $schemaURLs "tls" (get (fromJson (include "redpanda.SchemaRegistryListeners.ConsoleTLS" (dict "a" (list $values.listeners.schemaRegistry $values.tls) ))) "r") ) ) "redpanda" (dict "adminApi" (dict "enabled" true "urls" (list (printf "%s://%s:%d" $schema (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") ($values.listeners.admin.port | int))) "tls" (get (fromJson (include "redpanda.AdminListeners.ConsoleTLS" (dict "a" (list $values.listeners.admin $values.tls) ))) "r") ) ) ) -}} +{{- if $values.connectors.enabled -}} +{{- $port := (dig "connectors" "connectors" "restPort" (8083 | int) $dot.Values.AsMap) -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asintegral" (dict "a" (list $port) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_1.T2 -}} +{{- $p := ($tmp_tuple_1.T1 | int) -}} +{{- if (not $ok) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $c) | toJson -}} +{{- break -}} +{{- end -}} +{{- $connectorsURL := (printf "http://%s.%s.svc.%s:%d" (get (fromJson (include "redpanda.ConnectorsFullName" (dict "a" (list $dot) ))) "r") $dot.Release.Namespace (trimSuffix "." $values.clusterDomain) $p) -}} +{{- $_ := (set $c "connect" (mustMergeOverwrite (dict "enabled" false "clusters" (coalesce nil) "connectTimeout" 0 "readTimeout" 0 "requestTimeout" 0 ) (dict "enabled" $values.connectors.enabled "clusters" (list (mustMergeOverwrite (dict "name" "" "url" "" "tls" (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) "username" "" "password" "" "token" "" ) (dict "name" "connectors" "url" $connectorsURL "tls" (mustMergeOverwrite (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false )) "username" "" "password" "" "token" "" ))) ))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $values.console.console.config $c)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ConnectorsFullName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (ne (dig "connectors" "connectors" "fullnameOverwrite" "" $dot.Values.AsMap) "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $values.connectors.connectors.fullnameOverwrite) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list (printf "%s-connectors" $dot.Release.Name)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/templates/_example-commands.tpl b/charts/redpanda/redpanda/5.9.2/templates/_example-commands.tpl new file mode 100644 index 000000000..9a5c695e3 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/_example-commands.tpl @@ -0,0 +1,58 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + + +{{/* +Any rpk command that's given to the user in NOTES.txt must be defined in this template file +and tested in a test. +*/}} + +{{/* tested in tests/test-kafka-sasl-status.yaml */}} +{{- define "rpk-acl-user-create" -}} +{{- $cmd := (get ((include "redpanda.RpkACLUserCreate" (dict "a" (list .))) | fromJson) "r") }} +{{- $cmd }} +{{- end -}} + +{{/* tested in tests/test-kafka-sasl-status.yaml */}} +{{- define "rpk-acl-create" -}} +{{- $cmd := (get ((include "redpanda.RpkACLCreate" (dict "a" (list .))) | fromJson) "r") }} +{{- $cmd }} +{{- end -}} + +{{/* tested in tests/test-kafka-sasl-status.yaml */}} +{{- define "rpk-cluster-info" -}} +{{- $cmd := (get ((include "redpanda.RpkClusterInfo" (dict "a" (list .))) | fromJson) "r") }} +{{- $cmd }} +{{- end -}} + +{{/* tested in tests/test-kafka-sasl-status.yaml */}} +{{- define "rpk-topic-create" -}} +{{- $cmd := (get ((include "redpanda.RpkTopicCreate" (dict "a" (list .))) | fromJson) "r") }} +{{- $cmd }} +{{- end -}} + +{{/* tested in tests/test-kafka-sasl-status.yaml */}} +{{- define "rpk-topic-describe" -}} +{{- $cmd := (get ((include "redpanda.RpkTopicDescribe" (dict "a" (list .))) | fromJson) "r") }} +{{- $cmd }} +{{- end -}} + +{{/* tested in tests/test-kafka-sasl-status.yaml */}} +{{- define "rpk-topic-delete" -}} +{{- $cmd := (get ((include "redpanda.RpkTopicDelete" (dict "a" (list .))) | fromJson) "r") }} +{{- $cmd }} +{{- end -}} \ No newline at end of file diff --git a/charts/redpanda/redpanda/5.9.2/templates/_helpers.go.tpl b/charts/redpanda/redpanda/5.9.2/templates/_helpers.go.tpl new file mode 100644 index 000000000..c910f646a --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/_helpers.go.tpl @@ -0,0 +1,535 @@ +{{- /* Generated from "helpers.go" */ -}} + +{{- define "redpanda.Chart" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list (replace "+" "_" (printf "%s-%s" $dot.Chart.Name $dot.Chart.Version))) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Name" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $dot.Values "nameOverride") "") ))) "r")) ))) "r") -}} +{{- $ok_2 := $tmp_tuple_1.T2 -}} +{{- $override_1 := $tmp_tuple_1.T1 -}} +{{- if (and $ok_2 (ne $override_1 "")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $override_1) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $dot.Chart.Name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Fullname" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" (index $dot.Values "fullnameOverride") "") ))) "r")) ))) "r") -}} +{{- $ok_4 := $tmp_tuple_2.T2 -}} +{{- $override_3 := $tmp_tuple_2.T1 -}} +{{- if (and $ok_4 (ne $override_3 "")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $override_3) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $dot.Release.Name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.FullLabels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $labels := (dict ) -}} +{{- if (ne $values.commonLabels (coalesce nil)) -}} +{{- $labels = $values.commonLabels -}} +{{- end -}} +{{- $defaults := (dict "helm.sh/chart" (get (fromJson (include "redpanda.Chart" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/managed-by" $dot.Release.Service "app.kubernetes.io/component" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") ) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $labels $defaults)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ServiceAccountName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $serviceAccount := $values.serviceAccount -}} +{{- if (and $serviceAccount.create (ne $serviceAccount.name "")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $serviceAccount.name) | toJson -}} +{{- break -}} +{{- else -}}{{- if $serviceAccount.create -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) | toJson -}} +{{- break -}} +{{- else -}}{{- if (ne $serviceAccount.name "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $serviceAccount.name) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "default") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Tag" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $tag := (toString $values.image.tag) -}} +{{- if (eq $tag "") -}} +{{- $tag = $dot.Chart.AppVersion -}} +{{- end -}} +{{- $pattern := "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$" -}} +{{- if (not (regexMatch $pattern $tag)) -}} +{{- $_ := (fail "image.tag must start with a 'v' and be a valid semver") -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tag) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ServiceName" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (and (ne $values.service (coalesce nil)) (ne $values.service.name (coalesce nil))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.cleanForK8s" (dict "a" (list $values.service.name) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.InternalDomain" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $service := (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") -}} +{{- $ns := $dot.Release.Namespace -}} +{{- $domain := (trimSuffix "." $values.clusterDomain) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s.%s.svc.%s." $service $ns $domain)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TLSEnabled" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if $values.tls.enabled -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $listeners := (list "kafka" "admin" "schemaRegistry" "rpc" "http") -}} +{{- range $_, $listener := $listeners -}} +{{- $tlsCert := (dig "listeners" $listener "tls" "cert" false $dot.Values.AsMap) -}} +{{- $tlsEnabled := (dig "listeners" $listener "tls" "enabled" false $dot.Values.AsMap) -}} +{{- if (and (not (empty $tlsEnabled)) (not (empty $tlsCert))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $external := (dig "listeners" $listener "external" false $dot.Values.AsMap) -}} +{{- if (empty $external) -}} +{{- continue -}} +{{- end -}} +{{- $keys := (keys (get (fromJson (include "_shims.typeassertion" (dict "a" (list (printf "map[%s]%s" "string" "interface {}") $external) ))) "r")) -}} +{{- range $_, $key := $keys -}} +{{- $enabled := (dig "listeners" $listener "external" $key "enabled" false $dot.Values.AsMap) -}} +{{- $tlsCert := (dig "listeners" $listener "external" $key "tls" "cert" false $dot.Values.AsMap) -}} +{{- $tlsEnabled := (dig "listeners" $listener "external" $key "tls" "enabled" false $dot.Values.AsMap) -}} +{{- if (and (and (not (empty $enabled)) (not (empty $tlsCert))) (not (empty $tlsEnabled))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" false) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ClientAuthRequired" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $listeners := (list "kafka" "admin" "schemaRegistry" "rpc" "http") -}} +{{- range $_, $listener := $listeners -}} +{{- $required := (dig "listeners" $listener "tls" "requireClientAuth" false $dot.Values.AsMap) -}} +{{- if (not (empty $required)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" false) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.DefaultMounts" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/etc/redpanda" )))) (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.CommonMounts" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $mounts := (list ) -}} +{{- $sasl_5 := $values.auth.sasl -}} +{{- if (and $sasl_5.enabled (ne $sasl_5.secretRef "")) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "users" "mountPath" "/etc/secrets/users" "readOnly" true )))) -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r") -}} +{{- $certNames := (keys $values.tls.certs) -}} +{{- $_ := (sortAlpha $certNames) -}} +{{- range $_, $name := $certNames -}} +{{- $cert := (index $values.tls.certs $name) -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $cert.enabled true) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf "redpanda-%s-cert" $name) "mountPath" (printf "/etc/tls/certs/%s" $name) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $adminTLS := $values.listeners.admin.tls -}} +{{- if $adminTLS.requireClientAuth -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "mtls-client" "mountPath" (printf "/etc/tls/certs/%s-client" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) )))) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $mounts) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.DefaultVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (concat (default (list ) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") )) (dict )) )) (dict "name" "config" )))) (default (list ) (get (fromJson (include "redpanda.CommonVolumes" (dict "a" (list $dot) ))) "r")))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.CommonVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $volumes := (list ) -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r") -}} +{{- $certNames := (keys $values.tls.certs) -}} +{{- $_ := (sortAlpha $certNames) -}} +{{- range $_, $name := $certNames -}} +{{- $cert := (index $values.tls.certs $name) -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $cert.enabled true) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (get (fromJson (include "redpanda.CertSecretName" (dict "a" (list $dot $name $cert) ))) "r") "defaultMode" (0o440 | int) )) )) (dict "name" (printf "redpanda-%s-cert" $name) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $adminTLS := $values.listeners.admin.tls -}} +{{- $cert := (index $values.tls.certs $adminTLS.cert) -}} +{{- if $adminTLS.requireClientAuth -}} +{{- $secretName := (printf "%s-client" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- if (ne $cert.clientSecretRef (coalesce nil)) -}} +{{- $secretName = $cert.clientSecretRef.name -}} +{{- end -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" $secretName "defaultMode" (0o440 | int) )) )) (dict "name" "mtls-client" )))) -}} +{{- end -}} +{{- end -}} +{{- $sasl_6 := $values.auth.sasl -}} +{{- if (and $sasl_6.enabled (ne $sasl_6.secretRef "")) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" $sasl_6.secretRef )) )) (dict "name" "users" )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $volumes) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.CertSecretName" -}} +{{- $dot := (index .a 0) -}} +{{- $certName := (index .a 1) -}} +{{- $cert := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne $cert.secretRef (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $cert.secretRef.name) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s-%s-cert" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $certName)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.PodSecurityContext" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $sc := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.statefulset.podSecurityContext $values.statefulset.securityContext) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict ) (dict "fsGroup" $sc.fsGroup "fsGroupChangePolicy" $sc.fsGroupChangePolicy ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ContainerSecurityContext" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $sc := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.statefulset.podSecurityContext $values.statefulset.securityContext) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict ) (dict "runAsUser" $sc.runAsUser "runAsGroup" (get (fromJson (include "redpanda.coalesce" (dict "a" (list (list $sc.runAsGroup $sc.fsGroup)) ))) "r") "allowPrivilegeEscalation" (get (fromJson (include "redpanda.coalesce" (dict "a" (list (list $sc.allowPrivilegeEscalation $sc.allowPriviledgeEscalation)) ))) "r") "runAsNonRoot" $sc.runAsNonRoot ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_22_2_0" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=22.2.0-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_22_3_0" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=22.3.0-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_23_1_1" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=23.1.1-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_23_1_2" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=23.1.2-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_22_3_atleast_22_3_13" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=22.3.13-0,<22.4") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_22_2_atleast_22_2_10" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=22.2.10-0,<22.3") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_23_2_1" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=23.2.1-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaAtLeast_23_3_0" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.redpandaAtLeast" (dict "a" (list $dot ">=23.3.0-0 || <0.0.1-0") ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.redpandaAtLeast" -}} +{{- $dot := (index .a 0) -}} +{{- $constraint := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $version := (trimPrefix "v" (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (list (semverCompare $constraint $version) nil)) ))) "r") -}} +{{- $err := $tmp_tuple_3.T2 -}} +{{- $result := $tmp_tuple_3.T1 -}} +{{- if (ne $err (coalesce nil)) -}} +{{- $_ := (fail $err) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.cleanForK8s" -}} +{{- $in := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (trimSuffix "-" (trunc (63 | int) $in))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaSMP" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $coresInMillies := ((get (fromJson (include "_shims.resource_MilliValue" (dict "a" (list $values.resources.cpu.cores) ))) "r") | int64) -}} +{{- if (lt $coresInMillies (1000 | int64)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (1 | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $values.resources.cpu.cores) ))) "r") | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.coalesce" -}} +{{- $values := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- range $_, $v := $values -}} +{{- if (ne $v (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $v) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StrategicMergePatch" -}} +{{- $overrides := (index .a 0) -}} +{{- $original := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne $overrides.labels (coalesce nil)) -}} +{{- $_ := (set $original.metadata "labels" (merge (dict ) $overrides.labels (default (dict ) $original.metadata.labels))) -}} +{{- end -}} +{{- if (ne $overrides.annotations (coalesce nil)) -}} +{{- $_ := (set $original.metadata "annotations" (merge (dict ) $overrides.annotations (default (dict ) $original.metadata.annotations))) -}} +{{- end -}} +{{- if (ne $overrides.spec.securityContext (coalesce nil)) -}} +{{- $_ := (set $original.spec "securityContext" (merge (dict ) $overrides.spec.securityContext (default (mustMergeOverwrite (dict ) (dict )) $original.spec.securityContext))) -}} +{{- end -}} +{{- $overrideContainers := (dict ) -}} +{{- range $i, $_ := $overrides.spec.containers -}} +{{- $container := (index $overrides.spec.containers $i) -}} +{{- $_ := (set $overrideContainers (toString $container.name) $container) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $merged := (coalesce nil) -}} +{{- range $_, $container := $original.spec.containers -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $overrideContainers $container.name (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_8 := $tmp_tuple_4.T2 -}} +{{- $override_7 := $tmp_tuple_4.T1 -}} +{{- if $ok_8 -}} +{{- $env := (concat (default (list ) $container.env) (default (list ) $override_7.env)) -}} +{{- $container = (merge (dict ) $override_7 $container) -}} +{{- $_ := (set $container "env" $env) -}} +{{- end -}} +{{- if (eq $container.env (coalesce nil)) -}} +{{- $_ := (set $container "env" (list )) -}} +{{- end -}} +{{- $merged = (concat (default (list ) $merged) (list $container)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $original.spec "containers" $merged) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $original) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/templates/_helpers.tpl b/charts/redpanda/redpanda/5.9.2/templates/_helpers.tpl new file mode 100644 index 000000000..a885f9dcd --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/_helpers.tpl @@ -0,0 +1,368 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{/* +Expand the name of the chart. +*/}} +{{- define "redpanda.name" -}} +{{- get ((include "redpanda.Name" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "redpanda.fullname" -}} +{{- get ((include "redpanda.Fullname" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* +Create a default service name +*/}} +{{- define "redpanda.servicename" -}} +{{- get ((include "redpanda.ServiceName" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* +full helm labels + common labels +*/}} +{{- define "full.labels" -}} +{{- (get ((include "redpanda.FullLabels" (dict "a" (list .))) | fromJson) "r") | toYaml }} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "redpanda.chart" -}} +{{- get ((include "redpanda.Chart" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "redpanda.serviceAccountName" -}} +{{- get ((include "redpanda.ServiceAccountName" (dict "a" (list .))) | fromJson) "r" }} +{{- end }} + +{{/* +Use AppVersion if image.tag is not set +*/}} +{{- define "redpanda.tag" -}} +{{- get ((include "redpanda.Tag" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* Generate internal fqdn */}} +{{- define "redpanda.internal.domain" -}} +{{- get ((include "redpanda.InternalDomain" (dict "a" (list .))) | fromJson) "r" }} +{{- end -}} + +{{/* ConfigMap variables */}} +{{- define "admin-internal-tls-enabled" -}} +{{- toJson (dict "bool" (get ((include "redpanda.InternalTLS.IsEnabled" (dict "a" (list .Values.listeners.admin.tls .Values.tls))) | fromJson) "r")) -}} +{{- end -}} + +{{- define "kafka-internal-tls-enabled" -}} +{{- $listener := .Values.listeners.kafka -}} +{{- toJson (dict "bool" (and (dig "tls" "enabled" .Values.tls.enabled $listener) (not (empty (dig "tls" "cert" "" $listener))))) -}} +{{- end -}} + +{{- define "kafka-external-tls-cert" -}} +{{- dig "tls" "cert" .Values.listeners.kafka.tls.cert .listener -}} +{{- end -}} + +{{- define "http-internal-tls-enabled" -}} +{{- $listener := .Values.listeners.http -}} +{{- toJson (dict "bool" (and (dig "tls" "enabled" .Values.tls.enabled $listener) (not (empty (dig "tls" "cert" "" $listener))))) -}} +{{- end -}} + +{{- define "schemaRegistry-internal-tls-enabled" -}} +{{- $listener := .Values.listeners.schemaRegistry -}} +{{- toJson (dict "bool" (and (dig "tls" "enabled" .Values.tls.enabled $listener) (not (empty (dig "tls" "cert" "" $listener))))) -}} +{{- end -}} + +{{- define "tls-enabled" -}} +{{- $tlsenabled := get ((include "redpanda.TLSEnabled" (dict "a" (list .))) | fromJson) "r" }} +{{- toJson (dict "bool" $tlsenabled) -}} +{{- end -}} + +{{- define "sasl-enabled" -}} +{{- toJson (dict "bool" (dig "enabled" false .Values.auth.sasl)) -}} +{{- end -}} + +{{- define "admin-api-urls" -}} +{{ printf "${SERVICE_NAME}.%s" (include "redpanda.internal.domain" .) }}:{{.Values.listeners.admin.port }} +{{- end -}} + +{{- define "admin-api-service-url" -}} +{{ include "redpanda.internal.domain" .}}:{{.Values.listeners.admin.port }} +{{- end -}} + +{{- define "sasl-mechanism" -}} +{{- dig "sasl" "mechanism" "SCRAM-SHA-512" .Values.auth -}} +{{- end -}} + +{{- define "fail-on-insecure-sasl-logging" -}} +{{- if (include "sasl-enabled" .|fromJson).bool -}} + {{- $check := list + (include "redpanda-atleast-23-1-1" .|fromJson).bool + (include "redpanda-22-3-atleast-22-3-13" .|fromJson).bool + (include "redpanda-22-2-atleast-22-2-10" .|fromJson).bool + -}} + {{- if not (mustHas true $check) -}} + {{- fail "SASL is enabled and the redpanda version specified leaks secrets to the logs. Please choose a newer version of redpanda." -}} + {{- end -}} +{{- end -}} +{{- end -}} + +{{- define "fail-on-unsupported-helm-version" -}} + {{- $helmVer := (fromYaml (toYaml .Capabilities.HelmVersion)).version -}} + {{- if semverCompare "<3.8.0-0" $helmVer -}} + {{- fail (printf "helm version %s is not supported. Please use helm version v3.8.0 or newer." $helmVer) -}} + {{- end -}} +{{- end -}} + +{{- define "redpanda-atleast-22-2-0" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_22_2_0" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-atleast-22-3-0" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_22_3_0" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-atleast-23-1-1" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_23_1_1" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-atleast-23-1-2" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_23_1_2" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-22-3-atleast-22-3-13" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_22_3_atleast_22_3_13" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-22-2-atleast-22-2-10" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_22_2_atleast_22_2_10" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-atleast-23-2-1" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_23_2_1" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} +{{- define "redpanda-atleast-23-3-0" -}} +{{- toJson (dict "bool" (get ((include "redpanda.RedpandaAtLeast_23_3_0" (dict "a" (list .))) | fromJson) "r")) }} +{{- end -}} + +{{- define "redpanda-22-2-x-without-sasl" -}} +{{- $result := (include "redpanda-atleast-22-3-0" . | fromJson).bool -}} +{{- if or (include "sasl-enabled" . | fromJson).bool .Values.listeners.kafka.authenticationMethod -}} +{{- $result := false -}} +{{- end -}} +{{- toJson (dict "bool" $result) -}} +{{- end -}} + +{{- define "pod-security-context" -}} +{{- get ((include "redpanda.PodSecurityContext" (dict "a" (list .))) | fromJson) "r" | toYaml }} +{{- end -}} + +{{- define "container-security-context" -}} +{{- get ((include "redpanda.ContainerSecurityContext" (dict "a" (list .))) | fromJson) "r" | toYaml }} +{{- end -}} + +{{- define "admin-tls-curl-flags" -}} + {{- $result := "" -}} + {{- if (include "admin-internal-tls-enabled" . | fromJson).bool -}} + {{- $path := (printf "/etc/tls/certs/%s" .Values.listeners.admin.tls.cert) -}} + {{- $result = (printf "--cacert %s/tls.crt" $path) -}} + {{- if .Values.listeners.admin.tls.requireClientAuth -}} + {{- $result = (printf "--cacert %s/ca.crt --cert %s/tls.crt --key %s/tls.key" $path $path $path) -}} + {{- end -}} + {{- end -}} + {{- $result -}} +{{- end -}} + +{{- define "admin-http-protocol" -}} + {{- $result := "http" -}} + {{- if (include "admin-internal-tls-enabled" . | fromJson).bool -}} + {{- $result = "https" -}} + {{- end -}} + {{- $result -}} +{{- end -}} + +{{- /* +advertised-port returns either the only advertised port if only one is specified, +or the port specified for this pod ordinal when there is a full list provided. + +This will return a string int or panic if there is more than one port provided, +but not enough ports for the number of replicas requested. +*/ -}} +{{- define "advertised-port" -}} + {{- $port := dig "port" .listenerVals.port .externalVals -}} + {{- if .externalVals.advertisedPorts -}} + {{- if eq (len .externalVals.advertisedPorts) 1 -}} + {{- $port = mustFirst .externalVals.advertisedPorts -}} + {{- else -}} + {{- $port = index .externalVals.advertisedPorts .replicaIndex -}} + {{- end -}} + {{- end -}} + {{ $port }} +{{- end -}} + +{{- /* +advertised-host returns a json string with the data needed for configuring the advertised listener +*/ -}} +{{- define "advertised-host" -}} + {{- $host := dict "name" .externalName "address" .externalAdvertiseAddress "port" .port -}} + {{- if .values.external.addresses -}} + {{- $address := "" -}} + {{- if gt (len .values.external.addresses) 1 -}} + {{- $address = (index .values.external.addresses .replicaIndex) -}} + {{- else -}} + {{- $address = (index .values.external.addresses 0) -}} + {{- end -}} + {{- if ( .values.external.domain | default "" ) }} + {{- $host = dict "name" .externalName "address" (printf "%s.%s" $address .values.external.domain) "port" .port -}} + {{- else -}} + {{- $host = dict "name" .externalName "address" $address "port" .port -}} + {{- end -}} + {{- end -}} + {{- toJson $host -}} +{{- end -}} + +{{- define "is-licensed" -}} +{{- toJson (dict "bool" (or (not (empty (include "enterprise-license" . ))) (not (empty (include "enterprise-secret" . ))))) -}} +{{- end -}} + +{{- define "seed-server-list" -}} + {{- $brokers := list -}} + {{- range $ordinal := until (.Values.statefulset.replicas | int) -}} + {{- $brokers = append $brokers (printf "%s-%d.%s" + (include "redpanda.fullname" $) + $ordinal + (include "redpanda.internal.domain" $)) + -}} + {{- end -}} + {{- toJson $brokers -}} +{{- end -}} + +{{/* +return license checks deprecated values if current values is empty +*/}} +{{- define "enterprise-license" -}} +{{- if dig "license" dict .Values.enterprise -}} + {{- .Values.enterprise.license -}} +{{- else -}} + {{- .Values.license_key -}} +{{- end -}} +{{- end -}} + +{{/* +return licenseSecretRef checks deprecated values entry if current values empty +*/}} +{{- define "enterprise-secret" -}} +{{- if ( dig "licenseSecretRef" dict .Values.enterprise ) -}} + {{- .Values.enterprise.licenseSecretRef -}} +{{- else if not (empty .Values.license_secret_ref ) -}} + {{- .Values.license_secret_ref -}} +{{- end -}} +{{- end -}} + +{{/* +return licenseSecretRef.name checks deprecated values entry if current values empty +*/}} +{{- define "enterprise-secret-name" -}} +{{- if ( dig "licenseSecretRef" dict .Values.enterprise ) -}} + {{- dig "name" "" .Values.enterprise.licenseSecretRef -}} +{{- else if not (empty .Values.license_secret_ref ) -}} + {{- dig "secret_name" "" .Values.license_secret_ref -}} +{{- end -}} +{{- end -}} + +{{/* +return licenseSecretRef.key checks deprecated values entry if current values empty +*/}} +{{- define "enterprise-secret-key" -}} +{{- if ( dig "licenseSecretRef" dict .Values.enterprise ) -}} + {{- dig "key" "" .Values.enterprise.licenseSecretRef -}} +{{- else if not (empty .Values.license_secret_ref ) -}} + {{- dig "secret_key" "" .Values.license_secret_ref -}} +{{- end -}} +{{- end -}} + +{{/* mounts that are common to all containers */}} +{{- define "common-mounts" -}} +{{- $mounts := get ((include "redpanda.CommonMounts" (dict "a" (list .))) | fromJson) "r" }} +{{- if $mounts -}} +{{- toYaml $mounts -}} +{{- end -}} +{{- end -}} + +{{/* mounts that are common to most containers */}} +{{- define "default-mounts" -}} +{{- $mounts := get ((include "redpanda.DefaultMounts" (dict "a" (list .))) | fromJson) "r" }} +{{- if $mounts -}} +{{- toYaml $mounts -}} +{{- end -}} +{{- end -}} + +{{/* volumes that are common to all pods */}} +{{- define "common-volumes" -}} +{{- $volumes := get ((include "redpanda.CommonVolumes" (dict "a" (list .))) | fromJson) "r" }} +{{- if $volumes -}} +{{- toYaml $volumes -}} +{{- end -}} +{{- end -}} + +{{/* the default set of volumes for most pods, except the sts pod */}} +{{- define "default-volumes" -}} +{{- $volumes := get ((include "redpanda.DefaultVolumes" (dict "a" (list .))) | fromJson) "r" }} +{{- if $volumes -}} +{{- toYaml $volumes -}} +{{- end -}} +{{- end -}} + +{{/* support legacy storage.tieredConfig */}} +{{- define "storage-tiered-config" -}} +{{- $cfg := get ((include "redpanda.StorageTieredConfig" (dict "a" (list .))) | fromJson) "r" }} +{{- if $cfg -}} +{{- toYaml $cfg -}} +{{- end -}} +{{- end -}} + +{{/* + rpk sasl environment variables + + this will return a string with the correct environment variables to use for SASL based on the + version of the redpada container being used +*/}} +{{- define "rpk-sasl-environment-variables" -}} +{{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool -}} +RPK_USER RPK_PASS RPK_SASL_MECHANISM +{{- else -}} +REDPANDA_SASL_USERNAME REDPANDA_SASL_PASSWORD REDPANDA_SASL_MECHANISM +{{- end -}} +{{- end -}} + +{{- define "curl-options" -}} +{{- print " -svm3 --fail --retry \"120\" --retry-max-time \"120\" --retry-all-errors -o - -w \"\\nstatus=%{http_code} %{redirect_url} size=%{size_download} time=%{time_total} content-type=\\\"%{content_type}\\\"\\n\" "}} +{{- end -}} + +{{- define "advertised-address-template" -}} + {{- $prefixTemplate := dig "prefixTemplate" "" .externalListener -}} + {{- if empty $prefixTemplate -}} + {{- $prefixTemplate = dig "prefixTemplate" "" .externalVals -}} + {{- end -}} + {{ quote $prefixTemplate }} +{{- end -}} + +{{/* check if client auth is enabled for any of the listeners */}} +{{- define "client-auth-required" -}} +{{- $requireClientAuth := get ((include "redpanda.ClientAuthRequired" (dict "a" (list .))) | fromJson) "r" }} +{{- toJson (dict "bool" $requireClientAuth) -}} +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.2/templates/_memory.go.tpl b/charts/redpanda/redpanda/5.9.2/templates/_memory.go.tpl new file mode 100644 index 000000000..9f839e66b --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/_memory.go.tpl @@ -0,0 +1,63 @@ +{{- /* Generated from "memory.go" */ -}} + +{{- define "redpanda.RedpandaReserveMemory" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $rpMem_1 := $values.resources.memory.redpanda -}} +{{- if (and (ne $rpMem_1 (coalesce nil)) (ne $rpMem_1.reserveMemory (coalesce nil))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $rpMem_1.reserveMemory) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" ((add (((mulf (((get (fromJson (include "redpanda.ContainerMemory" (dict "a" (list $dot) ))) "r") | int64) | float64) 0.002) | float64) | int64) (200 | int64)) | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaMemory" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $memory := ((0 | int64) | int64) -}} +{{- $containerMemory := ((get (fromJson (include "redpanda.ContainerMemory" (dict "a" (list $dot) ))) "r") | int64) -}} +{{- $rpMem_2 := $values.resources.memory.redpanda -}} +{{- if (and (ne $rpMem_2 (coalesce nil)) (ne $rpMem_2.memory (coalesce nil))) -}} +{{- $memory = ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $rpMem_2.memory) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64) -}} +{{- else -}} +{{- $memory = (((mulf ($containerMemory | float64) 0.8) | float64) | int64) -}} +{{- end -}} +{{- if (eq $memory (0 | int64)) -}} +{{- $_ := (fail "unable to get memory value redpanda-memory") -}} +{{- end -}} +{{- if (lt $memory (256 | int64)) -}} +{{- $_ := (fail (printf "%d is below the minimum value for Redpanda" $memory)) -}} +{{- end -}} +{{- if (gt ((add $memory ((get (fromJson (include "redpanda.RedpandaReserveMemory" (dict "a" (list $dot) ))) "r") | int64)) | int64) $containerMemory) -}} +{{- $_ := (fail (printf "Not enough container memory for Redpanda memory values where Redpanda: %d, reserve: %d, container: %d" $memory ((get (fromJson (include "redpanda.RedpandaReserveMemory" (dict "a" (list $dot) ))) "r") | int64) $containerMemory)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $memory) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ContainerMemory" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (ne $values.resources.memory.container.min (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $values.resources.memory.container.min) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" ((div ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $values.resources.memory.container.max) ))) "r") | int64) ((mul (1024 | int) (1024 | int)))) | int64)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/templates/_notes.go.tpl b/charts/redpanda/redpanda/5.9.2/templates/_notes.go.tpl new file mode 100644 index 000000000..6c1e88a61 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/_notes.go.tpl @@ -0,0 +1,167 @@ +{{- /* Generated from "notes.go" */ -}} + +{{- define "redpanda.Warnings" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $warnings := (coalesce nil) -}} +{{- $w_1 := (get (fromJson (include "redpanda.cpuWarning" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $w_1 "") -}} +{{- $warnings = (concat (default (list ) $warnings) (list (printf `**Warning**: %s` $w_1))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $warnings) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.cpuWarning" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $coresInMillis := ((get (fromJson (include "_shims.resource_MilliValue" (dict "a" (list $values.resources.cpu.cores) ))) "r") | int64) -}} +{{- if (lt $coresInMillis (1000 | int64)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%dm is below the minimum recommended CPU value for Redpanda" $coresInMillis)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Notes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $anySASL := (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $values.auth) ))) "r") -}} +{{- $notes := (coalesce nil) -}} +{{- $notes = (concat (default (list ) $notes) (list `` `` `` `` (printf `Congratulations on installing %s!` $dot.Chart.Name) `` `The pods will rollout in a few seconds. To check the status:` `` (printf ` kubectl -n %s rollout status statefulset %s --watch` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")))) -}} +{{- if (and $values.external.enabled (eq $values.external.type "LoadBalancer")) -}} +{{- $notes = (concat (default (list ) $notes) (list `` `If you are using the load balancer service with a cloud provider, the services will likely have automatically-generated addresses. In this scenario the advertised listeners must be updated in order for external access to work. Run the following command once Redpanda is deployed:` `` (printf ` helm upgrade %s redpanda/redpanda --reuse-values -n %s --set $(kubectl get svc -n %s -o jsonpath='{"external.addresses={"}{ range .items[*]}{.status.loadBalancer.ingress[0].ip }{.status.loadBalancer.ingress[0].hostname}{","}{ end }{"}\n"}')` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") $dot.Release.Namespace $dot.Release.Namespace))) -}} +{{- end -}} +{{- $profiles := (keys $values.listeners.kafka.external) -}} +{{- $_ := (sortAlpha $profiles) -}} +{{- $profileName := (index $profiles (0 | int)) -}} +{{- $notes = (concat (default (list ) $notes) (list `` `Set up rpk for access to your external listeners:`)) -}} +{{- $profile := (index $values.listeners.kafka.external $profileName) -}} +{{- if (get (fromJson (include "redpanda.TLSEnabled" (dict "a" (list $dot) ))) "r") -}} +{{- $external := "" -}} +{{- if (and (ne $profile.tls (coalesce nil)) (ne $profile.tls.cert (coalesce nil))) -}} +{{- $external = $profile.tls.cert -}} +{{- else -}} +{{- $external = $values.listeners.kafka.tls.cert -}} +{{- end -}} +{{- $notes = (concat (default (list ) $notes) (list (printf ` kubectl get secret -n %s %s-%s-cert -o go-template='{{ index .data "ca.crt" | base64decode }}' > ca.crt` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $external))) -}} +{{- if (or $values.listeners.kafka.tls.requireClientAuth $values.listeners.admin.tls.requireClientAuth) -}} +{{- $notes = (concat (default (list ) $notes) (list (printf ` kubectl get secret -n %s %s-client -o go-template='{{ index .data "tls.crt" | base64decode }}' > tls.crt` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) (printf ` kubectl get secret -n %s %s-client -o go-template='{{ index .data "tls.key" | base64decode }}' > tls.key` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")))) -}} +{{- end -}} +{{- end -}} +{{- $notes = (concat (default (list ) $notes) (list (printf ` rpk profile create --from-profile <(kubectl get configmap -n %s %s-rpk -o go-template='{{ .data.profile }}') %s` $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $profileName) `` `Set up dns to look up the pods on their Kubernetes Nodes. You can use this query to get the list of short-names to IP addresses. Add your external domain to the hostnames and you could test by adding these to your /etc/hosts:` `` (printf ` kubectl get pod -n %s -o custom-columns=node:.status.hostIP,name:.metadata.name --no-headers -l app.kubernetes.io/name=redpanda,app.kubernetes.io/component=redpanda-statefulset` $dot.Release.Namespace))) -}} +{{- if $anySASL -}} +{{- $notes = (concat (default (list ) $notes) (list `` `Set the credentials in the environment:` `` (printf ` kubectl -n %s get secret %s -o go-template="{{ range .data }}{{ . | base64decode }}{{ end }}" | IFS=: read -r %s` $dot.Release.Namespace $values.auth.sasl.secretRef (get (fromJson (include "redpanda.RpkSASLEnvironmentVariables" (dict "a" (list $dot) ))) "r")) (printf ` export %s` (get (fromJson (include "redpanda.RpkSASLEnvironmentVariables" (dict "a" (list $dot) ))) "r")))) -}} +{{- end -}} +{{- $notes = (concat (default (list ) $notes) (list `` `Try some sample commands:`)) -}} +{{- if $anySASL -}} +{{- $notes = (concat (default (list ) $notes) (list `Create a user:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkACLUserCreate" (dict "a" (list $dot) ))) "r")) `` `Give the user permissions:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkACLCreate" (dict "a" (list $dot) ))) "r")))) -}} +{{- end -}} +{{- $notes = (concat (default (list ) $notes) (list `` `Get the api status:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkClusterInfo" (dict "a" (list $dot) ))) "r")) `` `Create a topic` `` (printf ` %s` (get (fromJson (include "redpanda.RpkTopicCreate" (dict "a" (list $dot) ))) "r")) `` `Describe the topic:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkTopicDescribe" (dict "a" (list $dot) ))) "r")) `` `Delete the topic:` `` (printf ` %s` (get (fromJson (include "redpanda.RpkTopicDelete" (dict "a" (list $dot) ))) "r")))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $notes) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkACLUserCreate" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf `rpk acl user create myuser --new-password changeme --mechanism %s` (get (fromJson (include "redpanda.SASLMechanism" (dict "a" (list $dot) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SASLMechanism" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (ne $values.auth.sasl (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $values.auth.sasl.mechanism) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "SCRAM-SHA-512") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkACLCreate" -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" `rpk acl create --allow-principal 'myuser' --allow-host '*' --operation all --topic 'test-topic'`) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkClusterInfo" -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" `rpk cluster info`) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkTopicCreate" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf `rpk topic create test-topic -p 3 -r %d` (min (3 | int64) (($values.statefulset.replicas | int) | int64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkTopicDescribe" -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" `rpk topic describe test-topic`) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkTopicDelete" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" `rpk topic delete test-topic`) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RpkSASLEnvironmentVariables" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (get (fromJson (include "redpanda.RedpandaAtLeast_23_2_1" (dict "a" (list $dot) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" `RPK_USER RPK_PASS RPK_SASL_MECHANISM`) | toJson -}} +{{- break -}} +{{- else -}} +{{- $_is_returning = true -}} +{{- (dict "r" `REDPANDA_SASL_USERNAME REDPANDA_SASL_PASSWORD REDPANDA_SASL_MECHANISM`) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/templates/_poddisruptionbudget.go.tpl b/charts/redpanda/redpanda/5.9.2/templates/_poddisruptionbudget.go.tpl new file mode 100644 index 000000000..763b7b0bd --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/_poddisruptionbudget.go.tpl @@ -0,0 +1,21 @@ +{{- /* Generated from "poddisruptionbudget.go" */ -}} + +{{- define "redpanda.PodDisruptionBudget" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $budget := ($values.statefulset.budget.maxUnavailable | int) -}} +{{- $minReplicas := ((div ($values.statefulset.replicas | int) (2 | int)) | int) -}} +{{- if (and (gt $budget (1 | int)) (gt $budget $minReplicas)) -}} +{{- $_ := (fail (printf "statefulset.budget.maxUnavailable is set too high to maintain quorum: %d > %d" $budget $minReplicas)) -}} +{{- end -}} +{{- $maxUnavailable := ($budget | int) -}} +{{- $matchLabels := (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") -}} +{{- $_ := (set $matchLabels "redpanda.com/poddisruptionbudget" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "disruptionsAllowed" 0 "currentHealthy" 0 "desiredHealthy" 0 "expectedPods" 0 ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "policy/v1" "kind" "PodDisruptionBudget" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict ) (dict "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" $matchLabels )) "maxUnavailable" $maxUnavailable )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/templates/_post-install-upgrade-job.go.tpl b/charts/redpanda/redpanda/5.9.2/templates/_post-install-upgrade-job.go.tpl new file mode 100644 index 000000000..0d5635d3e --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/_post-install-upgrade-job.go.tpl @@ -0,0 +1,233 @@ +{{- /* Generated from "post_install_upgrade_job.go" */ -}} + +{{- define "redpanda.PostInstallUpgradeJob" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.post_install_job.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $job := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "batch/v1" "kind" "Job" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-configuration" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (merge (dict ) (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") (default (dict ) $values.post_install_job.labels)) "annotations" (merge (dict ) (dict "helm.sh/hook" "post-install,post-upgrade" "helm.sh/hook-delete-policy" "before-hook-creation" "helm.sh/hook-weight" "-5" ) (default (dict ) $values.post_install_job.annotations)) )) "spec" (mustMergeOverwrite (dict "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) ) (dict "template" (get (fromJson (include "redpanda.StrategicMergePatch" (dict "a" (list $values.post_install_job.podTemplate (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "generateName" (printf "%s-post-" $dot.Release.Name) "labels" (merge (dict ) (dict "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/component" (printf "%.50s-post-install" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r")) ) (default (dict ) $values.commonLabels)) )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "nodeSelector" $values.nodeSelector "affinity" (get (fromJson (include "redpanda.postInstallJobAffinity" (dict "a" (list $dot) ))) "r") "tolerations" (get (fromJson (include "redpanda.tolerations" (dict "a" (list $dot) ))) "r") "restartPolicy" "Never" "securityContext" (get (fromJson (include "redpanda.PodSecurityContext" (dict "a" (list $dot) ))) "r") "imagePullSecrets" (default (coalesce nil) $values.imagePullSecrets) "containers" (list (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "post-install" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "env" (get (fromJson (include "redpanda.PostInstallUpgradeEnvironmentVariables" (dict "a" (list $dot) ))) "r") "command" (list "bash" "-c") "args" (list ) "resources" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.post_install_job.resources (mustMergeOverwrite (dict ) (dict ))) ))) "r") "securityContext" (merge (dict ) (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.post_install_job.securityContext (mustMergeOverwrite (dict ) (dict ))) ))) "r") (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r")) "volumeMounts" (get (fromJson (include "redpanda.DefaultMounts" (dict "a" (list $dot) ))) "r") ))) "volumes" (get (fromJson (include "redpanda.DefaultVolumes" (dict "a" (list $dot) ))) "r") "serviceAccountName" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") )) ))) ))) "r") )) )) -}} +{{- $script := (coalesce nil) -}} +{{- $script = (concat (default (list ) $script) (list `set -e`)) -}} +{{- if (get (fromJson (include "redpanda.RedpandaAtLeast_22_2_0" (dict "a" (list $dot) ))) "r") -}} +{{- $script = (concat (default (list ) $script) (list `if [[ -n "$REDPANDA_LICENSE" ]] then` ` rpk cluster license set "$REDPANDA_LICENSE"` `fi`)) -}} +{{- end -}} +{{- $script = (concat (default (list ) $script) (list `` `` `` `` `rpk cluster config export -f /tmp/cfg.yml` `` `` `for KEY in "${!RPK_@}"; do` ` config="${KEY#*RPK_}"` ` rpk redpanda config set --config /tmp/cfg.yml "${config,,}" "${!KEY}"` `done` `` `` `rpk cluster config import -f /tmp/cfg.yml` ``)) -}} +{{- $_ := (set (index $job.spec.template.spec.containers (0 | int)) "args" (concat (default (list ) (index $job.spec.template.spec.containers (0 | int)).args) (list (join "\n" $script)))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $job) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.postInstallJobAffinity" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (empty $values.post_install_job.affinity)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $values.post_install_job.affinity) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $values.post_install_job.affinity $values.affinity)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.tolerations" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $result := (coalesce nil) -}} +{{- range $_, $t := $values.tolerations -}} +{{- $result = (concat (default (list ) $result) (list (merge (dict ) $t))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.PostInstallUpgradeEnvironmentVariables" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $envars := (list ) -}} +{{- $license_1 := (get (fromJson (include "redpanda.GetLicenseLiteral" (dict "a" (list $dot) ))) "r") -}} +{{- $secretReference_2 := (get (fromJson (include "redpanda.GetLicenseSecretReference" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $license_1 "") -}} +{{- $envars = (concat (default (list ) $envars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_LICENSE" "value" $license_1 )))) -}} +{{- else -}}{{- if (ne $secretReference_2 (coalesce nil)) -}} +{{- $envars = (concat (default (list ) $envars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_LICENSE" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" $secretReference_2 )) )))) -}} +{{- end -}} +{{- end -}} +{{- if (not (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $envars) | toJson -}} +{{- break -}} +{{- end -}} +{{- $tieredStorageConfig := (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r") -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $tieredStorageConfig "cloud_storage_azure_container" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $azureContainerExists := $tmp_tuple_1.T2 -}} +{{- $ac := $tmp_tuple_1.T1 -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $tieredStorageConfig "cloud_storage_azure_storage_account" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $azureStorageAccountExists := $tmp_tuple_2.T2 -}} +{{- $asa := $tmp_tuple_2.T1 -}} +{{- if (and (and (and $azureContainerExists (ne $ac (coalesce nil))) $azureStorageAccountExists) (ne $asa (coalesce nil))) -}} +{{- $envars = (concat (default (list ) $envars) (default (list ) (get (fromJson (include "redpanda.addAzureSharedKey" (dict "a" (list $tieredStorageConfig $values) ))) "r"))) -}} +{{- else -}} +{{- $envars = (concat (default (list ) $envars) (default (list ) (get (fromJson (include "redpanda.addCloudStorageSecretKey" (dict "a" (list $tieredStorageConfig $values) ))) "r"))) -}} +{{- end -}} +{{- $envars = (concat (default (list ) $envars) (default (list ) (get (fromJson (include "redpanda.addCloudStorageAccessKey" (dict "a" (list $tieredStorageConfig $values) ))) "r"))) -}} +{{- range $k, $v := $tieredStorageConfig -}} +{{- if (or (or (eq $k "cloud_storage_access_key") (eq $k "cloud_storage_secret_key")) (eq $k "cloud_storage_azure_shared_key")) -}} +{{- continue -}} +{{- end -}} +{{- if (or (eq $v (coalesce nil)) (empty $v)) -}} +{{- continue -}} +{{- end -}} +{{- if (and (eq $k "cloud_storage_cache_size") (ne $v (coalesce nil))) -}} +{{- $envars = (concat (default (list ) $envars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" (printf "RPK_%s" (upper $k)) "value" (toJson ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $v) ))) "r") | int64)) )))) -}} +{{- continue -}} +{{- end -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" $v "") ))) "r")) ))) "r") -}} +{{- $ok_4 := $tmp_tuple_3.T2 -}} +{{- $str_3 := $tmp_tuple_3.T1 -}} +{{- if $ok_4 -}} +{{- $envars = (concat (default (list ) $envars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" (printf "RPK_%s" (upper $k)) "value" $str_3 )))) -}} +{{- else -}} +{{- $envars = (concat (default (list ) $envars) (list (mustMergeOverwrite (dict "name" "" ) (dict "name" (printf "RPK_%s" (upper $k)) "value" (mustToJson $v) )))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $envars) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.addCloudStorageAccessKey" -}} +{{- $tieredStorageConfig := (index .a 0) -}} +{{- $values := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $tieredStorageConfig "cloud_storage_access_key" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_6 := $tmp_tuple_4.T2 -}} +{{- $v_5 := $tmp_tuple_4.T1 -}} +{{- $ak_7 := $values.storage.tiered.credentialsSecretRef.accessKey -}} +{{- if (and $ok_6 (ne $v_5 "")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_CLOUD_STORAGE_ACCESS_KEY" "value" (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" $v_5) ))) "r") )))) | toJson -}} +{{- break -}} +{{- else -}}{{- if (get (fromJson (include "redpanda.SecretRef.IsValid" (dict "a" (list $ak_7) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_CLOUD_STORAGE_ACCESS_KEY" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $ak_7.name )) (dict "key" $ak_7.key )) )) )))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.addCloudStorageSecretKey" -}} +{{- $tieredStorageConfig := (index .a 0) -}} +{{- $values := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_5 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $tieredStorageConfig "cloud_storage_secret_key" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_9 := $tmp_tuple_5.T2 -}} +{{- $v_8 := $tmp_tuple_5.T1 -}} +{{- $sk_10 := $values.storage.tiered.credentialsSecretRef.secretKey -}} +{{- if (and $ok_9 (ne $v_8 "")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_CLOUD_STORAGE_SECRET_KEY" "value" (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" $v_8) ))) "r") )))) | toJson -}} +{{- break -}} +{{- else -}}{{- if (get (fromJson (include "redpanda.SecretRef.IsValid" (dict "a" (list $sk_10) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_CLOUD_STORAGE_SECRET_KEY" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $sk_10.name )) (dict "key" $sk_10.key )) )) )))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.addAzureSharedKey" -}} +{{- $tieredStorageConfig := (index .a 0) -}} +{{- $values := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_6 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $tieredStorageConfig "cloud_storage_azure_shared_key" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_12 := $tmp_tuple_6.T2 -}} +{{- $v_11 := $tmp_tuple_6.T1 -}} +{{- $sk_13 := $values.storage.tiered.credentialsSecretRef.secretKey -}} +{{- if (and $ok_12 (ne $v_11 "")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_CLOUD_STORAGE_AZURE_SHARED_KEY" "value" (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" $v_11) ))) "r") )))) | toJson -}} +{{- break -}} +{{- else -}}{{- if (get (fromJson (include "redpanda.SecretRef.IsValid" (dict "a" (list $sk_13) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "RPK_CLOUD_STORAGE_AZURE_SHARED_KEY" "valueFrom" (mustMergeOverwrite (dict ) (dict "secretKeyRef" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $sk_13.name )) (dict "key" $sk_13.key )) )) )))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.GetLicenseLiteral" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (ne $values.enterprise.license "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" $values.enterprise.license) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $values.license_key) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.GetLicenseSecretReference" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (empty $values.enterprise.licenseSecretRef)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $values.enterprise.licenseSecretRef.name )) (dict "key" $values.enterprise.licenseSecretRef.key ))) | toJson -}} +{{- break -}} +{{- else -}}{{- if (not (empty $values.license_secret_ref)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "key" "" ) (mustMergeOverwrite (dict ) (dict "name" $values.license_secret_ref.secret_name )) (dict "key" $values.license_secret_ref.secret_key ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/templates/_secrets.go.tpl b/charts/redpanda/redpanda/5.9.2/templates/_secrets.go.tpl new file mode 100644 index 000000000..09a32e197 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/_secrets.go.tpl @@ -0,0 +1,385 @@ +{{- /* Generated from "secrets.go" */ -}} + +{{- define "redpanda.Secrets" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $secrets := (coalesce nil) -}} +{{- $secrets = (concat (default (list ) $secrets) (list (get (fromJson (include "redpanda.SecretSTSLifecycle" (dict "a" (list $dot) ))) "r"))) -}} +{{- $saslUsers_1 := (get (fromJson (include "redpanda.SecretSASLUsers" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $saslUsers_1 (coalesce nil)) -}} +{{- $secrets = (concat (default (list ) $secrets) (list $saslUsers_1)) -}} +{{- end -}} +{{- $configWatcher_2 := (get (fromJson (include "redpanda.SecretConfigWatcher" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $configWatcher_2 (coalesce nil)) -}} +{{- $secrets = (concat (default (list ) $secrets) (list $configWatcher_2)) -}} +{{- end -}} +{{- $secrets = (concat (default (list ) $secrets) (list (get (fromJson (include "redpanda.SecretConfigurator" (dict "a" (list $dot) ))) "r"))) -}} +{{- $fsValidator_3 := (get (fromJson (include "redpanda.SecretFSValidator" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $fsValidator_3 (coalesce nil)) -}} +{{- $secrets = (concat (default (list ) $secrets) (list $fsValidator_3)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secrets) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretSTSLifecycle" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-sts-lifecycle" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $adminCurlFlags := (get (fromJson (include "redpanda.adminTLSCurlFlags" (dict "a" (list $dot) ))) "r") -}} +{{- $_ := (set $secret.stringData "common.sh" (join "\n" (list `#!/usr/bin/env bash` `` `# the SERVICE_NAME comes from the metadata.name of the pod, essentially the POD_NAME` (printf `CURL_URL="%s"` (get (fromJson (include "redpanda.adminInternalURL" (dict "a" (list $dot) ))) "r")) `` `# commands used throughout` (printf `CURL_NODE_ID_CMD="curl --silent --fail %s ${CURL_URL}/v1/node_config"` $adminCurlFlags) `` `CURL_MAINTENANCE_DELETE_CMD_PREFIX='curl -X DELETE --silent -o /dev/null -w "%{http_code}"'` `CURL_MAINTENANCE_PUT_CMD_PREFIX='curl -X PUT --silent -o /dev/null -w "%{http_code}"'` (printf `CURL_MAINTENANCE_GET_CMD="curl -X GET --silent %s ${CURL_URL}/v1/maintenance"` $adminCurlFlags)))) -}} +{{- $postStartSh := (list `#!/usr/bin/env bash` `# This code should be similar if not exactly the same as that found in the panda-operator, see` `# https://github.com/redpanda-data/redpanda/blob/e51d5b7f2ef76d5160ca01b8c7a8cf07593d29b6/src/go/k8s/pkg/resources/secret.go` `` `# path below should match the path defined on the statefulset` `source /var/lifecycle/common.sh` `` `postStartHook () {` ` set -x` `` ` touch /tmp/postStartHookStarted` `` ` until NODE_ID=$(${CURL_NODE_ID_CMD} | grep -o '\"node_id\":[^,}]*' | grep -o '[^: ]*$'); do` ` sleep 0.5` ` done` `` ` echo "Clearing maintenance mode on node ${NODE_ID}"` (printf ` CURL_MAINTENANCE_DELETE_CMD="${CURL_MAINTENANCE_DELETE_CMD_PREFIX} %s ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance"` $adminCurlFlags) ` # a 400 here would mean not in maintenance mode` ` until [ "${status:-}" = '"200"' ] || [ "${status:-}" = '"400"' ]; do` ` status=$(${CURL_MAINTENANCE_DELETE_CMD})` ` sleep 0.5` ` done`) -}} +{{- if (and $values.auth.sasl.enabled (ne $values.auth.sasl.secretRef "")) -}} +{{- $postStartSh = (concat (default (list ) $postStartSh) (list ` # Setup and export SASL bootstrap-user` ` IFS=":" read -r USER_NAME PASSWORD MECHANISM < <(grep "" $(find /etc/secrets/users/* -print))` (printf ` MECHANISM=${MECHANISM:-%s}` (dig "auth" "sasl" "mechanism" "SCRAM-SHA-512" $dot.Values.AsMap)) ` rpk acl user create ${USER_NAME} --password=${PASSWORD} --mechanism ${MECHANISM} || true`)) -}} +{{- end -}} +{{- $postStartSh = (concat (default (list ) $postStartSh) (list `` ` touch /tmp/postStartHookFinished` `}` `` `postStartHook` `true`)) -}} +{{- $_ := (set $secret.stringData "postStart.sh" (join "\n" $postStartSh)) -}} +{{- $preStopSh := (list `#!/usr/bin/env bash` `# This code should be similar if not exactly the same as that found in the panda-operator, see` `# https://github.com/redpanda-data/redpanda/blob/e51d5b7f2ef76d5160ca01b8c7a8cf07593d29b6/src/go/k8s/pkg/resources/secret.go` `` `touch /tmp/preStopHookStarted` `` `# path below should match the path defined on the statefulset` `source /var/lifecycle/common.sh` `` `set -x` `` `preStopHook () {` ` until NODE_ID=$(${CURL_NODE_ID_CMD} | grep -o '\"node_id\":[^,}]*' | grep -o '[^: ]*$'); do` ` sleep 0.5` ` done` `` ` echo "Setting maintenance mode on node ${NODE_ID}"` (printf ` CURL_MAINTENANCE_PUT_CMD="${CURL_MAINTENANCE_PUT_CMD_PREFIX} %s ${CURL_URL}/v1/brokers/${NODE_ID}/maintenance"` $adminCurlFlags) ` until [ "${status:-}" = '"200"' ]; do` ` status=$(${CURL_MAINTENANCE_PUT_CMD})` ` sleep 0.5` ` done` `` ` until [ "${finished:-}" = "true" ] || [ "${draining:-}" = "false" ]; do` ` res=$(${CURL_MAINTENANCE_GET_CMD})` ` finished=$(echo $res | grep -o '\"finished\":[^,}]*' | grep -o '[^: ]*$')` ` draining=$(echo $res | grep -o '\"draining\":[^,}]*' | grep -o '[^: ]*$')` ` sleep 0.5` ` done` `` ` touch /tmp/preStopHookFinished` `}`) -}} +{{- if (and (gt ($values.statefulset.replicas | int) (2 | int)) (not (get (fromJson (include "_shims.typeassertion" (dict "a" (list "bool" (dig "recovery_mode_enabled" false $values.config.node)) ))) "r"))) -}} +{{- $preStopSh = (concat (default (list ) $preStopSh) (list `preStopHook`)) -}} +{{- else -}} +{{- $preStopSh = (concat (default (list ) $preStopSh) (list `touch /tmp/preStopHookFinished` `echo "Not enough replicas or in recovery mode, cannot put a broker into maintenance mode."`)) -}} +{{- end -}} +{{- $preStopSh = (concat (default (list ) $preStopSh) (list `true`)) -}} +{{- $_ := (set $secret.stringData "preStop.sh" (join "\n" $preStopSh)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretSASLUsers" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (and (and (ne $values.auth.sasl.secretRef "") $values.auth.sasl.enabled) (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.auth.sasl.users) ))) "r") | int) (0 | int))) -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $values.auth.sasl.secretRef "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $usersTxt := (list ) -}} +{{- range $_, $user := $values.auth.sasl.users -}} +{{- if (empty $user.mechanism) -}} +{{- $usersTxt = (concat (default (list ) $usersTxt) (list (printf "%s:%s" $user.name $user.password))) -}} +{{- else -}} +{{- $usersTxt = (concat (default (list ) $usersTxt) (list (printf "%s:%s:%s" $user.name $user.password $user.mechanism))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $secret.stringData "users.txt" (join "\n" $usersTxt)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- else -}}{{- if (and $values.auth.sasl.enabled (eq $values.auth.sasl.secretRef "")) -}} +{{- $_ := (fail "auth.sasl.secretRef cannot be empty when auth.sasl.enabled=true") -}} +{{- else -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretConfigWatcher" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.statefulset.sideCars.configWatcher.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $sasl := $values.auth.sasl -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-config-watcher" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $saslUserSh := (coalesce nil) -}} +{{- $saslUserSh = (concat (default (list ) $saslUserSh) (list `#!/usr/bin/env bash` `` `trap 'error_handler $? $LINENO' ERR` `` `error_handler() {` ` echo "Error: ($1) occurred at line $2"` `}` `` `set -e` `` `# rpk cluster health can exit non-zero if it's unable to dial brokers. This` `# can happen for many reasons but we never want this script to crash as it` `# would take down yet another broker and make a bad situation worse.` `# Instead, just wait for the command to eventually exit zero.` `echo "Waiting for cluster to be ready"` `until rpk cluster health --watch --exit-when-healthy; do` ` echo "rpk cluster health failed. Waiting 5 seconds before trying again..."` ` sleep 5` `done`)) -}} +{{- if (and $sasl.enabled (ne $sasl.secretRef "")) -}} +{{- $saslUserSh = (concat (default (list ) $saslUserSh) (list `while true; do` ` echo "RUNNING: Monitoring and Updating SASL users"` ` USERS_DIR="/etc/secrets/users"` `` ` new_users_list(){` ` LIST=$1` ` NEW_USER=$2` ` if [[ -n "${LIST}" ]]; then` ` LIST="${NEW_USER},${LIST}"` ` else` ` LIST="${NEW_USER}"` ` fi` `` ` echo "${LIST}"` ` }` `` ` process_users() {` ` USERS_DIR=${1-"/etc/secrets/users"}` ` USERS_FILE=$(find ${USERS_DIR}/* -print)` ` USERS_LIST=""` ` READ_LIST_SUCCESS=0` ` # Read line by line, handle a missing EOL at the end of file` ` while read p || [ -n "$p" ] ; do` ` IFS=":" read -r USER_NAME PASSWORD MECHANISM <<< $p` ` # Do not process empty lines` ` if [ -z "$USER_NAME" ]; then` ` continue` ` fi` ` if [[ "${USER_NAME// /}" != "$USER_NAME" ]]; then` ` continue` ` fi` ` echo "Creating user ${USER_NAME}..."` (printf ` MECHANISM=${MECHANISM:-%s}` (dig "auth" "sasl" "mechanism" "SCRAM-SHA-512" $dot.Values.AsMap)) ` creation_result=$(rpk acl user create ${USER_NAME} --password=${PASSWORD} --mechanism ${MECHANISM} 2>&1) && creation_result_exit_code=$? || creation_result_exit_code=$? # On a non-success exit code` ` if [[ $creation_result_exit_code -ne 0 ]]; then` ` # Check if the stderr contains "User already exists"` ` # this error occurs when password has changed` ` if [[ $creation_result == *"User already exists"* ]]; then` ` echo "Update user ${USER_NAME}"` ` # we will try to update by first deleting` ` deletion_result=$(rpk acl user delete ${USER_NAME} 2>&1) && deletion_result_exit_code=$? || deletion_result_exit_code=$?` ` if [[ $deletion_result_exit_code -ne 0 ]]; then` ` echo "deletion of user ${USER_NAME} failed: ${deletion_result}"` ` READ_LIST_SUCCESS=1` ` break` ` fi` ` # Now we update the user` ` update_result=$(rpk acl user create ${USER_NAME} --password=${PASSWORD} --mechanism ${MECHANISM} 2>&1) && update_result_exit_code=$? || update_result_exit_code=$? # On a non-success exit code` ` if [[ $update_result_exit_code -ne 0 ]]; then` ` echo "updating user ${USER_NAME} failed: ${update_result}"` ` READ_LIST_SUCCESS=1` ` break` ` else` ` echo "Updated user ${USER_NAME}..."` ` USERS_LIST=$(new_users_list "${USERS_LIST}" "${USER_NAME}")` ` fi` ` else` ` # Another error occurred, so output the original message and exit code` ` echo "error creating user ${USER_NAME}: ${creation_result}"` ` READ_LIST_SUCCESS=1` ` break` ` fi` ` # On a success, the user was created so output that` ` else` ` echo "Created user ${USER_NAME}..."` ` USERS_LIST=$(new_users_list "${USERS_LIST}" "${USER_NAME}")` ` fi` ` done < $USERS_FILE` `` ` if [[ -n "${USERS_LIST}" && ${READ_LIST_SUCCESS} ]]; then` ` echo "Setting superusers configurations with users [${USERS_LIST}]"` ` superuser_result=$(rpk cluster config set superusers [${USERS_LIST}] 2>&1) && superuser_result_exit_code=$? || superuser_result_exit_code=$?` ` if [[ $superuser_result_exit_code -ne 0 ]]; then` ` echo "Setting superusers configurations failed: ${superuser_result}"` ` else` ` echo "Completed setting superusers configurations"` ` fi` ` fi` ` }` `` ` # first time processing` ` process_users $USERS_DIR` `` ` # subsequent changes detected here` ` # watching delete_self as documented in https://ahmet.im/blog/kubernetes-inotify/` ` USERS_FILE=$(find ${USERS_DIR}/* -print)` ` while RES=$(inotifywait -q -e delete_self ${USERS_FILE}); do` ` process_users $USERS_DIR` ` done` `done`)) -}} +{{- else -}} +{{- $saslUserSh = (concat (default (list ) $saslUserSh) (list `echo "Nothing to do. Sleeping..."` `sleep infinity`)) -}} +{{- end -}} +{{- $_ := (set $secret.stringData "sasl-user.sh" (join "\n" $saslUserSh)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretFSValidator" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.statefulset.initContainers.fsValidator.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-fs-validator" (substr 0 (49 | int) (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r"))) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $_ := (set $secret.stringData "fsValidator.sh" `set -e +EXPECTED_FS_TYPE=$1 + +DATA_DIR="/var/lib/redpanda/data" +TEST_FILE="testfile" + +echo "checking data directory exist..." +if [ ! -d "${DATA_DIR}" ]; then + echo "data directory does not exists, exiting" + exit 1 +fi + +echo "checking filesystem type..." +FS_TYPE=$(df -T $DATA_DIR | tail -n +2 | awk '{print $2}') + +if [ "${FS_TYPE}" != "${EXPECTED_FS_TYPE}" ]; then + echo "file system found to be ${FS_TYPE} when expected ${EXPECTED_FS_TYPE}" + exit 1 +fi + +echo "checking if able to create a test file..." + +touch ${DATA_DIR}/${TEST_FILE} +result=$(touch ${DATA_DIR}/${TEST_FILE} 2> /dev/null; echo $?) +if [ "${result}" != "0" ]; then + echo "could not write testfile, may not have write permission" + exit 1 +fi + +echo "checking if able to delete a test file..." + +result=$(rm ${DATA_DIR}/${TEST_FILE} 2> /dev/null; echo $?) +if [ "${result}" != "0" ]; then + echo "could not delete testfile" + exit 1 +fi + +echo "passed"`) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretConfigurator" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $secret := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Secret" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%.51s-configurator" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "type" "Opaque" "stringData" (dict ) )) -}} +{{- $configuratorSh := (list ) -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (list `set -xe` `SERVICE_NAME=$1` `KUBERNETES_NODE_NAME=$2` `POD_ORDINAL=${SERVICE_NAME##*-}` "BROKER_INDEX=`expr $POD_ORDINAL + 1`" `` `CONFIG=/etc/redpanda/redpanda.yaml` `` `# Setup config files` `cp /tmp/base-config/redpanda.yaml "${CONFIG}"` `cp /tmp/base-config/bootstrap.yaml /etc/redpanda/.bootstrap.yaml`)) -}} +{{- if (not (get (fromJson (include "redpanda.RedpandaAtLeast_22_3_0" (dict "a" (list $dot) ))) "r")) -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (list `` `# Configure bootstrap` `## Not used for Redpanda v22.3.0+` `rpk --config "${CONFIG}" redpanda config set redpanda.node_id "${POD_ORDINAL}"` `if [ "${POD_ORDINAL}" = "0" ]; then` ` rpk --config "${CONFIG}" redpanda config set redpanda.seed_servers '[]' --format yaml` `fi`)) -}} +{{- end -}} +{{- $kafkaSnippet := (get (fromJson (include "redpanda.secretConfiguratorKafkaConfig" (dict "a" (list $dot) ))) "r") -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (default (list ) $kafkaSnippet)) -}} +{{- $httpSnippet := (get (fromJson (include "redpanda.secretConfiguratorHTTPConfig" (dict "a" (list $dot) ))) "r") -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (default (list ) $httpSnippet)) -}} +{{- if (and (get (fromJson (include "redpanda.RedpandaAtLeast_22_3_0" (dict "a" (list $dot) ))) "r") $values.rackAwareness.enabled) -}} +{{- $configuratorSh = (concat (default (list ) $configuratorSh) (list `` `# Configure Rack Awareness` `set +x` (printf `RACK=$(curl --silent --cacert /run/secrets/kubernetes.io/serviceaccount/ca.crt --fail -H 'Authorization: Bearer '$(cat /run/secrets/kubernetes.io/serviceaccount/token) "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT_HTTPS}/api/v1/nodes/${KUBERNETES_NODE_NAME}?pretty=true" | grep %s | grep -v '\"key\":' | sed 's/.*": "\([^"]\+\).*/\1/')` (squote (quote $values.rackAwareness.nodeAnnotation))) `set -x` `rpk --config "$CONFIG" redpanda config set redpanda.rack "${RACK}"`)) -}} +{{- end -}} +{{- $_ := (set $secret.stringData "configurator.sh" (join "\n" $configuratorSh)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $secret) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.secretConfiguratorKafkaConfig" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $internalAdvertiseAddress := (printf "%s.%s" "${SERVICE_NAME}" (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) -}} +{{- $snippet := (coalesce nil) -}} +{{- $listenerName := "kafka" -}} +{{- $listenerAdvertisedName := $listenerName -}} +{{- $redpandaConfigPart := "redpanda" -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `LISTENER=%s` (quote (toJson (dict "name" "internal" "address" $internalAdvertiseAddress "port" ($values.listeners.kafka.port | int) )))) (printf `rpk redpanda config --config "$CONFIG" set %s.advertised_%s_api[0] "$LISTENER"` $redpandaConfigPart $listenerAdvertisedName))) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.listeners.kafka.external) ))) "r") | int) (0 | int)) -}} +{{- $externalCounter := (0 | int) -}} +{{- range $externalName, $externalVals := $values.listeners.kafka.external -}} +{{- $externalCounter = ((add $externalCounter (1 | int)) | int) -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `ADVERTISED_%s_ADDRESSES=()` (upper $listenerName)))) -}} +{{- range $_, $replicaIndex := (until (($values.statefulset.replicas | int) | int)) -}} +{{- $port := ($externalVals.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = (index $externalVals.advertisedPorts (0 | int)) -}} +{{- else -}} +{{- $port = (index $externalVals.advertisedPorts $replicaIndex) -}} +{{- end -}} +{{- end -}} +{{- $host := (get (fromJson (include "redpanda.advertisedHostJSON" (dict "a" (list $dot $externalName $port $replicaIndex) ))) "r") -}} +{{- $address := (toJson $host) -}} +{{- $prefixTemplate := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $externalVals.prefixTemplate "") ))) "r") -}} +{{- if (eq $prefixTemplate "") -}} +{{- $prefixTemplate = (default "" $values.external.prefixTemplate) -}} +{{- end -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `PREFIX_TEMPLATE=%s` (quote $prefixTemplate)) (printf `ADVERTISED_%s_ADDRESSES+=(%s)` (upper $listenerName) (quote $address)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `rpk redpanda config --config "$CONFIG" set %s.advertised_%s_api[%d] "${ADVERTISED_%s_ADDRESSES[$POD_ORDINAL]}"` $redpandaConfigPart $listenerAdvertisedName $externalCounter (upper $listenerName)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $snippet) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.secretConfiguratorHTTPConfig" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $internalAdvertiseAddress := (printf "%s.%s" "${SERVICE_NAME}" (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) -}} +{{- $snippet := (coalesce nil) -}} +{{- $listenerName := "http" -}} +{{- $listenerAdvertisedName := "pandaproxy" -}} +{{- $redpandaConfigPart := "pandaproxy" -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `LISTENER=%s` (quote (toJson (dict "name" "internal" "address" $internalAdvertiseAddress "port" ($values.listeners.http.port | int) )))) (printf `rpk redpanda config --config "$CONFIG" set %s.advertised_%s_api[0] "$LISTENER"` $redpandaConfigPart $listenerAdvertisedName))) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.listeners.http.external) ))) "r") | int) (0 | int)) -}} +{{- $externalCounter := (0 | int) -}} +{{- range $externalName, $externalVals := $values.listeners.http.external -}} +{{- $externalCounter = ((add $externalCounter (1 | int)) | int) -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `ADVERTISED_%s_ADDRESSES=()` (upper $listenerName)))) -}} +{{- range $_, $replicaIndex := (until (($values.statefulset.replicas | int) | int)) -}} +{{- $port := ($externalVals.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $externalVals.advertisedPorts) ))) "r") | int) (1 | int)) -}} +{{- $port = (index $externalVals.advertisedPorts (0 | int)) -}} +{{- else -}} +{{- $port = (index $externalVals.advertisedPorts $replicaIndex) -}} +{{- end -}} +{{- end -}} +{{- $host := (get (fromJson (include "redpanda.advertisedHostJSON" (dict "a" (list $dot $externalName $port $replicaIndex) ))) "r") -}} +{{- $address := (toJson $host) -}} +{{- $prefixTemplate := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $externalVals.prefixTemplate "") ))) "r") -}} +{{- if (eq $prefixTemplate "") -}} +{{- $prefixTemplate = (default "" $values.external.prefixTemplate) -}} +{{- end -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `PREFIX_TEMPLATE=%s` (quote $prefixTemplate)) (printf `ADVERTISED_%s_ADDRESSES+=(%s)` (upper $listenerName) (quote $address)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $snippet = (concat (default (list ) $snippet) (list `` (printf `rpk redpanda config --config "$CONFIG" set %s.advertised_%s_api[%d] "${ADVERTISED_%s_ADDRESSES[$POD_ORDINAL]}"` $redpandaConfigPart $listenerAdvertisedName $externalCounter (upper $listenerName)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $snippet) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.adminTLSCurlFlags" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" "") | toJson -}} +{{- break -}} +{{- end -}} +{{- $path := (printf "/etc/tls/certs/%s" $values.listeners.admin.tls.cert) -}} +{{- if $values.listeners.admin.tls.requireClientAuth -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "--cacert %s/ca.crt --cert %s/tls.crt --key %s/tls.key" $path $path $path)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "--cacert %s/ca.crt" $path)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.externalAdvertiseAddress" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $eaa := "${SERVICE_NAME}" -}} +{{- $externalDomainTemplate := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r") -}} +{{- $expanded := (tpl $externalDomainTemplate $dot) -}} +{{- if (not (empty $expanded)) -}} +{{- $eaa = (printf "%s.%s" "${SERVICE_NAME}" $expanded) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $eaa) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.advertisedHostJSON" -}} +{{- $dot := (index .a 0) -}} +{{- $externalName := (index .a 1) -}} +{{- $port := (index .a 2) -}} +{{- $replicaIndex := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $host := (dict "name" $externalName "address" (get (fromJson (include "redpanda.externalAdvertiseAddress" (dict "a" (list $dot) ))) "r") "port" $port ) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (0 | int)) -}} +{{- $address := "" -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) (1 | int)) -}} +{{- $address = (index $values.external.addresses $replicaIndex) -}} +{{- else -}} +{{- $address = (index $values.external.addresses (0 | int)) -}} +{{- end -}} +{{- $domain_4 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r") -}} +{{- if (ne $domain_4 "") -}} +{{- $host = (dict "name" $externalName "address" (printf "%s.%s" $address $domain_4) "port" $port ) -}} +{{- else -}} +{{- $host = (dict "name" $externalName "address" $address "port" $port ) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $host) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.adminInternalHTTPProtocol" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r") -}} +{{- $_is_returning = true -}} +{{- (dict "r" "https") | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "http") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.adminInternalURL" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s://%s.%s.%s.svc.%s:%d" (get (fromJson (include "redpanda.adminInternalHTTPProtocol" (dict "a" (list $dot) ))) "r") `${SERVICE_NAME}` (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") $dot.Release.Namespace (trimSuffix "." $values.clusterDomain) ($values.listeners.admin.port | int))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/templates/_service.internal.go.tpl b/charts/redpanda/redpanda/5.9.2/templates/_service.internal.go.tpl new file mode 100644 index 000000000..9c63aac1c --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/_service.internal.go.tpl @@ -0,0 +1,38 @@ +{{- /* Generated from "service_internal.go" */ -}} + +{{- define "redpanda.MonitoringEnabledLabel" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "monitoring.redpanda.com/enabled" (printf "%t" $values.monitoring.enabled) )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ServiceInternal" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $ports := (list ) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "admin" "protocol" "TCP" "appProtocol" $values.listeners.admin.appProtocol "port" ($values.listeners.admin.port | int) "targetPort" ($values.listeners.admin.port | int) )))) -}} +{{- if $values.listeners.http.enabled -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "http" "protocol" "TCP" "port" ($values.listeners.http.port | int) "targetPort" ($values.listeners.http.port | int) )))) -}} +{{- end -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "kafka" "protocol" "TCP" "port" ($values.listeners.kafka.port | int) "targetPort" ($values.listeners.kafka.port | int) )))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "rpc" "protocol" "TCP" "port" ($values.listeners.rpc.port | int) "targetPort" ($values.listeners.rpc.port | int) )))) -}} +{{- if $values.listeners.schemaRegistry.enabled -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" "schemaregistry" "protocol" "TCP" "port" ($values.listeners.schemaRegistry.port | int) "targetPort" ($values.listeners.schemaRegistry.port | int) )))) -}} +{{- end -}} +{{- $annotations := (dict ) -}} +{{- if (ne $values.service (coalesce nil)) -}} +{{- $annotations = $values.service.internal.annotations -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (merge (dict ) (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.MonitoringEnabledLabel" (dict "a" (list $dot) ))) "r")) "annotations" $annotations )) "spec" (mustMergeOverwrite (dict ) (dict "type" "ClusterIP" "publishNotReadyAddresses" true "clusterIP" "None" "selector" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") "ports" $ports )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/templates/_service.loadbalancer.go.tpl b/charts/redpanda/redpanda/5.9.2/templates/_service.loadbalancer.go.tpl new file mode 100644 index 000000000..dbc754750 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/_service.loadbalancer.go.tpl @@ -0,0 +1,101 @@ +{{- /* Generated from "service.loadbalancer.go" */ -}} + +{{- define "redpanda.LoadBalancerServices" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.external.enabled) (not $values.external.service.enabled)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (ne $values.external.type "LoadBalancer") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $externalDNS := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.externalDns (mustMergeOverwrite (dict "enabled" false ) (dict ))) ))) "r") -}} +{{- $labels := (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") -}} +{{- $_ := (set $labels "repdanda.com/type" "loadbalancer") -}} +{{- $selector := (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") -}} +{{- $services := (coalesce nil) -}} +{{- $replicas := ($values.statefulset.replicas | int) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) (($values.statefulset.replicas | int)|int) (1|int) -}} +{{- $podname := (printf "%s-%d" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") $i) -}} +{{- $annotations := (dict ) -}} +{{- range $k, $v := $values.external.annotations -}} +{{- $_ := (set $annotations $k $v) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if $externalDNS.enabled -}} +{{- $prefix := $podname -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $values.external.addresses) ))) "r") | int) ($i | int)) -}} +{{- $prefix = (index $values.external.addresses $i) -}} +{{- end -}} +{{- $address := (printf "%s.%s" $prefix (tpl $values.external.domain $dot)) -}} +{{- $_ := (set $annotations "external-dns.alpha.kubernetes.io/hostname" $address) -}} +{{- end -}} +{{- $podSelector := (dict ) -}} +{{- range $k, $v := $selector -}} +{{- $_ := (set $podSelector $k $v) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $podSelector "statefulset.kubernetes.io/pod-name" $podname) -}} +{{- $ports := (coalesce nil) -}} +{{- range $name, $listener := $values.listeners.admin.external -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($values.listeners.admin.port | int))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "admin-%s" $name) "protocol" "TCP" "targetPort" ($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.kafka.external -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($listener.port | int))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "kafka-%s" $name) "protocol" "TCP" "targetPort" ($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.http.external -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($listener.port | int))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "http-%s" $name) "protocol" "TCP" "targetPort" ($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.schemaRegistry.external -}} +{{- if (not (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.enabled $values.external.enabled) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $fallbackPorts := (concat (default (list ) $listener.advertisedPorts) (list ($listener.port | int))) -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "schema-%s" $name) "protocol" "TCP" "targetPort" ($listener.port | int) "port" ((get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $listener.nodePort (index $fallbackPorts (0 | int))) ))) "r") | int) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $svc := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "lb-%s" $podname) "namespace" $dot.Release.Namespace "labels" $labels "annotations" $annotations )) "spec" (mustMergeOverwrite (dict ) (dict "externalTrafficPolicy" "Local" "loadBalancerSourceRanges" $values.external.sourceRanges "ports" $ports "publishNotReadyAddresses" true "selector" $podSelector "sessionAffinity" "None" "type" "LoadBalancer" )) )) -}} +{{- $services = (concat (default (list ) $services) (list $svc)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $services) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/templates/_service.nodeport.go.tpl b/charts/redpanda/redpanda/5.9.2/templates/_service.nodeport.go.tpl new file mode 100644 index 000000000..5bec96af5 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/_service.nodeport.go.tpl @@ -0,0 +1,80 @@ +{{- /* Generated from "service.nodeport.go" */ -}} + +{{- define "redpanda.NodePortService" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.external.enabled) (not $values.external.service.enabled)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (ne $values.external.type "NodePort") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $ports := (coalesce nil) -}} +{{- range $name, $listener := $values.listeners.admin.external -}} +{{- if (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $nodePort := ($listener.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}} +{{- end -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "admin-%s" $name) "protocol" "TCP" "port" ($listener.port | int) "nodePort" $nodePort )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.kafka.external -}} +{{- if (not (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $nodePort := ($listener.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}} +{{- end -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "kafka-%s" $name) "protocol" "TCP" "port" ($listener.port | int) "nodePort" $nodePort )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.http.external -}} +{{- if (not (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $nodePort := ($listener.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}} +{{- end -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "http-%s" $name) "protocol" "TCP" "port" ($listener.port | int) "nodePort" $nodePort )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $name, $listener := $values.listeners.schemaRegistry.external -}} +{{- if (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $listener) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $nodePort := ($listener.port | int) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $listener.advertisedPorts) ))) "r") | int) (0 | int)) -}} +{{- $nodePort = (index $listener.advertisedPorts (0 | int)) -}} +{{- end -}} +{{- $ports = (concat (default (list ) $ports) (list (mustMergeOverwrite (dict "port" 0 "targetPort" 0 ) (dict "name" (printf "schema-%s" $name) "protocol" "TCP" "port" ($listener.port | int) "nodePort" $nodePort )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $annotations := $values.external.annotations -}} +{{- if (eq $annotations (coalesce nil)) -}} +{{- $annotations = (dict ) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict ) "status" (dict "loadBalancer" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "Service" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-external" (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $annotations )) "spec" (mustMergeOverwrite (dict ) (dict "externalTrafficPolicy" "Local" "ports" $ports "publishNotReadyAddresses" true "selector" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") "sessionAffinity" "None" "type" "NodePort" )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/templates/_serviceaccount.go.tpl b/charts/redpanda/redpanda/5.9.2/templates/_serviceaccount.go.tpl new file mode 100644 index 000000000..9122cbd2a --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/_serviceaccount.go.tpl @@ -0,0 +1,18 @@ +{{- /* Generated from "serviceaccount.go" */ -}} + +{{- define "redpanda.ServiceAccount" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.serviceAccount.create) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "v1" "kind" "ServiceAccount" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/templates/_servicemonitor.go.tpl b/charts/redpanda/redpanda/5.9.2/templates/_servicemonitor.go.tpl new file mode 100644 index 000000000..97d3f3325 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/_servicemonitor.go.tpl @@ -0,0 +1,26 @@ +{{- /* Generated from "servicemonitor.go" */ -}} + +{{- define "redpanda.ServiceMonitor" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.monitoring.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $endpoint := (mustMergeOverwrite (dict ) (dict "interval" $values.monitoring.scrapeInterval "path" "/public_metrics" "port" "admin" "enableHttp2" $values.monitoring.enableHttp2 "scheme" "http" )) -}} +{{- if (or (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $values.listeners.admin.tls $values.tls) ))) "r") (ne $values.monitoring.tlsConfig (coalesce nil))) -}} +{{- $_ := (set $endpoint "scheme" "https") -}} +{{- $_ := (set $endpoint "tlsConfig" $values.monitoring.tlsConfig) -}} +{{- if (eq $endpoint.tlsConfig (coalesce nil)) -}} +{{- $_ := (set $endpoint "tlsConfig" (mustMergeOverwrite (dict "ca" (dict ) "cert" (dict ) ) (mustMergeOverwrite (dict "ca" (dict ) "cert" (dict ) ) (dict "insecureSkipVerify" true )) (dict ))) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "endpoints" (coalesce nil) "selector" (dict ) "namespaceSelector" (dict ) ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "monitoring.coreos.com/v1" "kind" "ServiceMonitor" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (merge (dict ) (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") $values.monitoring.labels) )) "spec" (mustMergeOverwrite (dict "endpoints" (coalesce nil) "selector" (dict ) "namespaceSelector" (dict ) ) (dict "endpoints" (list $endpoint) "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (dict "monitoring.redpanda.com/enabled" "true" "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name ) )) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/templates/_shims.tpl b/charts/redpanda/redpanda/5.9.2/templates/_shims.tpl new file mode 100644 index 000000000..e3bb40e41 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/_shims.tpl @@ -0,0 +1,289 @@ +{{- /* Generated from "bootstrap.go" */ -}} + +{{- define "_shims.typetest" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs $typ $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.typeassertion" -}} +{{- $typ := (index .a 0) -}} +{{- $value := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not (typeIs $typ $value)) -}} +{{- $_ := (fail (printf "expected type of %q got: %T" $typ $value)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $value) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.dicttest" -}} +{{- $m := (index .a 0) -}} +{{- $key := (index .a 1) -}} +{{- $zero := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (hasKey $m $key) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (index $m $key) true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $zero false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.compact" -}} +{{- $args := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $out := (dict ) -}} +{{- range $i, $e := $args -}} +{{- $_ := (set $out (printf "T%d" ((add (1 | int) $i) | int)) $e) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $out) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.deref" -}} +{{- $ptr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq $ptr (coalesce nil)) -}} +{{- $_ := (fail "nil dereference") -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.len" -}} +{{- $m := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq $m (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (0 | int)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (len $m)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Deref" -}} +{{- $ptr := (index .a 0) -}} +{{- $def := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne $ptr (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ptr) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $def) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.ptr_Equal" -}} +{{- $a := (index .a 0) -}} +{{- $b := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (eq $a (coalesce nil)) (eq $b (coalesce nil))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (eq $a $b)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.lookup" -}} +{{- $apiVersion := (index .a 0) -}} +{{- $kind := (index .a 1) -}} +{{- $namespace := (index .a 2) -}} +{{- $name := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (lookup $apiVersion $kind $namespace $name) -}} +{{- if (empty $result) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (coalesce nil) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $result true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asnumeric" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs "float64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int64" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (typeIs "int" $value) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.asintegral" -}} +{{- $value := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (or (typeIs "int64" $value) (typeIs "int" $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (and (typeIs "float64" $value) (eq (floor $value) $value)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $value true)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (0 | int) false)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.parseResource" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (typeIs "float64" $repr) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (float64 $repr) 1.0)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (not (typeIs "string" $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity expected string or float64 got: %T (%v)" $repr $repr)) -}} +{{- end -}} +{{- if (not (regexMatch `^[0-9]+(\.[0-9]{0,6})?(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$` $repr)) -}} +{{- $_ := (fail (printf "invalid Quantity: %q" $repr)) -}} +{{- end -}} +{{- $reprStr := (toString $repr) -}} +{{- $unit := (regexFind "(k|m|M|G|T|P|Ki|Mi|Gi|Ti|Pi)$" $repr) -}} +{{- $numeric := (float64 (substr (0 | int) ((sub ((get (fromJson (include "_shims.len" (dict "a" (list $reprStr) ))) "r") | int) ((get (fromJson (include "_shims.len" (dict "a" (list $unit) ))) "r") | int)) | int) $reprStr)) -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list (dict "" 1.0 "m" 0.001 "k" (1000 | int) "M" (1000000 | int) "G" (1000000000 | int) "T" (1000000000000 | int) "P" (1000000000000000 | int) "Ki" (1024 | int) "Mi" (1048576 | int) "Gi" (1073741824 | int) "Ti" (1099511627776 | int) "Pi" (1125899906842624 | int) ) $unit (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_1.T2 -}} +{{- $scale := ($tmp_tuple_1.T1 | float64) -}} +{{- if (not $ok) -}} +{{- $_ := (fail (printf "unknown unit: %q" $unit)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $numeric $scale)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MustParse" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_2.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_2.T1 | float64) -}} +{{- $strs := (list "" "m" "k" "M" "G" "T" "P" "Ki" "Mi" "Gi" "Ti" "Pi") -}} +{{- $scales := (list 1.0 0.001 (1000 | int) (1000000 | int) (1000000000 | int) (1000000000000 | int) (1000000000000000 | int) (1024 | int) (1048576 | int) (1073741824 | int) (1099511627776 | int) (1125899906842624 | int)) -}} +{{- $idx := -1 -}} +{{- range $i, $s := $scales -}} +{{- if (eq ($s | float64) ($scale | float64)) -}} +{{- $idx = $i -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if (eq $idx -1) -}} +{{- $_ := (fail (printf "unknown scale: %v" $scale)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s%s" (toString $numeric) (index $strs $idx))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_Value" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_3.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_3.T1 | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf $numeric $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.resource_MilliValue" -}} +{{- $repr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.parseResource" (dict "a" (list $repr) ))) "r")) ))) "r") -}} +{{- $scale := ($tmp_tuple_4.T2 | float64) -}} +{{- $numeric := ($tmp_tuple_4.T1 | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (int64 (ceil ((mulf ((mulf $numeric 1000.0) | float64) $scale) | float64)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "_shims.render-manifest" -}} +{{- $tpl := (index . 0) -}} +{{- $dot := (index . 1) -}} +{{- $manifests := (get ((include $tpl (dict "a" (list $dot))) | fromJson) "r") -}} +{{- if not (typeIs "[]interface {}" $manifests) -}} +{{- $manifests = (list $manifests) -}} +{{- end -}} +{{- range $_, $manifest := $manifests -}} +{{- if ne $manifest nil }} +--- +{{toYaml (unset (unset $manifest "status") "creationTimestamp")}} +{{- end -}} +{{- end -}} +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.2/templates/_statefulset.go.tpl b/charts/redpanda/redpanda/5.9.2/templates/_statefulset.go.tpl new file mode 100644 index 000000000..a7b73c98a --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/_statefulset.go.tpl @@ -0,0 +1,677 @@ +{{- /* Generated from "statefulset.go" */ -}} + +{{- define "redpanda.statefulSetRedpandaEnv" -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "SERVICE_NAME" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "metadata.name" )) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "POD_IP" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "status.podIP" )) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "HOST_IP" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "status.hostIP" )) )) )))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetPodLabelsSelector" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if $dot.Release.IsUpgrade -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.lookup" (dict "a" (list "apps/v1" "StatefulSet" $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) ))) "r")) ))) "r") -}} +{{- $ok_2 := $tmp_tuple_1.T2 -}} +{{- $existing_1 := $tmp_tuple_1.T1 -}} +{{- if (and $ok_2 (gt ((get (fromJson (include "_shims.len" (dict "a" (list $existing_1.spec.selector.matchLabels) ))) "r") | int) (0 | int))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $existing_1.spec.selector.matchLabels) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $values := $dot.Values.AsMap -}} +{{- $additionalSelectorLabels := (dict ) -}} +{{- if (ne $values.statefulset.additionalSelectorLabels (coalesce nil)) -}} +{{- $additionalSelectorLabels = $values.statefulset.additionalSelectorLabels -}} +{{- end -}} +{{- $component := (printf "%s-statefulset" (trimSuffix "-" (trunc (51 | int) (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r")))) -}} +{{- $defaults := (dict "app.kubernetes.io/component" $component "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") ) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $additionalSelectorLabels $defaults)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetPodLabels" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if $dot.Release.IsUpgrade -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.lookup" (dict "a" (list "apps/v1" "StatefulSet" $dot.Release.Namespace (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) ))) "r")) ))) "r") -}} +{{- $ok_4 := $tmp_tuple_2.T2 -}} +{{- $existing_3 := $tmp_tuple_2.T1 -}} +{{- if (and $ok_4 (gt ((get (fromJson (include "_shims.len" (dict "a" (list $existing_3.spec.template.metadata.labels) ))) "r") | int) (0 | int))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $existing_3.spec.template.metadata.labels) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} +{{- $values := $dot.Values.AsMap -}} +{{- $statefulSetLabels := (dict ) -}} +{{- if (ne $values.statefulset.podTemplate.labels (coalesce nil)) -}} +{{- $statefulSetLabels = $values.statefulset.podTemplate.labels -}} +{{- end -}} +{{- $defaults := (dict "redpanda.com/poddisruptionbudget" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") ) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $statefulSetLabels (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") $defaults (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetPodAnnotations" -}} +{{- $dot := (index .a 0) -}} +{{- $configMapChecksum := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $configMapChecksumAnnotation := (dict "config.redpanda.com/checksum" $configMapChecksum ) -}} +{{- if (ne $values.statefulset.podTemplate.annotations (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $values.statefulset.podTemplate.annotations $configMapChecksumAnnotation)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (merge (dict ) $values.statefulset.annotations $configMapChecksumAnnotation)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $fullname := (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") -}} +{{- $volumes := (get (fromJson (include "redpanda.CommonVolumes" (dict "a" (list $dot) ))) "r") -}} +{{- $values := $dot.Values.AsMap -}} +{{- $volumes = (concat (default (list ) $volumes) (default (list ) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%.50s-sts-lifecycle" $fullname) "defaultMode" (0o775 | int) )) )) (dict "name" "lifecycle-scripts" )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $fullname )) (dict )) )) (dict "name" $fullname )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "emptyDir" (mustMergeOverwrite (dict ) (dict )) )) (dict "name" "config" )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%.51s-configurator" $fullname) "defaultMode" (0o775 | int) )) )) (dict "name" (printf "%.51s-configurator" $fullname) )) (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%s-config-watcher" $fullname) "defaultMode" (0o775 | int) )) )) (dict "name" (printf "%s-config-watcher" $fullname) ))))) -}} +{{- if $values.statefulset.initContainers.fsValidator.enabled -}} +{{- $volumes = (concat (default (list ) $volumes) (list (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (dict "secretName" (printf "%.49s-fs-validator" $fullname) "defaultMode" (0o775 | int) )) )) (dict "name" (printf "%.49s-fs-validator" $fullname) )))) -}} +{{- end -}} +{{- $vol_5 := (get (fromJson (include "redpanda.Listeners.TrustStoreVolume" (dict "a" (list $values.listeners $values.tls) ))) "r") -}} +{{- if (ne $vol_5 (coalesce nil)) -}} +{{- $volumes = (concat (default (list ) $volumes) (list $vol_5)) -}} +{{- end -}} +{{- $volumes = (concat (default (list ) $volumes) (default (list ) (get (fromJson (include "redpanda.templateToVolumes" (dict "a" (list $dot $values.statefulset.extraVolumes) ))) "r"))) -}} +{{- $volumes = (concat (default (list ) $volumes) (list (get (fromJson (include "redpanda.statefulSetVolumeDataDir" (dict "a" (list $dot) ))) "r"))) -}} +{{- $v_6 := (get (fromJson (include "redpanda.statefulSetVolumeTieredStorageDir" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $v_6 (coalesce nil)) -}} +{{- $volumes = (concat (default (list ) $volumes) (list $v_6)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $volumes) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetVolumeDataDir" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $datadirSource := (mustMergeOverwrite (dict ) (dict "emptyDir" (mustMergeOverwrite (dict ) (dict )) )) -}} +{{- if $values.storage.persistentVolume.enabled -}} +{{- $datadirSource = (mustMergeOverwrite (dict ) (dict "persistentVolumeClaim" (mustMergeOverwrite (dict "claimName" "" ) (dict "claimName" "datadir" )) )) -}} +{{- else -}}{{- if (ne $values.storage.hostPath "") -}} +{{- $datadirSource = (mustMergeOverwrite (dict ) (dict "hostPath" (mustMergeOverwrite (dict "path" "" ) (dict "path" $values.storage.hostPath )) )) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) $datadirSource (dict "name" "datadir" ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetVolumeTieredStorageDir" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $tieredType := (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") -}} +{{- if (or (eq $tieredType "none") (eq $tieredType "persistentVolume")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (eq $tieredType "hostPath") -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "hostPath" (mustMergeOverwrite (dict "path" "" ) (dict "path" (get (fromJson (include "redpanda.Storage.GetTieredStorageHostPath" (dict "a" (list $values.storage) ))) "r") )) )) (dict "name" "tiered-storage-dir" ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "emptyDir" (mustMergeOverwrite (dict ) (dict "sizeLimit" (get (fromJson (include "redpanda.Storage.CloudStorageCacheSize" (dict "a" (list $values.storage) ))) "r") )) )) (dict "name" "tiered-storage-dir" ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetVolumeMounts" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $mounts := (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r") -}} +{{- $values := $dot.Values.AsMap -}} +{{- $mounts = (concat (default (list ) $mounts) (default (list ) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/etc/redpanda" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "mountPath" "/tmp/base-config" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "lifecycle-scripts" "mountPath" "/var/lifecycle" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "datadir" "mountPath" "/var/lib/redpanda/data" ))))) -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list (get (fromJson (include "redpanda.Listeners.TrustStores" (dict "a" (list $values.listeners $values.tls) ))) "r")) ))) "r") | int) (0 | int)) -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "truststores" "mountPath" "/etc/truststores" "readOnly" true )))) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $mounts) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetInitContainers" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $containers := (coalesce nil) -}} +{{- $c_7 := (get (fromJson (include "redpanda.statefulSetInitContainerTuning" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $c_7 (coalesce nil)) -}} +{{- $containers = (concat (default (list ) $containers) (list $c_7)) -}} +{{- end -}} +{{- $c_8 := (get (fromJson (include "redpanda.statefulSetInitContainerSetDataDirOwnership" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $c_8 (coalesce nil)) -}} +{{- $containers = (concat (default (list ) $containers) (list $c_8)) -}} +{{- end -}} +{{- $c_9 := (get (fromJson (include "redpanda.statefulSetInitContainerFSValidator" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $c_9 (coalesce nil)) -}} +{{- $containers = (concat (default (list ) $containers) (list $c_9)) -}} +{{- end -}} +{{- $c_10 := (get (fromJson (include "redpanda.statefulSetInitContainerSetTieredStorageCacheDirOwnership" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $c_10 (coalesce nil)) -}} +{{- $containers = (concat (default (list ) $containers) (list $c_10)) -}} +{{- end -}} +{{- $containers = (concat (default (list ) $containers) (list (get (fromJson (include "redpanda.statefulSetInitContainerConfigurator" (dict "a" (list $dot) ))) "r"))) -}} +{{- $containers = (concat (default (list ) $containers) (default (list ) (get (fromJson (include "redpanda.templateToContainers" (dict "a" (list $dot $values.statefulset.initContainers.extraInitContainers) ))) "r"))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $containers) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetInitContainerTuning" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.tuning.tune_aio_events) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "tuning" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list `/bin/bash` `-c` `rpk redpanda tune all`) "securityContext" (mustMergeOverwrite (dict ) (dict "capabilities" (mustMergeOverwrite (dict ) (dict "add" (list `SYS_RESOURCE`) )) "privileged" true "runAsUser" ((0 | int64) | int64) "runAsGroup" ((0 | int64) | int64) )) "volumeMounts" (concat (default (list ) (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.tuning.extraVolumeMounts) ))) "r")))) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "mountPath" "/etc/redpanda" )))) "resources" $values.statefulset.initContainers.tuning.resources ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetInitContainerSetDataDirOwnership" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.statefulset.initContainers.setDataDirOwnership.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "redpanda.securityContextUidGid" (dict "a" (list $dot "set-datadir-ownership") ))) "r")) ))) "r") -}} +{{- $gid := ($tmp_tuple_3.T2 | int64) -}} +{{- $uid := ($tmp_tuple_3.T1 | int64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "set-datadir-ownership" "image" (printf "%s:%s" $values.statefulset.initContainerImage.repository $values.statefulset.initContainerImage.tag) "command" (list `/bin/sh` `-c` (printf `chown %d:%d -R /var/lib/redpanda/data` $uid $gid)) "volumeMounts" (concat (default (list ) (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.setDataDirOwnership.extraVolumeMounts) ))) "r")))) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" `datadir` "mountPath" `/var/lib/redpanda/data` )))) "resources" $values.statefulset.initContainers.setDataDirOwnership.resources ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.securityContextUidGid" -}} +{{- $dot := (index .a 0) -}} +{{- $containerName := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $uid := $values.statefulset.securityContext.runAsUser -}} +{{- if (and (ne $values.statefulset.podSecurityContext (coalesce nil)) (ne $values.statefulset.podSecurityContext.runAsUser (coalesce nil))) -}} +{{- $uid = $values.statefulset.podSecurityContext.runAsUser -}} +{{- end -}} +{{- if (eq $uid (coalesce nil)) -}} +{{- $_ := (fail (printf `%s container requires runAsUser to be specified` $containerName)) -}} +{{- end -}} +{{- $gid := $values.statefulset.securityContext.fsGroup -}} +{{- if (and (ne $values.statefulset.podSecurityContext (coalesce nil)) (ne $values.statefulset.podSecurityContext.fsGroup (coalesce nil))) -}} +{{- $gid = $values.statefulset.podSecurityContext.fsGroup -}} +{{- end -}} +{{- if (eq $gid (coalesce nil)) -}} +{{- $_ := (fail (printf `%s container requires fsGroup to be specified` $containerName)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (list $uid $gid)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetInitContainerFSValidator" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.statefulset.initContainers.fsValidator.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "fs-validator" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list `/bin/sh`) "args" (list `-c` (printf `trap "exit 0" TERM; exec /etc/secrets/fs-validator/scripts/fsValidator.sh %s & wait $!` $values.statefulset.initContainers.fsValidator.expectedFS)) "securityContext" (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r") "volumeMounts" (concat (default (list ) (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.fsValidator.extraVolumeMounts) ))) "r")))) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf `%.49s-fs-validator` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "mountPath" `/etc/secrets/fs-validator/scripts/` )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" `datadir` "mountPath" `/var/lib/redpanda/data` )))) "resources" $values.statefulset.initContainers.fsValidator.resources ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetInitContainerSetTieredStorageCacheDirOwnership" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "redpanda.securityContextUidGid" (dict "a" (list $dot "set-tiered-storage-cache-dir-ownership") ))) "r")) ))) "r") -}} +{{- $gid := ($tmp_tuple_4.T2 | int64) -}} +{{- $uid := ($tmp_tuple_4.T1 | int64) -}} +{{- $cacheDir := (get (fromJson (include "redpanda.Storage.TieredCacheDirectory" (dict "a" (list $values.storage $dot) ))) "r") -}} +{{- $mounts := (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r") -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "datadir" "mountPath" "/var/lib/redpanda/data" )))) -}} +{{- if (ne (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") "none") -}} +{{- $name := "tiered-storage-dir" -}} +{{- if (and (ne $values.storage.persistentVolume (coalesce nil)) (ne $values.storage.persistentVolume.nameOverwrite "")) -}} +{{- $name = $values.storage.persistentVolume.nameOverwrite -}} +{{- end -}} +{{- $mounts = (concat (default (list ) $mounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" $name "mountPath" $cacheDir )))) -}} +{{- end -}} +{{- $mounts = (concat (default (list ) $mounts) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.setTieredStorageCacheDirOwnership.extraVolumeMounts) ))) "r"))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" `set-tiered-storage-cache-dir-ownership` "image" (printf `%s:%s` $values.statefulset.initContainerImage.repository $values.statefulset.initContainerImage.tag) "command" (list `/bin/sh` `-c` (printf `mkdir -p %s; chown %d:%d -R %s` $cacheDir $uid $gid $cacheDir)) "volumeMounts" $mounts "resources" $values.statefulset.initContainers.setTieredStorageCacheDirOwnership.resources ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetInitContainerConfigurator" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" (printf `%.51s-configurator` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r")) "image" (printf `%s:%s` $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list `/bin/bash` `-c` `trap "exit 0" TERM; exec $CONFIGURATOR_SCRIPT "${SERVICE_NAME}" "${KUBERNETES_NODE_NAME}" & wait $!`) "env" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "CONFIGURATOR_SCRIPT" "value" "/etc/secrets/configurator/scripts/configurator.sh" )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "SERVICE_NAME" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "metadata.name" )) "resourceFieldRef" (coalesce nil) "configMapKeyRef" (coalesce nil) "secretKeyRef" (coalesce nil) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "KUBERNETES_NODE_NAME" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "fieldPath" "spec.nodeName" )) )) )) (mustMergeOverwrite (dict "name" "" ) (dict "name" "HOST_IP_ADDRESS" "valueFrom" (mustMergeOverwrite (dict ) (dict "fieldRef" (mustMergeOverwrite (dict "fieldPath" "" ) (dict "apiVersion" "v1" "fieldPath" "status.hostIP" )) )) ))) "securityContext" (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r") "volumeMounts" (concat (default (list ) (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.initContainers.configurator.extraVolumeMounts) ))) "r")))) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/etc/redpanda" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "mountPath" "/tmp/base-config" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf `%.51s-configurator` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "mountPath" "/etc/secrets/configurator/scripts/" )))) "resources" $values.statefulset.initContainers.configurator.resources ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSetContainers" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $containers := (coalesce nil) -}} +{{- $containers = (concat (default (list ) $containers) (list (get (fromJson (include "redpanda.statefulSetContainerRedpanda" (dict "a" (list $dot) ))) "r"))) -}} +{{- $c_11 := (get (fromJson (include "redpanda.statefulSetContainerConfigWatcher" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $c_11 (coalesce nil)) -}} +{{- $containers = (concat (default (list ) $containers) (list $c_11)) -}} +{{- end -}} +{{- $c_12 := (get (fromJson (include "redpanda.statefulSetContainerControllers" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $c_12 (coalesce nil)) -}} +{{- $containers = (concat (default (list ) $containers) (list $c_12)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $containers) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetContainerRedpanda" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $internalAdvertiseAddress := (printf "%s.%s" "$(SERVICE_NAME)" (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r")) -}} +{{- $container := (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "image" (printf `%s:%s` $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "env" (get (fromJson (include "redpanda.statefulSetRedpandaEnv" (dict "a" (list ) ))) "r") "lifecycle" (mustMergeOverwrite (dict ) (dict "postStart" (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (list `/bin/bash` `-c` (join "\n" (list (printf `timeout -v %d bash -x /var/lifecycle/postStart.sh` ((div ($values.statefulset.terminationGracePeriodSeconds | int64) (2 | int64)) | int64)) `true` ``))) )) )) "preStop" (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (list `/bin/bash` `-c` (join "\n" (list (printf `timeout -v %d bash -x /var/lifecycle/preStop.sh` ((div ($values.statefulset.terminationGracePeriodSeconds | int64) (2 | int64)) | int64)) `true # do not fail and cause the pod to terminate` ``))) )) )) )) "startupProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (list `/bin/sh` `-c` (join "\n" (list `set -e` (printf `RESULT=$(curl --silent --fail -k -m 5 %s "%s://%s/v1/status/ready")` (get (fromJson (include "redpanda.adminTLSCurlFlags" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.adminInternalHTTPProtocol" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.adminApiURLs" (dict "a" (list $dot) ))) "r")) `echo $RESULT` `echo $RESULT | grep ready` ``))) )) )) (dict "initialDelaySeconds" ($values.statefulset.startupProbe.initialDelaySeconds | int) "periodSeconds" ($values.statefulset.startupProbe.periodSeconds | int) "failureThreshold" ($values.statefulset.startupProbe.failureThreshold | int) )) "livenessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (list `/bin/sh` `-c` (printf `curl --silent --fail -k -m 5 %s "%s://%s/v1/status/ready"` (get (fromJson (include "redpanda.adminTLSCurlFlags" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.adminInternalHTTPProtocol" (dict "a" (list $dot) ))) "r") (get (fromJson (include "redpanda.adminApiURLs" (dict "a" (list $dot) ))) "r"))) )) )) (dict "initialDelaySeconds" ($values.statefulset.livenessProbe.initialDelaySeconds | int) "periodSeconds" ($values.statefulset.livenessProbe.periodSeconds | int) "failureThreshold" ($values.statefulset.livenessProbe.failureThreshold | int) )) "command" (list `rpk` `redpanda` `start` (printf `--advertise-rpc-addr=%s:%d` $internalAdvertiseAddress ($values.listeners.rpc.port | int))) "volumeMounts" (concat (default (list ) (get (fromJson (include "redpanda.StatefulSetVolumeMounts" (dict "a" (list $dot) ))) "r")) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.extraVolumeMounts) ))) "r"))) "securityContext" (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r") "resources" (mustMergeOverwrite (dict ) (dict )) )) -}} +{{- if (not (get (fromJson (include "_shims.typeassertion" (dict "a" (list "bool" (dig `recovery_mode_enabled` false $values.config.node)) ))) "r")) -}} +{{- $_ := (set $container "readinessProbe" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "exec" (mustMergeOverwrite (dict ) (dict "command" (list `/bin/sh` `-c` (join "\n" (list `set -x` `RESULT=$(rpk cluster health)` `echo $RESULT` `echo $RESULT | grep 'Healthy:.*true'` ``))) )) )) (dict "initialDelaySeconds" ($values.statefulset.readinessProbe.initialDelaySeconds | int) "timeoutSeconds" ($values.statefulset.readinessProbe.timeoutSeconds | int) "periodSeconds" ($values.statefulset.readinessProbe.periodSeconds | int) "successThreshold" ($values.statefulset.readinessProbe.successThreshold | int) "failureThreshold" ($values.statefulset.readinessProbe.failureThreshold | int) ))) -}} +{{- end -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "admin" "containerPort" ($values.listeners.admin.port | int) ))))) -}} +{{- range $externalName, $external := $values.listeners.admin.external -}} +{{- if (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $external) ))) "r") -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" (printf "admin-%.8s" (lower $externalName)) "containerPort" ($external.port | int) ))))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "http" "containerPort" ($values.listeners.http.port | int) ))))) -}} +{{- range $externalName, $external := $values.listeners.http.external -}} +{{- if (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $external) ))) "r") -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" (printf "http-%.8s" (lower $externalName)) "containerPort" ($external.port | int) ))))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "kafka" "containerPort" ($values.listeners.kafka.port | int) ))))) -}} +{{- range $externalName, $external := $values.listeners.kafka.external -}} +{{- if (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $external) ))) "r") -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" (printf "kafka-%.8s" (lower $externalName)) "containerPort" ($external.port | int) ))))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "rpc" "containerPort" ($values.listeners.rpc.port | int) ))))) -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" "schemaregistry" "containerPort" ($values.listeners.schemaRegistry.port | int) ))))) -}} +{{- range $externalName, $external := $values.listeners.schemaRegistry.external -}} +{{- if (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $external) ))) "r") -}} +{{- $_ := (set $container "ports" (concat (default (list ) $container.ports) (list (mustMergeOverwrite (dict "containerPort" 0 ) (dict "name" (printf "schema-%.8s" (lower $externalName)) "containerPort" ($external.port | int) ))))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if (and (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r") (ne (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") "none")) -}} +{{- $name := "tiered-storage-dir" -}} +{{- if (and (ne $values.storage.persistentVolume (coalesce nil)) (ne $values.storage.persistentVolume.nameOverwrite "")) -}} +{{- $name = $values.storage.persistentVolume.nameOverwrite -}} +{{- end -}} +{{- $_ := (set $container "volumeMounts" (concat (default (list ) $container.volumeMounts) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" $name "mountPath" (get (fromJson (include "redpanda.Storage.TieredCacheDirectory" (dict "a" (list $values.storage $dot) ))) "r") ))))) -}} +{{- end -}} +{{- $_ := (set $container.resources "limits" (dict "cpu" $values.resources.cpu.cores "memory" $values.resources.memory.container.max )) -}} +{{- if (ne $values.resources.memory.container.min (coalesce nil)) -}} +{{- $_ := (set $container.resources "requests" (dict "cpu" $values.resources.cpu.cores "memory" $values.resources.memory.container.min )) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $container) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.adminApiURLs" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf `${SERVICE_NAME}.%s:%d` (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") ($values.listeners.admin.port | int))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetContainerConfigWatcher" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.statefulset.sideCars.configWatcher.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "config-watcher" "image" (printf `%s:%s` $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list `/bin/sh`) "args" (list `-c` `trap "exit 0" TERM; exec /etc/secrets/config-watcher/scripts/sasl-user.sh & wait $!`) "resources" $values.statefulset.sideCars.configWatcher.resources "securityContext" $values.statefulset.sideCars.configWatcher.securityContext "volumeMounts" (concat (default (list ) (concat (default (list ) (get (fromJson (include "redpanda.CommonMounts" (dict "a" (list $dot) ))) "r")) (list (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" "config" "mountPath" "/etc/redpanda" )) (mustMergeOverwrite (dict "name" "" "mountPath" "" ) (dict "name" (printf `%s-config-watcher` (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) "mountPath" "/etc/secrets/config-watcher/scripts" ))))) (default (list ) (get (fromJson (include "redpanda.templateToVolumeMounts" (dict "a" (list $dot $values.statefulset.sideCars.configWatcher.extraVolumeMounts) ))) "r"))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetContainerControllers" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.rbac.enabled) (not $values.statefulset.sideCars.controllers.enabled)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "redpanda-controllers" "image" (printf `%s:%s` $values.statefulset.sideCars.controllers.image.repository $values.statefulset.sideCars.controllers.image.tag) "command" (list `/manager`) "args" (list `--operator-mode=false` (printf `--namespace=%s` $dot.Release.Namespace) (printf `--health-probe-bind-address=%s` $values.statefulset.sideCars.controllers.healthProbeAddress) (printf `--metrics-bind-address=%s` $values.statefulset.sideCars.controllers.metricsAddress) (printf `--additional-controllers=%s` (join "," $values.statefulset.sideCars.controllers.run))) "env" (list (mustMergeOverwrite (dict "name" "" ) (dict "name" "REDPANDA_HELM_RELEASE_NAME" "value" $dot.Release.Name ))) "resources" $values.statefulset.sideCars.controllers.resources "securityContext" $values.statefulset.sideCars.controllers.securityContext ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.templateToVolumeMounts" -}} +{{- $dot := (index .a 0) -}} +{{- $template := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (tpl $template $dot) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (fromYamlArray $result)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.templateToVolumes" -}} +{{- $dot := (index .a 0) -}} +{{- $template := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (tpl $template $dot) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (fromYamlArray $result)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.templateToContainers" -}} +{{- $dot := (index .a 0) -}} +{{- $template := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (tpl $template $dot) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (fromYamlArray $result)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StatefulSet" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (and (not (get (fromJson (include "redpanda.RedpandaAtLeast_22_2_0" (dict "a" (list $dot) ))) "r")) (not $values.force)) -}} +{{- $sv := (get (fromJson (include "redpanda.semver" (dict "a" (list $dot) ))) "r") -}} +{{- $_ := (fail (printf "Error: The Redpanda version (%s) is no longer supported \nTo accept this risk, run the upgrade again adding `--force=true`\n" $sv)) -}} +{{- end -}} +{{- $ss := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "serviceName" "" "updateStrategy" (dict ) ) "status" (dict "replicas" 0 "availableReplicas" 0 ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "apps/v1" "kind" "StatefulSet" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") )) "spec" (mustMergeOverwrite (dict "selector" (coalesce nil) "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) "serviceName" "" "updateStrategy" (dict ) ) (dict "selector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") )) "serviceName" (get (fromJson (include "redpanda.ServiceName" (dict "a" (list $dot) ))) "r") "replicas" ($values.statefulset.replicas | int) "updateStrategy" $values.statefulset.updateStrategy "podManagementPolicy" "Parallel" "template" (get (fromJson (include "redpanda.StrategicMergePatch" (dict "a" (list $values.statefulset.podTemplate (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "labels" (get (fromJson (include "redpanda.StatefulSetPodLabels" (dict "a" (list $dot) ))) "r") "annotations" (get (fromJson (include "redpanda.StatefulSetPodAnnotations" (dict "a" (list $dot (get (fromJson (include "redpanda.statefulSetChecksumAnnotation" (dict "a" (list $dot) ))) "r")) ))) "r") )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "terminationGracePeriodSeconds" ($values.statefulset.terminationGracePeriodSeconds | int64) "securityContext" (get (fromJson (include "redpanda.PodSecurityContext" (dict "a" (list $dot) ))) "r") "serviceAccountName" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "imagePullSecrets" (default (coalesce nil) $values.imagePullSecrets) "initContainers" (get (fromJson (include "redpanda.StatefulSetInitContainers" (dict "a" (list $dot) ))) "r") "containers" (get (fromJson (include "redpanda.StatefulSetContainers" (dict "a" (list $dot) ))) "r") "volumes" (get (fromJson (include "redpanda.StatefulSetVolumes" (dict "a" (list $dot) ))) "r") "topologySpreadConstraints" (get (fromJson (include "redpanda.statefulSetTopologySpreadConstraints" (dict "a" (list $dot) ))) "r") "nodeSelector" (get (fromJson (include "redpanda.statefulSetNodeSelectors" (dict "a" (list $dot) ))) "r") "affinity" (get (fromJson (include "redpanda.statefulSetAffinity" (dict "a" (list $dot) ))) "r") "priorityClassName" $values.statefulset.priorityClassName "tolerations" (get (fromJson (include "redpanda.statefulSetTolerations" (dict "a" (list $dot) ))) "r") )) ))) ))) "r") "volumeClaimTemplates" (coalesce nil) )) )) -}} +{{- if (or $values.storage.persistentVolume.enabled ((and (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r") (eq (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") "persistentVolume")))) -}} +{{- $t_13 := (get (fromJson (include "redpanda.volumeClaimTemplateDatadir" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $t_13 (coalesce nil)) -}} +{{- $_ := (set $ss.spec "volumeClaimTemplates" (concat (default (list ) $ss.spec.volumeClaimTemplates) (list $t_13))) -}} +{{- end -}} +{{- $t_14 := (get (fromJson (include "redpanda.volumeClaimTemplateTieredStorageDir" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $t_14 (coalesce nil)) -}} +{{- $_ := (set $ss.spec "volumeClaimTemplates" (concat (default (list ) $ss.spec.volumeClaimTemplates) (list $t_14))) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $ss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.semver" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (trimPrefix "v" (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetChecksumAnnotation" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $dependencies := (coalesce nil) -}} +{{- $dependencies = (concat (default (list ) $dependencies) (list (get (fromJson (include "redpanda.ConfigMapsWithoutSeedServer" (dict "a" (list $dot) ))) "r"))) -}} +{{- if $values.external.enabled -}} +{{- $dependencies = (concat (default (list ) $dependencies) (list (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.external.domain "") ))) "r"))) -}} +{{- if (empty $values.external.addresses) -}} +{{- $dependencies = (concat (default (list ) $dependencies) (list "")) -}} +{{- else -}} +{{- $dependencies = (concat (default (list ) $dependencies) (list $values.external.addresses)) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (sha256sum (toJson $dependencies))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetTolerations" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default $values.tolerations $values.statefulset.tolerations)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetNodeSelectors" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (default $values.statefulset.nodeSelector $values.nodeSelector)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetAffinity" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $affinity := (mustMergeOverwrite (dict ) (dict )) -}} +{{- if (not (empty $values.statefulset.nodeAffinity)) -}} +{{- $_ := (set $affinity "nodeAffinity" $values.statefulset.nodeAffinity) -}} +{{- else -}}{{- if (not (empty $values.affinity.nodeAffinity)) -}} +{{- $_ := (set $affinity "nodeAffinity" $values.affinity.nodeAffinity) -}} +{{- end -}} +{{- end -}} +{{- if (not (empty $values.statefulset.podAffinity)) -}} +{{- $_ := (set $affinity "podAffinity" $values.statefulset.podAffinity) -}} +{{- else -}}{{- if (not (empty $values.affinity.podAffinity)) -}} +{{- $_ := (set $affinity "podAffinity" $values.affinity.podAffinity) -}} +{{- end -}} +{{- end -}} +{{- if (not (empty $values.statefulset.podAntiAffinity)) -}} +{{- $_ := (set $affinity "podAntiAffinity" (mustMergeOverwrite (dict ) (dict ))) -}} +{{- if (eq $values.statefulset.podAntiAffinity.type "hard") -}} +{{- $_ := (set $affinity.podAntiAffinity "requiredDuringSchedulingIgnoredDuringExecution" (list (mustMergeOverwrite (dict "topologyKey" "" ) (dict "topologyKey" $values.statefulset.podAntiAffinity.topologyKey "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") )) )))) -}} +{{- else -}}{{- if (eq $values.statefulset.podAntiAffinity.type "soft") -}} +{{- $_ := (set $affinity.podAntiAffinity "preferredDuringSchedulingIgnoredDuringExecution" (list (mustMergeOverwrite (dict "weight" 0 "podAffinityTerm" (dict "topologyKey" "" ) ) (dict "weight" ($values.statefulset.podAntiAffinity.weight | int) "podAffinityTerm" (mustMergeOverwrite (dict "topologyKey" "" ) (dict "topologyKey" $values.statefulset.podAntiAffinity.topologyKey "labelSelector" (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") )) )) )))) -}} +{{- else -}}{{- if (eq $values.statefulset.podAntiAffinity.type "custom") -}} +{{- $_ := (set $affinity "podAntiAffinity" $values.statefulset.podAntiAffinity.custom) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- else -}}{{- if (not (empty $values.affinity.podAntiAffinity)) -}} +{{- $_ := (set $affinity "podAntiAffinity" $values.affinity.podAntiAffinity) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $affinity) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.volumeClaimTemplateDatadir" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.storage.persistentVolume.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $pvc := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "resources" (dict ) ) "status" (dict ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" "datadir" "labels" (merge (dict ) (dict `app.kubernetes.io/name` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") `app.kubernetes.io/instance` $dot.Release.Name `app.kubernetes.io/component` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") ) $values.storage.persistentVolume.labels $values.commonLabels) "annotations" (default (coalesce nil) $values.storage.persistentVolume.annotations) )) "spec" (mustMergeOverwrite (dict "resources" (dict ) ) (dict "accessModes" (list "ReadWriteOnce") "resources" (mustMergeOverwrite (dict ) (dict "requests" (dict "storage" $values.storage.persistentVolume.size ) )) )) )) -}} +{{- if (not (empty $values.storage.persistentVolume.storageClass)) -}} +{{- if (eq $values.storage.persistentVolume.storageClass "-") -}} +{{- $_ := (set $pvc.spec "storageClassName" "") -}} +{{- else -}} +{{- $_ := (set $pvc.spec "storageClassName" $values.storage.persistentVolume.storageClass) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $pvc) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.volumeClaimTemplateTieredStorageDir" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $values.storage) ))) "r")) (ne (get (fromJson (include "redpanda.Storage.TieredMountType" (dict "a" (list $values.storage) ))) "r") "persistentVolume")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $pvc := (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "resources" (dict ) ) "status" (dict ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (default "tiered-storage-dir" $values.storage.persistentVolume.nameOverwrite) "labels" (merge (dict ) (dict `app.kubernetes.io/name` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") `app.kubernetes.io/instance` $dot.Release.Name `app.kubernetes.io/component` (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") ) (get (fromJson (include "redpanda.Storage.TieredPersistentVolumeLabels" (dict "a" (list $values.storage) ))) "r") $values.commonLabels) "annotations" (default (coalesce nil) (get (fromJson (include "redpanda.Storage.TieredPersistentVolumeAnnotations" (dict "a" (list $values.storage) ))) "r")) )) "spec" (mustMergeOverwrite (dict "resources" (dict ) ) (dict "accessModes" (list "ReadWriteOnce") "resources" (mustMergeOverwrite (dict ) (dict "requests" (dict "storage" (index (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r") `cloud_storage_cache_size`) ) )) )) )) -}} +{{- $sc_15 := (get (fromJson (include "redpanda.Storage.TieredPersistentVolumeStorageClass" (dict "a" (list $values.storage) ))) "r") -}} +{{- if (eq $sc_15 "-") -}} +{{- $_ := (set $pvc.spec "storageClassName" "") -}} +{{- else -}}{{- if (not (empty $sc_15)) -}} +{{- $_ := (set $pvc.spec "storageClassName" $sc_15) -}} +{{- end -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $pvc) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.statefulSetTopologySpreadConstraints" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $result := (coalesce nil) -}} +{{- $labelSelector := (mustMergeOverwrite (dict ) (dict "matchLabels" (get (fromJson (include "redpanda.StatefulSetPodLabelsSelector" (dict "a" (list $dot) ))) "r") )) -}} +{{- range $_, $v := $values.statefulset.topologySpreadConstraints -}} +{{- $result = (concat (default (list ) $result) (list (mustMergeOverwrite (dict "maxSkew" 0 "topologyKey" "" "whenUnsatisfiable" "" ) (dict "maxSkew" ($v.maxSkew | int) "topologyKey" $v.topologyKey "whenUnsatisfiable" $v.whenUnsatisfiable "labelSelector" $labelSelector )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.StorageTieredConfig" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $values.storage) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/templates/_values.go.tpl b/charts/redpanda/redpanda/5.9.2/templates/_values.go.tpl new file mode 100644 index 000000000..1d0eb030f --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/_values.go.tpl @@ -0,0 +1,1258 @@ +{{- /* Generated from "values.go" */ -}} + +{{- define "redpanda.AuditLogging.Translate" -}} +{{- $a := (index .a 0) -}} +{{- $dot := (index .a 1) -}} +{{- $isSASLEnabled := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- if (not (get (fromJson (include "redpanda.RedpandaAtLeast_23_3_0" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- $enabled := (and $a.enabled $isSASLEnabled) -}} +{{- $_ := (set $result "audit_enabled" $enabled) -}} +{{- if (not $enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (ne (($a.clientMaxBufferSize | int) | int) (16777216 | int)) -}} +{{- $_ := (set $result "audit_client_max_buffer_size" ($a.clientMaxBufferSize | int)) -}} +{{- end -}} +{{- if (ne (($a.queueDrainIntervalMs | int) | int) (500 | int)) -}} +{{- $_ := (set $result "audit_queue_drain_interval_ms" ($a.queueDrainIntervalMs | int)) -}} +{{- end -}} +{{- if (ne (($a.queueMaxBufferSizePerShard | int) | int) (1048576 | int)) -}} +{{- $_ := (set $result "audit_queue_max_buffer_size_per_shard" ($a.queueMaxBufferSizePerShard | int)) -}} +{{- end -}} +{{- if (ne (($a.partitions | int) | int) (12 | int)) -}} +{{- $_ := (set $result "audit_log_num_partitions" ($a.partitions | int)) -}} +{{- end -}} +{{- if (ne ($a.replicationFactor | int) (0 | int)) -}} +{{- $_ := (set $result "audit_log_replication_factor" ($a.replicationFactor | int)) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $a.enabledEventTypes) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $result "audit_enabled_event_types" $a.enabledEventTypes) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $a.excludedTopics) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $result "audit_excluded_topics" $a.excludedTopics) -}} +{{- end -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $a.excludedPrincipals) ))) "r") | int) (0 | int)) -}} +{{- $_ := (set $result "audit_excluded_principals" $a.excludedPrincipals) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Auth.IsSASLEnabled" -}} +{{- $a := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq $a.sasl (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" false) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $a.sasl.enabled) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Auth.Translate" -}} +{{- $a := (index .a 0) -}} +{{- $isSASLEnabled := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (not $isSASLEnabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (eq ((get (fromJson (include "_shims.len" (dict "a" (list $a.sasl.users) ))) "r") | int) (0 | int)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $users := (list ) -}} +{{- range $_, $u := $a.sasl.users -}} +{{- $users = (concat (default (list ) $users) (list $u.name)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict "superusers" $users )) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Logging.Translate" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- $clusterID_1 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.usageStats.clusterId "") ))) "r") -}} +{{- if (ne $clusterID_1 "") -}} +{{- $_ := (set $result "cluster_id" $clusterID_1) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.RedpandaResources.GetOverProvisionValue" -}} +{{- $rr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (lt ((get (fromJson (include "_shims.resource_MilliValue" (dict "a" (list $rr.cpu.cores) ))) "r") | int64) (1000 | int64)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" true) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $rr.cpu.overprovisioned false) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.IsTieredStorageEnabled" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $conf := (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $s) ))) "r") -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $conf "cloud_storage_enabled" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_3.T2 -}} +{{- $b := $tmp_tuple_3.T1 -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and $ok (get (fromJson (include "_shims.typeassertion" (dict "a" (list "bool" $b) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.GetTieredStorageConfig" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $s.tieredConfig) ))) "r") | int) (0 | int)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tieredConfig) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tiered.config) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.GetTieredStorageHostPath" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $hp := $s.tieredStorageHostPath -}} +{{- if (and (empty $hp) (ne $s.tiered (coalesce nil))) -}} +{{- $hp = $s.tiered.hostPath -}} +{{- end -}} +{{- if (empty $hp) -}} +{{- $_ := (fail (printf `storage.tiered.mountType is "%s" but storage.tiered.hostPath is empty` $s.tiered.mountType)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $hp) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.CloudStorageCacheSize" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $s) ))) "r") `cloud_storage_cache_size` (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_4.T2 -}} +{{- $value := $tmp_tuple_4.T1 -}} +{{- if (not $ok) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $value) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.TieredCacheDirectory" -}} +{{- $s := (index .a 0) -}} +{{- $dot := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $config := (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $s) ))) "r") -}} +{{- $dir := (get (fromJson (include "_shims.typeassertion" (dict "a" (list "string" (dig `cloud_storage_cache_directory` "/var/lib/redpanda/data/cloud_storage_cache" $config)) ))) "r") -}} +{{- if (eq $dir "") -}} +{{- $_is_returning = true -}} +{{- (dict "r" "/var/lib/redpanda/data/cloud_storage_cache") | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $dir) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.TieredMountType" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (ne $s.tieredStoragePersistentVolume (coalesce nil)) $s.tieredStoragePersistentVolume.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" "persistentVolume") | toJson -}} +{{- break -}} +{{- end -}} +{{- if (not (empty $s.tieredStorageHostPath)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" "hostPath") | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tiered.mountType) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.TieredPersistentVolumeLabels" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne $s.tieredStoragePersistentVolume (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tieredStoragePersistentVolume.labels) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (ne $s.tiered (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tiered.persistentVolume.labels) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_ := (fail `storage.tiered.mountType is "persistentVolume" but storage.tiered.persistentVolume is not configured`) -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.TieredPersistentVolumeAnnotations" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne $s.tieredStoragePersistentVolume (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tieredStoragePersistentVolume.annotations) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (ne $s.tiered (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tiered.persistentVolume.annotations) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_ := (fail `storage.tiered.mountType is "persistentVolume" but storage.tiered.persistentVolume is not configured`) -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.TieredPersistentVolumeStorageClass" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne $s.tieredStoragePersistentVolume (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tieredStoragePersistentVolume.storageClass) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (ne $s.tiered (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $s.tiered.persistentVolume.storageClass) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_ := (fail `storage.tiered.mountType is "persistentVolume" but storage.tiered.persistentVolume is not configured`) -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.Translate" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- if (not (get (fromJson (include "redpanda.Storage.IsTieredStorageEnabled" (dict "a" (list $s) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- $tieredStorageConfig := (get (fromJson (include "redpanda.Storage.GetTieredStorageConfig" (dict "a" (list $s) ))) "r") -}} +{{- range $k, $v := $tieredStorageConfig -}} +{{- if (or (eq $v (coalesce nil)) (empty $v)) -}} +{{- continue -}} +{{- end -}} +{{- if (and (eq $k "cloud_storage_cache_size") (ne $v (coalesce nil))) -}} +{{- $_ := (set $result $k (printf "%d" ((get (fromJson (include "_shims.resource_Value" (dict "a" (list $v) ))) "r") | int64))) -}} +{{- continue -}} +{{- end -}} +{{- $tmp_tuple_6 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" $v "") ))) "r")) ))) "r") -}} +{{- $ok_3 := $tmp_tuple_6.T2 -}} +{{- $str_2 := $tmp_tuple_6.T1 -}} +{{- $tmp_tuple_7 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "bool" $v false) ))) "r")) ))) "r") -}} +{{- $ok_5 := $tmp_tuple_7.T2 -}} +{{- $b_4 := $tmp_tuple_7.T1 -}} +{{- $tmp_tuple_8 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asnumeric" (dict "a" (list $v) ))) "r")) ))) "r") -}} +{{- $isFloat_7 := $tmp_tuple_8.T2 -}} +{{- $f_6 := ($tmp_tuple_8.T1 | float64) -}} +{{- if $ok_3 -}} +{{- $_ := (set $result $k $str_2) -}} +{{- else -}}{{- if $ok_5 -}} +{{- $_ := (set $result $k $b_4) -}} +{{- else -}}{{- if $isFloat_7 -}} +{{- $_ := (set $result $k ($f_6 | int)) -}} +{{- else -}} +{{- $_ := (set $result $k (mustToJson $v)) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Storage.StorageMinFreeBytes" -}} +{{- $s := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (and (ne $s.persistentVolume (coalesce nil)) (not $s.persistentVolume.enabled)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (5368709120 | int)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $minimumFreeBytes := ((mulf (((get (fromJson (include "_shims.resource_Value" (dict "a" (list $s.persistentVolume.size) ))) "r") | int64) | float64) 0.05) | float64) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (min (5368709120 | int) ($minimumFreeBytes | int64))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Tuning.Translate" -}} +{{- $t := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- $s := (toJson $t) -}} +{{- $tune := (fromJson $s) -}} +{{- $tmp_tuple_9 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list (printf "map[%s]%s" "string" "interface {}") $tune (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_9.T2 -}} +{{- $m := $tmp_tuple_9.T1 -}} +{{- if (not $ok) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (dict )) | toJson -}} +{{- break -}} +{{- end -}} +{{- range $k, $v := $m -}} +{{- $_ := (set $result $k $v) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Listeners.CreateSeedServers" -}} +{{- $l := (index .a 0) -}} +{{- $replicas := (index .a 1) -}} +{{- $fullname := (index .a 2) -}} +{{- $internalDomain := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (coalesce nil) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) ($replicas|int) (1|int) -}} +{{- $result = (concat (default (list ) $result) (list (dict "host" (dict "address" (printf "%s-%d.%s" $fullname $i $internalDomain) "port" ($l.rpc.port | int) ) ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Listeners.AdminList" -}} +{{- $l := (index .a 0) -}} +{{- $replicas := (index .a 1) -}} +{{- $fullname := (index .a 2) -}} +{{- $internalDomain := (index .a 3) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.ServerList" (dict "a" (list $replicas "" $fullname $internalDomain ($l.admin.port | int)) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ServerList" -}} +{{- $replicas := (index .a 0) -}} +{{- $prefix := (index .a 1) -}} +{{- $fullname := (index .a 2) -}} +{{- $internalDomain := (index .a 3) -}} +{{- $port := (index .a 4) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (coalesce nil) -}} +{{- range $_, $i := untilStep (((0 | int) | int)|int) ($replicas|int) (1|int) -}} +{{- $result = (concat (default (list ) $result) (list (printf "%s%s-%d.%s:%d" $prefix $fullname $i $internalDomain ($port | int)))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Listeners.TrustStoreVolume" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $cmSources := (dict ) -}} +{{- $secretSources := (dict ) -}} +{{- range $_, $ts := (get (fromJson (include "redpanda.Listeners.TrustStores" (dict "a" (list $l $tls) ))) "r") -}} +{{- $projection := (get (fromJson (include "redpanda.TrustStore.VolumeProjection" (dict "a" (list $ts) ))) "r") -}} +{{- if (ne $projection.secret (coalesce nil)) -}} +{{- $_ := (set $secretSources $projection.secret.name (concat (default (list ) (index $secretSources $projection.secret.name)) (default (list ) $projection.secret.items))) -}} +{{- else -}} +{{- $_ := (set $cmSources $projection.configMap.name (concat (default (list ) (index $cmSources $projection.configMap.name)) (default (list ) $projection.configMap.items))) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $sources := (coalesce nil) -}} +{{- range $_, $name := (sortAlpha (keys $cmSources)) -}} +{{- $keys := (index $cmSources $name) -}} +{{- $sources = (concat (default (list ) $sources) (list (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $name )) (dict "items" (get (fromJson (include "redpanda.dedupKeyToPaths" (dict "a" (list $keys) ))) "r") )) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- range $_, $name := (sortAlpha (keys $secretSources)) -}} +{{- $keys := (index $secretSources $name) -}} +{{- $sources = (concat (default (list ) $sources) (list (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $name )) (dict "items" (get (fromJson (include "redpanda.dedupKeyToPaths" (dict "a" (list $keys) ))) "r") )) )))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- if (lt ((get (fromJson (include "_shims.len" (dict "a" (list $sources) ))) "r") | int) (1 | int)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "name" "" ) (mustMergeOverwrite (dict ) (dict "projected" (mustMergeOverwrite (dict "sources" (coalesce nil) ) (dict "sources" $sources )) )) (dict "name" "truststores" ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.dedupKeyToPaths" -}} +{{- $items := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $seen := (dict ) -}} +{{- $deduped := (coalesce nil) -}} +{{- range $_, $item := $items -}} +{{- $tmp_tuple_10 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $seen $item.key (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_8 := $tmp_tuple_10.T2 -}} +{{- if $ok_8 -}} +{{- continue -}} +{{- end -}} +{{- $deduped = (concat (default (list ) $deduped) (list $item)) -}} +{{- $_ := (set $seen $item.key true) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $deduped) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Listeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tss := (get (fromJson (include "redpanda.KafkaListeners.TrustStores" (dict "a" (list $l.kafka $tls) ))) "r") -}} +{{- $tss = (concat (default (list ) $tss) (default (list ) (get (fromJson (include "redpanda.AdminListeners.TrustStores" (dict "a" (list $l.admin $tls) ))) "r"))) -}} +{{- $tss = (concat (default (list ) $tss) (default (list ) (get (fromJson (include "redpanda.HTTPListeners.TrustStores" (dict "a" (list $l.http $tls) ))) "r"))) -}} +{{- $tss = (concat (default (list ) $tss) (default (list ) (get (fromJson (include "redpanda.SchemaRegistryListeners.TrustStores" (dict "a" (list $l.schemaRegistry $tls) ))) "r"))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.Config.CreateRPKConfiguration" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- range $k, $v := $c.rpk -}} +{{- $_ := (set $result $k $v) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TLSCertMap.MustGet" -}} +{{- $m := (index .a 0) -}} +{{- $name := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tmp_tuple_11 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $m $name (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok := $tmp_tuple_11.T2 -}} +{{- $cert := $tmp_tuple_11.T1 -}} +{{- if (not $ok) -}} +{{- $_ := (fail (printf "Certificate %q referenced, but not found in the tls.certs map" $name)) -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $cert) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TrustStore.TrustStoreFilePath" -}} +{{- $t := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "%s/%s" "/etc/truststores" (get (fromJson (include "redpanda.TrustStore.RelativePath" (dict "a" (list $t) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TrustStore.RelativePath" -}} +{{- $t := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne $t.configMapKeyRef (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "configmaps/%s-%s" $t.configMapKeyRef.name $t.configMapKeyRef.key)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "secrets/%s-%s" $t.secretKeyRef.name $t.secretKeyRef.key)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TrustStore.VolumeProjection" -}} +{{- $t := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne $t.configMapKeyRef (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict ) (dict "configMap" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $t.configMapKeyRef.name )) (dict "items" (list (mustMergeOverwrite (dict "key" "" "path" "" ) (dict "key" $t.configMapKeyRef.key "path" (get (fromJson (include "redpanda.TrustStore.RelativePath" (dict "a" (list $t) ))) "r") ))) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict ) (dict "secret" (mustMergeOverwrite (dict ) (mustMergeOverwrite (dict ) (dict "name" $t.secretKeyRef.name )) (dict "items" (list (mustMergeOverwrite (dict "key" "" "path" "" ) (dict "key" $t.secretKeyRef.key "path" (get (fromJson (include "redpanda.TrustStore.RelativePath" (dict "a" (list $t) ))) "r") ))) )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.InternalTLS.IsEnabled" -}} +{{- $t := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $t.enabled $tls.enabled) ))) "r") (ne $t.cert ""))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.InternalTLS.TrustStoreFilePath" -}} +{{- $t := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne $t.trustStore (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.TrustStore.TrustStoreFilePath" (dict "a" (list $t.trustStore) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) $t.cert) ))) "r").caEnabled -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "/etc/tls/certs/%s/ca.crt" $t.cert)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "/etc/ssl/certs/ca-certificates.crt") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ExternalTLS.GetCert" -}} +{{- $t := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- $tls := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $tls.certs) (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $t $i) ))) "r")) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ExternalTLS.GetCertName" -}} +{{- $t := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $t.cert $i.cert) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ExternalTLS.TrustStoreFilePath" -}} +{{- $t := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- $tls := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (ne $t.trustStore (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (get (fromJson (include "redpanda.TrustStore.TrustStoreFilePath" (dict "a" (list $t.trustStore) ))) "r")) | toJson -}} +{{- break -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.ExternalTLS.GetCert" (dict "a" (list $t $i $tls) ))) "r").caEnabled -}} +{{- $_is_returning = true -}} +{{- (dict "r" (printf "/etc/tls/certs/%s/ca.crt" (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $t $i) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" "/etc/ssl/certs/ca-certificates.crt") | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ExternalTLS.IsEnabled" -}} +{{- $t := (index .a 0) -}} +{{- $i := (index .a 1) -}} +{{- $tls := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq $t (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" false) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (ne (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $t $i) ))) "r") "") (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $t.enabled (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $i $tls) ))) "r")) ))) "r"))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminListeners.ConsoleTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $t := (mustMergeOverwrite (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) (dict "enabled" (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") )) -}} +{{- if (not $t.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $adminAPIPrefix := "/mnt/cert/adminapi" -}} +{{- $_ := (set $t "caFilepath" (printf "%s/%s/ca.crt" $adminAPIPrefix $l.tls.cert)) -}} +{{- if (not $l.tls.requireClientAuth) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $t "certFilepath" (printf "%s/%s/tls.crt" $adminAPIPrefix $l.tls.cert)) -}} +{{- $_ := (set $t "keyFilepath" (printf "%s/%s/tls.key" $adminAPIPrefix $l.tls.cert)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminListeners.Listeners" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $admin := (list (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($l.port | int)) ))) "r")) -}} +{{- range $k, $lis := $l.external -}} +{{- if (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $admin = (concat (default (list ) $admin) (list (dict "name" $k "port" ($lis.port | int) "address" "0.0.0.0" ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $admin) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminListeners.ListenersTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $admin := (list ) -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls $l.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}} +{{- $admin = (concat (default (list ) $admin) (list $internal)) -}} +{{- end -}} +{{- range $k, $lis := $l.external -}} +{{- if (or (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}} +{{- $admin = (concat (default (list ) $admin) (list (dict "name" $k "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $certName) "key_file" (printf "/etc/tls/certs/%s/tls.key" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $admin) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminListeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tss := (list ) -}} +{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne $l.tls.trustStore (coalesce nil))) -}} +{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}} +{{- end -}} +{{- range $_, $key := (sortAlpha (keys $l.external)) -}} +{{- $lis := (index $l.external $key) -}} +{{- if (or (or (not (get (fromJson (include "redpanda.AdminExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq $lis.tls.trustStore (coalesce nil))) -}} +{{- continue -}} +{{- end -}} +{{- $tss = (concat (default (list ) $tss) (list $lis.tls.trustStore)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.AdminExternal.IsEnabled" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.HTTPListeners.Listeners" -}} +{{- $l := (index .a 0) -}} +{{- $saslEnabled := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($l.port | int)) ))) "r") -}} +{{- if $saslEnabled -}} +{{- $_ := (set $internal "authentication_method" "http_basic") -}} +{{- end -}} +{{- $am_9 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_9 "") -}} +{{- $_ := (set $internal "authentication_method" $am_9) -}} +{{- end -}} +{{- $result := (list $internal) -}} +{{- range $k, $l := $l.external -}} +{{- if (not (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $l) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $listener := (dict "name" $k "port" ($l.port | int) "address" "0.0.0.0" ) -}} +{{- if $saslEnabled -}} +{{- $_ := (set $listener "authentication_method" "http_basic") -}} +{{- end -}} +{{- $am_10 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_10 "") -}} +{{- $_ := (set $listener "authentication_method" $am_10) -}} +{{- end -}} +{{- $result = (concat (default (list ) $result) (list $listener)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.HTTPListeners.ListenersTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $pp := (list ) -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls $l.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}} +{{- $pp = (concat (default (list ) $pp) (list $internal)) -}} +{{- end -}} +{{- range $k, $lis := $l.external -}} +{{- if (or (not (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}} +{{- $pp = (concat (default (list ) $pp) (list (dict "name" $k "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $certName) "key_file" (printf "/etc/tls/certs/%s/tls.key" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $pp) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.HTTPListeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tss := (coalesce nil) -}} +{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne $l.tls.trustStore (coalesce nil))) -}} +{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}} +{{- end -}} +{{- range $_, $key := (sortAlpha (keys $l.external)) -}} +{{- $lis := (index $l.external $key) -}} +{{- if (or (or (not (get (fromJson (include "redpanda.HTTPExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq $lis.tls.trustStore (coalesce nil))) -}} +{{- continue -}} +{{- end -}} +{{- $tss = (concat (default (list ) $tss) (list $lis.tls.trustStore)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.HTTPExternal.IsEnabled" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaListeners.Listeners" -}} +{{- $l := (index .a 0) -}} +{{- $auth := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($l.port | int)) ))) "r") -}} +{{- if (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $auth) ))) "r") -}} +{{- $_ := (set $internal "authentication_method" "sasl") -}} +{{- end -}} +{{- $am_11 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_11 "") -}} +{{- $_ := (set $internal "authentication_method" $am_11) -}} +{{- end -}} +{{- $kafka := (list $internal) -}} +{{- range $k, $l := $l.external -}} +{{- if (not (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $l) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $listener := (dict "name" $k "port" ($l.port | int) "address" "0.0.0.0" ) -}} +{{- if (get (fromJson (include "redpanda.Auth.IsSASLEnabled" (dict "a" (list $auth) ))) "r") -}} +{{- $_ := (set $listener "authentication_method" "sasl") -}} +{{- end -}} +{{- $am_12 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_12 "") -}} +{{- $_ := (set $listener "authentication_method" $am_12) -}} +{{- end -}} +{{- $kafka = (concat (default (list ) $kafka) (list $listener)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $kafka) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaListeners.ListenersTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $kafka := (list ) -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls $l.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}} +{{- $kafka = (concat (default (list ) $kafka) (list $internal)) -}} +{{- end -}} +{{- range $k, $lis := $l.external -}} +{{- if (or (not (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}} +{{- $kafka = (concat (default (list ) $kafka) (list (dict "name" $k "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $certName) "key_file" (printf "/etc/tls/certs/%s/tls.key" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $kafka) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaListeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tss := (coalesce nil) -}} +{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne $l.tls.trustStore (coalesce nil))) -}} +{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}} +{{- end -}} +{{- range $_, $key := (sortAlpha (keys $l.external)) -}} +{{- $lis := (index $l.external $key) -}} +{{- if (or (or (not (get (fromJson (include "redpanda.KafkaExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq $lis.tls.trustStore (coalesce nil))) -}} +{{- continue -}} +{{- end -}} +{{- $tss = (concat (default (list ) $tss) (list $lis.tls.trustStore)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaListeners.ConsolemTLS" -}} +{{- $k := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $t := (mustMergeOverwrite (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) (dict "enabled" (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $k.tls $tls) ))) "r") )) -}} +{{- if (not $t.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $kafkaPathPrefix := "/mnt/cert/kafka" -}} +{{- $_ := (set $t "caFilepath" (printf "%s/%s/ca.crt" $kafkaPathPrefix $k.tls.cert)) -}} +{{- if (not $k.tls.requireClientAuth) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $t "certFilepath" (printf "%s/%s/tls.crt" $kafkaPathPrefix $k.tls.cert)) -}} +{{- $_ := (set $t "keyFilepath" (printf "%s/%s/tls.key" $kafkaPathPrefix $k.tls.cert)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.KafkaExternal.IsEnabled" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryListeners.Listeners" -}} +{{- $sr := (index .a 0) -}} +{{- $saslEnabled := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerCfg" (dict "a" (list ($sr.port | int)) ))) "r") -}} +{{- if $saslEnabled -}} +{{- $_ := (set $internal "authentication_method" "http_basic") -}} +{{- end -}} +{{- $am_13 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $sr.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_13 "") -}} +{{- $_ := (set $internal "authentication_method" $am_13) -}} +{{- end -}} +{{- $result := (list $internal) -}} +{{- range $k, $l := $sr.external -}} +{{- if (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $l) ))) "r")) -}} +{{- continue -}} +{{- end -}} +{{- $listener := (dict "name" $k "port" ($l.port | int) "address" "0.0.0.0" ) -}} +{{- if $saslEnabled -}} +{{- $_ := (set $listener "authentication_method" "http_basic") -}} +{{- end -}} +{{- $am_14 := (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.authenticationMethod "") ))) "r") -}} +{{- if (ne $am_14 "") -}} +{{- $_ := (set $listener "authentication_method" $am_14) -}} +{{- end -}} +{{- $result = (concat (default (list ) $result) (list $listener)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryListeners.ListenersTLS" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $listeners := (list ) -}} +{{- $internal := (get (fromJson (include "redpanda.createInternalListenerTLSCfg" (dict "a" (list $tls $l.tls) ))) "r") -}} +{{- if (gt ((get (fromJson (include "_shims.len" (dict "a" (list $internal) ))) "r") | int) (0 | int)) -}} +{{- $listeners = (concat (default (list ) $listeners) (list $internal)) -}} +{{- end -}} +{{- range $k, $lis := $l.external -}} +{{- if (or (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) -}} +{{- continue -}} +{{- end -}} +{{- $certName := (get (fromJson (include "redpanda.ExternalTLS.GetCertName" (dict "a" (list $lis.tls $l.tls) ))) "r") -}} +{{- $listeners = (concat (default (list ) $listeners) (list (dict "name" $k "enabled" true "cert_file" (printf "/etc/tls/certs/%s/tls.crt" $certName) "key_file" (printf "/etc/tls/certs/%s/tls.key" $certName) "require_client_auth" (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $lis.tls.requireClientAuth false) ))) "r") "truststore_file" (get (fromJson (include "redpanda.ExternalTLS.TrustStoreFilePath" (dict "a" (list $lis.tls $l.tls $tls) ))) "r") ))) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $listeners) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryListeners.TrustStores" -}} +{{- $l := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $tss := (coalesce nil) -}} +{{- if (and (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $l.tls $tls) ))) "r") (ne $l.tls.trustStore (coalesce nil))) -}} +{{- $tss = (concat (default (list ) $tss) (list $l.tls.trustStore)) -}} +{{- end -}} +{{- range $_, $key := (sortAlpha (keys $l.external)) -}} +{{- $lis := (index $l.external $key) -}} +{{- if (or (or (not (get (fromJson (include "redpanda.SchemaRegistryExternal.IsEnabled" (dict "a" (list $lis) ))) "r")) (not (get (fromJson (include "redpanda.ExternalTLS.IsEnabled" (dict "a" (list $lis.tls $l.tls $tls) ))) "r"))) (eq $lis.tls.trustStore (coalesce nil))) -}} +{{- continue -}} +{{- end -}} +{{- $tss = (concat (default (list ) $tss) (list $lis.tls.trustStore)) -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $tss) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryListeners.ConsoleTLS" -}} +{{- $sr := (index .a 0) -}} +{{- $tls := (index .a 1) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $t := (mustMergeOverwrite (dict "enabled" false "caFilepath" "" "certFilepath" "" "keyFilepath" "" "insecureSkipTlsVerify" false ) (dict "enabled" (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $sr.tls $tls) ))) "r") )) -}} +{{- if (not $t.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $schemaRegistryPrefix := "/mnt/cert/schemaregistry" -}} +{{- $_ := (set $t "caFilepath" (printf "%s/%s/ca.crt" $schemaRegistryPrefix $sr.tls.cert)) -}} +{{- if (not $sr.tls.requireClientAuth) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- $_ := (set $t "certFilepath" (printf "%s/%s/tls.crt" $schemaRegistryPrefix $sr.tls.cert)) -}} +{{- $_ := (set $t "keyFilepath" (printf "%s/%s/tls.key" $schemaRegistryPrefix $sr.tls.cert)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $t) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SchemaRegistryExternal.IsEnabled" -}} +{{- $l := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $l.enabled true) ))) "r") (gt ($l.port | int) (0 | int)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TunableConfig.Translate" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- if (eq $c (coalesce nil)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $result := (dict ) -}} +{{- range $k, $v := $c -}} +{{- if (not (empty $v)) -}} +{{- $_ := (set $result $k $v) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.NodeConfig.Translate" -}} +{{- $c := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- range $k, $v := $c -}} +{{- if (not (empty $v)) -}} +{{- $tmp_tuple_14 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asnumeric" (dict "a" (list $v) ))) "r")) ))) "r") -}} +{{- $ok_15 := $tmp_tuple_14.T2 -}} +{{- if $ok_15 -}} +{{- $_ := (set $result $k $v) -}} +{{- else -}}{{- if (kindIs "bool" $v) -}} +{{- $_ := (set $result $k $v) -}} +{{- else -}} +{{- $_ := (set $result $k (toYaml $v)) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ClusterConfig.Translate" -}} +{{- $c := (index .a 0) -}} +{{- $replicas := (index .a 1) -}} +{{- $skipDefaultTopic := (index .a 2) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $result := (dict ) -}} +{{- range $k, $v := $c -}} +{{- if (and (eq $k "default_topic_replications") (not $skipDefaultTopic)) -}} +{{- $r := ($replicas | int) -}} +{{- $input := ($r | int) -}} +{{- $tmp_tuple_15 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asintegral" (dict "a" (list $v) ))) "r")) ))) "r") -}} +{{- $ok_17 := $tmp_tuple_15.T2 -}} +{{- $num_16 := ($tmp_tuple_15.T1 | int) -}} +{{- if $ok_17 -}} +{{- $input = $num_16 -}} +{{- end -}} +{{- $tmp_tuple_16 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asnumeric" (dict "a" (list $v) ))) "r")) ))) "r") -}} +{{- $ok_19 := $tmp_tuple_16.T2 -}} +{{- $f_18 := ($tmp_tuple_16.T1 | float64) -}} +{{- if $ok_19 -}} +{{- $input = ($f_18 | int) -}} +{{- end -}} +{{- $_ := (set $result $k (min ($input | int64) (((sub ((add $r (((mod $r (2 | int)) | int))) | int) (1 | int)) | int) | int64))) -}} +{{- continue -}} +{{- end -}} +{{- $tmp_tuple_17 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "bool" $v false) ))) "r")) ))) "r") -}} +{{- $ok_21 := $tmp_tuple_17.T2 -}} +{{- $b_20 := $tmp_tuple_17.T1 -}} +{{- if $ok_21 -}} +{{- $_ := (set $result $k $b_20) -}} +{{- continue -}} +{{- end -}} +{{- if (not (empty $v)) -}} +{{- $_ := (set $result $k $v) -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $_is_returning = true -}} +{{- (dict "r" $result) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SecretRef.IsValid" -}} +{{- $sr := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (and (ne $sr (coalesce nil)) (not (empty $sr.key))) (not (empty $sr.name)))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TieredStorageCredentials.IsAccessKeyReferenceValid" -}} +{{- $tsc := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (and (ne $tsc.accessKey (coalesce nil)) (ne $tsc.accessKey.name "")) (ne $tsc.accessKey.key ""))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.TieredStorageCredentials.IsSecretKeyReferenceValid" -}} +{{- $tsc := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $_is_returning = true -}} +{{- (dict "r" (and (and (ne $tsc.secretKey (coalesce nil)) (ne $tsc.secretKey.name "")) (ne $tsc.secretKey.key ""))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/templates/cert-issuers.yaml b/charts/redpanda/redpanda/5.9.2/templates/cert-issuers.yaml new file mode 100644 index 000000000..f5c966752 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/cert-issuers.yaml @@ -0,0 +1,18 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "redpanda.CertIssuers" .) -}} +{{- include "_shims.render-manifest" (list "redpanda.RootCAs" .) -}} diff --git a/charts/redpanda/redpanda/5.9.2/templates/certs.yaml b/charts/redpanda/redpanda/5.9.2/templates/certs.yaml new file mode 100644 index 000000000..08437f58e --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/certs.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "redpanda.ClientCerts" .) -}} diff --git a/charts/redpanda/redpanda/5.9.2/templates/configmap.yaml b/charts/redpanda/redpanda/5.9.2/templates/configmap.yaml new file mode 100644 index 000000000..8c33ab337 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/configmap.yaml @@ -0,0 +1,17 @@ +{{- /* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "redpanda.ConfigMaps" .) -}} diff --git a/charts/redpanda/redpanda/5.9.2/templates/connectors/connectors.yaml b/charts/redpanda/redpanda/5.9.2/templates/connectors/connectors.yaml new file mode 100644 index 000000000..c7dfe6b89 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/connectors/connectors.yaml @@ -0,0 +1,108 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{ if and .Values.connectors.enabled (not .Values.connectors.deployment.create) }} + +{{ $values := .Values }} + +{{/* brokers */}} +{{ $kafkaBrokers := list }} +{{ range (include "seed-server-list" . | mustFromJson) }} + {{ $kafkaBrokers = append $kafkaBrokers (printf "%s:%d" . (int $values.listeners.kafka.port)) }} +{{ end }} + +{{ $connectorsValues := dict + "Values" (dict + "connectors" (dict + "bootstrapServers" (join "," $kafkaBrokers) + "brokerTLS" (dict + "enabled" (include "kafka-internal-tls-enabled" . | fromJson).bool + "ca" (dict + "secretRef" (ternary (printf "%s-default-cert" (include "redpanda.fullname" .)) "" (include "kafka-internal-tls-enabled" . | fromJson).bool) + ) + ) + ) + ) +}} + +{{ $extraVolumes := list }} +{{ $extraVolumeMounts := list }} +{{ $extraEnv := .Values.connectors.deployment.extraEnv }} +{{ $command := list }} +{{ if (include "sasl-enabled" . | fromJson).bool }} + {{ $command = concat $command (list "bash" "-c") }} + {{ $consoleSASLConfig := (printf "set -e; IFS=':' read -r CONNECT_SASL_USERNAME CONNECT_SASL_PASSWORD CONNECT_SASL_MECHANISM < <(grep \"\" $(find /mnt/users/* -print)); CONNECT_SASL_MECHANISM=${CONNECT_SASL_MECHANISM:-%s}; export CONNECT_SASL_USERNAME CONNECT_SASL_PASSWORD CONNECT_SASL_MECHANISM;" ( include "sasl-mechanism" . | lower )) }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " [[ $CONNECT_SASL_MECHANISM == \"SCRAM-SHA-256\" ]] && CONNECT_SASL_MECHANISM=scram-sha-256;" }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " [[ $CONNECT_SASL_MECHANISM == \"SCRAM-SHA-512\" ]] && CONNECT_SASL_MECHANISM=scram-sha-512;" }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " export CONNECT_SASL_MECHANISM;" }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " echo $CONNECT_SASL_PASSWORD > /opt/kafka/connect-password/rc-credentials/password;" }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " exec /opt/kafka/bin/kafka_connect_run.sh" }} + {{ $command = append $command $consoleSASLConfig }} + + {{ $extraVolumes = concat $extraVolumes .Values.connectors.storage.volume }} + + {{ $extraVolumes = append $extraVolumes (dict + "name" (printf "%s-users" (include "redpanda.fullname" .)) + "secret" (dict + "secretName" .Values.auth.sasl.secretRef + ) + )}} + + {{ $extraVolumeMounts = concat $extraVolumeMounts .Values.connectors.storage.volumeMounts }} + + {{ $extraVolumeMounts = append $extraVolumeMounts (dict + "name" (printf "%s-users" (include "redpanda.fullname" .)) + "mountPath" "/mnt/users" + "readOnly" true + )}} + {{ $extraVolumes = append $extraVolumes (dict + "name" (printf "%s-user-password" ((include "redpanda.fullname" .)) | trunc 49) + "emptyDir" (dict) + )}} + {{ $extraVolumeMounts = append $extraVolumeMounts (dict + "name" (printf "%s-user-password" ((include "redpanda.fullname" .)) | trunc 49) + "mountPath" "/opt/kafka/connect-password/rc-credentials" + )}} + {{ $extraEnv = append $extraEnv (dict + "name" "CONNECT_SASL_PASSWORD_FILE" + "value" "rc-credentials/password" + )}} + {{ $connectorsValues := merge $connectorsValues (dict + "Values" (dict + "storage" (dict + "volumeMounts" $extraVolumeMounts + "volume" $extraVolumes + ) + "auth" (dict + "sasl" (dict + "enabled" .Values.auth.sasl.enabled + ) + ) + "deployment" (dict + "command" $command + "extraEnv" $extraEnv + ) + ) + )}} +{{ end }} + +{{ $connectorsValues := merge $connectorsValues (dict "Values" (dict "deployment" (dict "create" (not .Values.connectors.deployment.create)))) }} +{{ $connectorsValues := merge $connectorsValues (dict "Values" (dict "test" (dict "create" (not .Values.connectors.test.create)))) }} +{{ $helmVars := merge $connectorsValues .Subcharts.connectors }} +{{ include (print .Subcharts.connectors.Template.BasePath "/deployment.yaml") $helmVars }} +--- +{{ include (print .Subcharts.connectors.Template.BasePath "/tests/01-mm2-values.yaml") $helmVars }} +{{ end }} diff --git a/charts/redpanda/redpanda/5.9.2/templates/console/configmap-and-deployment.yaml b/charts/redpanda/redpanda/5.9.2/templates/console/configmap-and-deployment.yaml new file mode 100644 index 000000000..358c17ddc --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/console/configmap-and-deployment.yaml @@ -0,0 +1,231 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* Secret */}} +{{ $secretConfig := dict ( dict + "create" $.Values.console.secret.create + ) +}} +{{/* if the console chart has the creation of the secret disabled, create it here instead if needed */}} +{{ if and .Values.console.enabled (not .Values.console.secret.create) }} +{{ $licenseKey := ( include "enterprise-license" . ) }} +# before license changes, this was not printing a secret, so we gather in which case to print +# for now only if we have a license do we print, however, this may be an issue for some +# since if we do include a license we MUST also print all secret items. + {{ if ( not (empty $licenseKey ) ) }} +{{ $secretConfig = ( dict + "create" true + "enterprise" ( dict "license" $licenseKey) + ) +}} + +{{ $config := dict + "Values" (dict + "secret" $secretConfig + )}} + +{{ $secretValues := merge $config .Subcharts.console }} +{{ $wrappedSecretValues := (dict "Chart" .Subcharts.console.Chart "Release" .Release "Values" (dict "AsMap" $secretValues.Values)) }} +--- +{{- include "_shims.render-manifest" (list "console.Secret" $wrappedSecretValues) -}} + {{ end }} +{{ end }} + +{{ $configmap := dict }} +{{/* if the console chart has the creation of the configmap disabled, create it here instead */}} +{{ if and .Values.console.enabled (not .Values.console.configmap.create) }} +{{ $consoleConfigmap := dict "create" true }} + +{{ $consoleConfig := merge .Values.console.config (get ((include "redpanda.ConsoleConfig" (dict "a" (list .))) | fromJson) "r") }} + +{{ $config := dict + "Values" (dict + "console" (dict "config" $consoleConfig) + "configmap" $consoleConfigmap + "secret" $secretConfig + ) +}} + +{{ $configMapValues := merge $config .Subcharts.console }} +--- +{{ $wrappedSecretValues := (dict "Chart" .Subcharts.console.Chart "Release" .Release "Values" (dict "AsMap" $configMapValues.Values)) }} +{{- include "_shims.render-manifest" (list "console.ConfigMap" $wrappedSecretValues) -}} +{{ $configmap = include "_shims.render-manifest" (list "console.ConfigMap" $wrappedSecretValues) }} +{{ end }} + +{{/* Deployment */}} +{{ if and .Values.console.enabled (not .Values.console.deployment.create) }} + +{{ $extraVolumes := list }} +{{ $extraVolumeMounts := list }} +{{ $command := list }} +{{ if (include "sasl-enabled" . | fromJson).bool }} + {{ $command = concat $command (list "sh" "-c") }} + {{ $consoleSASLConfig := (printf "set -e; IFS=':' read -r KAFKA_SASL_USERNAME KAFKA_SASL_PASSWORD KAFKA_SASL_MECHANISM < <(grep \"\" $(find /mnt/users/* -print)); KAFKA_SASL_MECHANISM=${KAFKA_SASL_MECHANISM:-%s}; export KAFKA_SASL_USERNAME KAFKA_SASL_PASSWORD KAFKA_SASL_MECHANISM;" ( include "sasl-mechanism" . )) }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " export KAFKA_SCHEMAREGISTRY_USERNAME=$KAFKA_SASL_USERNAME;" }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " export KAFKA_SCHEMAREGISTRY_PASSWORD=$KAFKA_SASL_PASSWORD;" }} + {{ $consoleSASLConfig = cat $consoleSASLConfig " /app/console $@" }} + {{ $command = append $command $consoleSASLConfig }} + {{ $command = append $command "--" }} + {{ $extraVolumes = append $extraVolumes (dict + "name" (printf "%s-users" (include "redpanda.fullname" .)) + "secret" (dict + "secretName" .Values.auth.sasl.secretRef + ) + )}} + {{ $extraVolumeMounts = append $extraVolumeMounts (dict + "name" (printf "%s-users" (include "redpanda.fullname" .)) + "mountPath" "/mnt/users" + "readOnly" true + ) }} +{{ end }} + +{{ $kafkaTLS := list }} +{{ if (include "kafka-internal-tls-enabled" . | fromJson).bool }} + {{ $service := .Values.listeners.kafka }} + {{ $cert := get .Values.tls.certs $service.tls.cert }} + {{- $secretName := (printf "%s-%s-cert" (include "redpanda.fullname" .) $service.tls.cert) }} + {{- if $cert.secretRef }} + {{- $secretName = $cert.secretRef.name }} + {{- end }} + {{ if $cert.caEnabled }} + {{ $kafkaTLS = append $kafkaTLS (dict + "name" "KAFKA_TLS_CAFILEPATH" + "value" (printf "/mnt/cert/kafka/%s/ca.crt" $service.tls.cert) + )}} + {{ $extraVolumes = append $extraVolumes (dict + "name" (printf "kafka-%s-cert" $service.tls.cert) + "secret" (dict + "defaultMode" 0420 + "secretName" ( $secretName ) + ))}} + {{ $extraVolumeMounts = append $extraVolumeMounts (dict + "name" (printf "kafka-%s-cert" $service.tls.cert) + "mountPath" (printf "/mnt/cert/kafka/%s" $service.tls.cert) + "readOnly" true + )}} + {{ end }} +{{ end }} + +{{ $schemaRegistryTLS := list }} +{{ if (include "schemaRegistry-internal-tls-enabled" . | fromJson).bool }} + {{ $service := .Values.listeners.schemaRegistry }} + {{ $cert := get .Values.tls.certs $service.tls.cert }} + {{- $secretName := (printf "%s-%s-cert" (include "redpanda.fullname" .) $service.tls.cert) }} + {{- if $cert.secretRef }} + {{- $secretName = $cert.secretRef.name }} + {{- end }} + {{ if $cert.caEnabled }} + {{ $schemaRegistryTLS = append $schemaRegistryTLS (dict + "name" "KAFKA_SCHEMAREGISTRY_TLS_CAFILEPATH" + "value" (printf "/mnt/cert/schemaregistry/%s/ca.crt" $service.tls.cert) + )}} + {{ $extraVolumes = append $extraVolumes (dict + "name" (printf "schemaregistry-%s-cert" $service.tls.cert) + "secret" (dict + "defaultMode" 0420 + "secretName" ( $secretName ) + ))}} + {{ $extraVolumeMounts = append $extraVolumeMounts (dict + "name" (printf "schemaregistry-%s-cert" $service.tls.cert) + "mountPath" (printf "/mnt/cert/schemaregistry/%s" $service.tls.cert) + "readOnly" true + )}} + {{ end }} +{{ end }} + +{{ $adminAPI := list }} +{{ if (include "admin-internal-tls-enabled" . | fromJson).bool }} + {{ $service := .Values.listeners.admin }} + {{ $cert := get .Values.tls.certs $service.tls.cert }} + {{- $secretName := (printf "%s-%s-cert" (include "redpanda.fullname" .) $service.tls.cert) }} + {{- if $cert.secretRef }} + {{- $secretName = $cert.secretRef.name }} + {{- end }} + {{ if $cert.caEnabled }} + {{ $extraVolumes = append $extraVolumes (dict + "name" (printf "adminapi-%s-cert" $service.tls.cert) + "secret" (dict + "defaultMode" 0420 + "secretName" ( $secretName ) + ))}} + {{ $extraVolumeMounts = append $extraVolumeMounts (dict + "name" (printf "adminapi-%s-cert" $service.tls.cert) + "mountPath" (printf "/mnt/cert/adminapi/%s" $service.tls.cert) + "readOnly" true + )}} + {{ end }} +{{ end }} + +{{ $enterprise := dict }} +{{ if ( include "enterprise-secret" .) }} + {{ $enterprise = dict + "licenseSecretRef" ( dict + "name" ( include "enterprise-secret-name" . ) + "key" ( include "enterprise-secret-key" . ) + ) + }} +{{ end }} + +{{ $extraEnv := concat $kafkaTLS $schemaRegistryTLS $adminAPI .Values.console.extraEnv }} +{{ $extraVolumes = concat $extraVolumes .Values.console.extraVolumes }} +{{ $extraVolumeMounts = concat $extraVolumeMounts .Values.console.extraVolumeMounts }} +{{ $consoleValues := dict + "Values" (dict + "extraVolumes" $extraVolumes + "extraVolumeMounts" $extraVolumeMounts + "extraEnv" $extraEnv + "secret" $secretConfig + "enterprise" $enterprise + "image" $.Values.console.image + "autoscaling" .Values.console.autoscaling + "replicaCount" .Values.console.replicaCount + "strategy" .Values.console.strategy + "podAnnotations" .Values.console.podAnnotations + "podLabels" .Values.console.podLabels + "imagePullSecrets" .Values.console.imagePullSecrets + "podSecurityContext" .Values.console.podSecurityContext + "secretMounts" .Values.console.secretMounts + "initContainers" .Values.console.initContainers + "extraArgs" .Values.console.extraArgs + "securityContext" .Values.console.securityContext + "livenessProbe" .Values.console.livenessProbe + "readinessProbe" .Values.console.readinessProbe + "resources" .Values.console.resources + "extraContainers" .Values.console.extraContainers + "nodeSelector" .Values.console.nodeSelector + "affinity" .Values.console.affinity + "topologySpreadConstraints" .Values.console.topologySpreadConstraints + "priorityClassName" .Values.console.priorityClassName + "tolerations" .Values.console.tolerations +)}} + +{{ if not (empty $command) }} + {{ $consoleValues := merge $consoleValues (dict "Values" (dict "deployment" (dict "command" $command))) }} +{{ end }} +{{ $consoleValues := merge $consoleValues (dict "Values" (dict "deployment" (dict "create" (not .Values.console.deployment.create)))) }} + +{{ if and .Values.console.enabled (not .Values.console.configmap.create) }} +{{ $consoleValues := merge $consoleValues (dict "Values" (dict "podAnnotations" (dict "checksum-redpanda-chart/config" ( $configmap | toYaml | sha256sum )))) }} +{{ end }} + +{{ $deploymentValues := merge $consoleValues .Subcharts.console }} +{{ $wrappedDeploymentValues := (dict "Chart" .Subcharts.console.Chart "Release" .Release "Values" (dict "AsMap" $deploymentValues.Values)) }} + +--- +{{- include "_shims.render-manifest" (list "console.Deployment" $wrappedDeploymentValues) -}} +{{ end }} diff --git a/charts/redpanda/redpanda/5.9.2/templates/poddisruptionbudget.yaml b/charts/redpanda/redpanda/5.9.2/templates/poddisruptionbudget.yaml new file mode 100644 index 000000000..28688dd27 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/poddisruptionbudget.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "redpanda.PodDisruptionBudget" .) -}} diff --git a/charts/redpanda/redpanda/5.9.2/templates/post-install-upgrade-job.yaml b/charts/redpanda/redpanda/5.9.2/templates/post-install-upgrade-job.yaml new file mode 100644 index 000000000..106872e05 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/post-install-upgrade-job.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "redpanda.PostInstallUpgradeJob" .) -}} diff --git a/charts/redpanda/redpanda/5.9.2/templates/post-upgrade.yaml b/charts/redpanda/redpanda/5.9.2/templates/post-upgrade.yaml new file mode 100644 index 000000000..e4775a7d0 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/post-upgrade.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "redpanda.PostUpgrade" .) -}} diff --git a/charts/redpanda/redpanda/5.9.2/templates/post_upgrade_job.yaml b/charts/redpanda/redpanda/5.9.2/templates/post_upgrade_job.yaml new file mode 100644 index 000000000..0de92dd69 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/post_upgrade_job.yaml @@ -0,0 +1,90 @@ +{{- /* Generated from "post_upgrade_job.go" */ -}} + +{{- define "redpanda.PostUpgrade" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (not $values.post_upgrade_job.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $labels := (default (dict ) $values.post_upgrade_job.labels) -}} +{{- $annotations := (default (dict ) $values.post_upgrade_job.annotations) -}} +{{- $annotations = (merge (dict ) (dict "helm.sh/hook" "post-upgrade" "helm.sh/hook-delete-policy" "before-hook-creation" "helm.sh/hook-weight" "-10" ) $annotations) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) ) "status" (dict ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "batch/v1" "kind" "Job" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (printf "%s-post-upgrade" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r")) "namespace" $dot.Release.Namespace "labels" (merge (dict ) (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") $labels) "annotations" $annotations )) "spec" (mustMergeOverwrite (dict "template" (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) ) (dict "backoffLimit" $values.post_upgrade_job.backoffLimit "template" (get (fromJson (include "redpanda.StrategicMergePatch" (dict "a" (list $values.post_upgrade_job.podTemplate (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "spec" (dict "containers" (coalesce nil) ) ) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $dot.Release.Name "labels" (merge (dict ) (dict "app.kubernetes.io/name" (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r") "app.kubernetes.io/instance" $dot.Release.Name "app.kubernetes.io/component" (printf "%s-post-upgrade" (trunc (50 | int) (get (fromJson (include "redpanda.Name" (dict "a" (list $dot) ))) "r"))) ) $values.commonLabels) )) "spec" (mustMergeOverwrite (dict "containers" (coalesce nil) ) (dict "nodeSelector" $values.nodeSelector "affinity" (merge (dict ) $values.post_upgrade_job.affinity $values.affinity) "tolerations" $values.tolerations "restartPolicy" "Never" "securityContext" (get (fromJson (include "redpanda.PodSecurityContext" (dict "a" (list $dot) ))) "r") "serviceAccountName" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "imagePullSecrets" (default (coalesce nil) $values.imagePullSecrets) "containers" (list (mustMergeOverwrite (dict "name" "" "resources" (dict ) ) (dict "name" "post-upgrade" "image" (printf "%s:%s" $values.image.repository (get (fromJson (include "redpanda.Tag" (dict "a" (list $dot) ))) "r")) "command" (list "/bin/bash" "-c") "args" (list (get (fromJson (include "redpanda.PostUpgradeJobScript" (dict "a" (list $dot) ))) "r")) "env" $values.post_upgrade_job.extraEnv "envFrom" $values.post_upgrade_job.extraEnvFrom "securityContext" (merge (dict ) (get (fromJson (include "_shims.ptr_Deref" (dict "a" (list $values.post_upgrade_job.securityContext (mustMergeOverwrite (dict ) (dict ))) ))) "r") (get (fromJson (include "redpanda.ContainerSecurityContext" (dict "a" (list $dot) ))) "r")) "resources" $values.post_upgrade_job.resources "volumeMounts" (get (fromJson (include "redpanda.DefaultMounts" (dict "a" (list $dot) ))) "r") ))) "volumes" (get (fromJson (include "redpanda.DefaultVolumes" (dict "a" (list $dot) ))) "r") )) ))) ))) "r") )) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.PostUpgradeJobScript" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $script := (list `set -e` ``) -}} +{{- range $key, $value := $values.config.cluster -}} +{{- $tmp_tuple_1 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.asintegral" (dict "a" (list $value) ))) "r")) ))) "r") -}} +{{- $isInt64 := $tmp_tuple_1.T2 -}} +{{- $asInt64 := ($tmp_tuple_1.T1 | int64) -}} +{{- if (and (eq $key "default_topic_replications") $isInt64) -}} +{{- $r := (($values.statefulset.replicas | int) | int64) -}} +{{- $r = ((sub (((add $r (((mod $r (2 | int64)) | int64))) | int64)) (1 | int64)) | int64) -}} +{{- $asInt64 = (min $asInt64 ($r | int64)) -}} +{{- end -}} +{{- $tmp_tuple_2 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "bool" $value false) ))) "r")) ))) "r") -}} +{{- $ok_2 := $tmp_tuple_2.T2 -}} +{{- $asBool_1 := $tmp_tuple_2.T1 -}} +{{- $tmp_tuple_3 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list "string" $value "") ))) "r")) ))) "r") -}} +{{- $ok_4 := $tmp_tuple_3.T2 -}} +{{- $asStr_3 := $tmp_tuple_3.T1 -}} +{{- $tmp_tuple_4 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.typetest" (dict "a" (list (printf "[]%s" "interface {}") $value (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_6 := $tmp_tuple_4.T2 -}} +{{- $asSlice_5 := $tmp_tuple_4.T1 -}} +{{- if (and $ok_2 $asBool_1) -}} +{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set %s %t" $key $asBool_1))) -}} +{{- else -}}{{- if (and $ok_4 (ne $asStr_3 "")) -}} +{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set %s %s" $key $asStr_3))) -}} +{{- else -}}{{- if (and $isInt64 (gt $asInt64 (0 | int64))) -}} +{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set %s %d" $key $asInt64))) -}} +{{- else -}}{{- if (and $ok_6 (gt ((get (fromJson (include "_shims.len" (dict "a" (list $asSlice_5) ))) "r") | int) (0 | int))) -}} +{{- $script = (concat (default (list ) $script) (list (printf `rpk cluster config set %s "[ %s ]"` $key (join "," $asSlice_5)))) -}} +{{- else -}}{{- if (not (empty $value)) -}} +{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set %s %v" $key $value))) -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{- if $_is_returning -}} +{{- break -}} +{{- end -}} +{{- $tmp_tuple_5 := (get (fromJson (include "_shims.compact" (dict "a" (list (get (fromJson (include "_shims.dicttest" (dict "a" (list $values.config.cluster "storage_min_free_bytes" (coalesce nil)) ))) "r")) ))) "r") -}} +{{- $ok_7 := $tmp_tuple_5.T2 -}} +{{- if (not $ok_7) -}} +{{- $script = (concat (default (list ) $script) (list (printf "rpk cluster config set storage_min_free_bytes %d" ((get (fromJson (include "redpanda.Storage.StorageMinFreeBytes" (dict "a" (list $values.storage) ))) "r") | int64)))) -}} +{{- end -}} +{{- if (get (fromJson (include "redpanda.RedpandaAtLeast_23_2_1" (dict "a" (list $dot) ))) "r") -}} +{{- $service := $values.listeners.admin -}} +{{- $caCert := "" -}} +{{- $scheme := "http" -}} +{{- if (get (fromJson (include "redpanda.InternalTLS.IsEnabled" (dict "a" (list $service.tls $values.tls) ))) "r") -}} +{{- $scheme = "https" -}} +{{- $cert := (get (fromJson (include "redpanda.TLSCertMap.MustGet" (dict "a" (list (deepCopy $values.tls.certs) $service.tls.cert) ))) "r") -}} +{{- if $cert.caEnabled -}} +{{- $caCert = (printf "--cacert /etc/tls/certs/%s/ca.crt" $service.tls.cert) -}} +{{- end -}} +{{- end -}} +{{- $url := (printf "%s://%s:%d/v1/debug/restart_service?service=schema-registry" $scheme (get (fromJson (include "redpanda.InternalDomain" (dict "a" (list $dot) ))) "r") (($service.port | int) | int64)) -}} +{{- $script = (concat (default (list ) $script) (list `if [ -d "/etc/secrets/users/" ]; then` ` IFS=":" read -r USER_NAME PASSWORD MECHANISM < <(grep "" $(find /etc/secrets/users/* -print))` ` curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors --ssl-reqd \` (printf ` %s \` $caCert) ` -X PUT -u ${USER_NAME}:${PASSWORD} \` (printf ` %s || true` $url) `fi`)) -}} +{{- end -}} +{{- $script = (concat (default (list ) $script) (list "")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (join "\n" $script)) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/templates/rbac.go.tpl b/charts/redpanda/redpanda/5.9.2/templates/rbac.go.tpl new file mode 100644 index 000000000..38fe5363f --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/rbac.go.tpl @@ -0,0 +1,116 @@ +{{- /* Generated from "rbac.go" */ -}} + +{{- define "redpanda.ClusterRoles" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $crs := (coalesce nil) -}} +{{- $cr_1 := (get (fromJson (include "redpanda.SidecarControllersClusterRole" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $cr_1 (coalesce nil)) -}} +{{- $crs = (concat (default (list ) $crs) (list $cr_1)) -}} +{{- end -}} +{{- if (not $values.rbac.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $crs) | toJson -}} +{{- break -}} +{{- end -}} +{{- $rpkBundleName := (printf "%s-rpk-bundle" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $crs = (concat (default (list ) $crs) (default (list ) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRole" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "nodes") "verbs" (list "get" "list") ))) )) (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRole" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $rpkBundleName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "configmaps" "endpoints" "events" "limitranges" "persistentvolumeclaims" "pods" "pods/log" "replicationcontrollers" "resourcequotas" "serviceaccounts" "services") "verbs" (list "get" "list") ))) ))))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $crs) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.ClusterRoleBindings" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- $crbs := (coalesce nil) -}} +{{- $crb_2 := (get (fromJson (include "redpanda.SidecarControllersClusterRoleBinding" (dict "a" (list $dot) ))) "r") -}} +{{- if (ne $crb_2 (coalesce nil)) -}} +{{- $crbs = (concat (default (list ) $crbs) (list $crb_2)) -}} +{{- end -}} +{{- if (not $values.rbac.enabled) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $crbs) | toJson -}} +{{- break -}} +{{- end -}} +{{- $rpkBundleName := (printf "%s-rpk-bundle" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $crbs = (concat (default (list ) $crbs) (default (list ) (list (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r") )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) )) (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $rpkBundleName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" $rpkBundleName )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) ))))) -}} +{{- $_is_returning = true -}} +{{- (dict "r" $crbs) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SidecarControllersClusterRole" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRBAC)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRole" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "nodes") "verbs" (list "get" "list" "watch") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "persistentvolumes") "verbs" (list "delete" "get" "list" "patch" "update" "watch") ))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SidecarControllersClusterRoleBinding" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRBAC)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "ClusterRoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "ClusterRole" "name" $sidecarControllerName )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SidecarControllersRole" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRBAC)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "rules" (coalesce nil) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "Role" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "rules" (list (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "apps") "resources" (list "statefulsets/status") "verbs" (list "patch" "update") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "secrets" "pods") "verbs" (list "get" "list" "watch") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "apps") "resources" (list "statefulsets") "verbs" (list "get" "patch" "update" "list" "watch") )) (mustMergeOverwrite (dict "verbs" (coalesce nil) ) (dict "apiGroups" (list "") "resources" (list "persistentvolumeclaims") "verbs" (list "delete" "get" "list" "patch" "update" "watch") ))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + +{{- define "redpanda.SidecarControllersRoleBinding" -}} +{{- $dot := (index .a 0) -}} +{{- range $_ := (list 1) -}} +{{- $_is_returning := false -}} +{{- $values := $dot.Values.AsMap -}} +{{- if (or (not $values.statefulset.sideCars.controllers.enabled) (not $values.statefulset.sideCars.controllers.createRBAC)) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (coalesce nil)) | toJson -}} +{{- break -}} +{{- end -}} +{{- $sidecarControllerName := (printf "%s-sidecar-controllers" (get (fromJson (include "redpanda.Fullname" (dict "a" (list $dot) ))) "r")) -}} +{{- $_is_returning = true -}} +{{- (dict "r" (mustMergeOverwrite (dict "metadata" (dict "creationTimestamp" (coalesce nil) ) "roleRef" (dict "apiGroup" "" "kind" "" "name" "" ) ) (mustMergeOverwrite (dict ) (dict "apiVersion" "rbac.authorization.k8s.io/v1" "kind" "RoleBinding" )) (dict "metadata" (mustMergeOverwrite (dict "creationTimestamp" (coalesce nil) ) (dict "name" $sidecarControllerName "namespace" $dot.Release.Namespace "labels" (get (fromJson (include "redpanda.FullLabels" (dict "a" (list $dot) ))) "r") "annotations" $values.serviceAccount.annotations )) "roleRef" (mustMergeOverwrite (dict "apiGroup" "" "kind" "" "name" "" ) (dict "apiGroup" "rbac.authorization.k8s.io" "kind" "Role" "name" $sidecarControllerName )) "subjects" (list (mustMergeOverwrite (dict "kind" "" "name" "" ) (dict "kind" "ServiceAccount" "name" (get (fromJson (include "redpanda.ServiceAccountName" (dict "a" (list $dot) ))) "r") "namespace" $dot.Release.Namespace ))) ))) | toJson -}} +{{- break -}} +{{- end -}} +{{- end -}} + diff --git a/charts/redpanda/redpanda/5.9.2/templates/rbac.yaml b/charts/redpanda/redpanda/5.9.2/templates/rbac.yaml new file mode 100644 index 000000000..d746dda30 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/rbac.yaml @@ -0,0 +1,20 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "redpanda.ClusterRoles" .) -}} +{{- include "_shims.render-manifest" (list "redpanda.ClusterRoleBindings" .) -}} +{{- include "_shims.render-manifest" (list "redpanda.SidecarControllersRole" .) -}} +{{- include "_shims.render-manifest" (list "redpanda.SidecarControllersRoleBinding" .) -}} diff --git a/charts/redpanda/redpanda/5.9.2/templates/secrets.yaml b/charts/redpanda/redpanda/5.9.2/templates/secrets.yaml new file mode 100644 index 000000000..7fa8524d2 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/secrets.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "redpanda.Secrets" .) -}} diff --git a/charts/redpanda/redpanda/5.9.2/templates/service.internal.yaml b/charts/redpanda/redpanda/5.9.2/templates/service.internal.yaml new file mode 100644 index 000000000..572550b7a --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/service.internal.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "redpanda.ServiceInternal" .) -}} diff --git a/charts/redpanda/redpanda/5.9.2/templates/service.loadbalancer.yaml b/charts/redpanda/redpanda/5.9.2/templates/service.loadbalancer.yaml new file mode 100644 index 000000000..12a8562a0 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/service.loadbalancer.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "redpanda.LoadBalancerServices" .) -}} diff --git a/charts/redpanda/redpanda/5.9.2/templates/service.nodeport.yaml b/charts/redpanda/redpanda/5.9.2/templates/service.nodeport.yaml new file mode 100644 index 000000000..da82c9e70 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/service.nodeport.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "redpanda.NodePortService" .) -}} diff --git a/charts/redpanda/redpanda/5.9.2/templates/serviceaccount.yaml b/charts/redpanda/redpanda/5.9.2/templates/serviceaccount.yaml new file mode 100644 index 000000000..5e62c0ec6 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/serviceaccount.yaml @@ -0,0 +1,17 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- include "_shims.render-manifest" (list "redpanda.ServiceAccount" .) -}} diff --git a/charts/redpanda/redpanda/5.9.2/templates/servicemonitor.yaml b/charts/redpanda/redpanda/5.9.2/templates/servicemonitor.yaml new file mode 100644 index 000000000..cafedbf91 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/servicemonitor.yaml @@ -0,0 +1,17 @@ +{{/* + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + */}} +{{- include "_shims.render-manifest" (list "redpanda.ServiceMonitor" .) -}} diff --git a/charts/redpanda/redpanda/5.9.2/templates/statefulset.yaml b/charts/redpanda/redpanda/5.9.2/templates/statefulset.yaml new file mode 100644 index 000000000..d231e4b77 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/statefulset.yaml @@ -0,0 +1,21 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- include "fail-on-unsupported-helm-version" . -}} +{{- include "fail-on-insecure-sasl-logging" . -}} + +{{- include "_shims.render-manifest" (list "redpanda.StatefulSet" .) -}} diff --git a/charts/redpanda/redpanda/5.9.2/templates/tests/test-api-status.yaml b/charts/redpanda/redpanda/5.9.2/templates/tests/test-api-status.yaml new file mode 100644 index 000000000..330a2c4a4 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/tests/test-api-status.yaml @@ -0,0 +1,52 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (not (or (include "tls-enabled" . | fromJson).bool (include "sasl-enabled" . | fromJson).bool)) -}} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-api-status" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + until rpk cluster info \ + --brokers {{ include "redpanda.fullname" . }}-0.{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.kafka.port }} + do sleep 2 + done + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.2/templates/tests/test-auditLogging.yaml b/charts/redpanda/redpanda/5.9.2/templates/tests/test-auditLogging.yaml new file mode 100644 index 000000000..b7d1d2581 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/tests/test-auditLogging.yaml @@ -0,0 +1,91 @@ +{{/* + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/}} +{{/* + This feature is gated by having a license, and it must have sasl enabled, we assume these conditions are met + as part of setting auditLogging being enabled. +*/}} +{{- if and .Values.tests.enabled .Values.auditLogging.enabled (include "redpanda-atleast-23-3-0" . | fromJson).bool }} +{{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-audit-logging" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: { { - toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + set -xe + old_setting=${-//[^x]/} + audit_topic_name="_redpanda.audit_log" + expected_partitions={{ .Values.auditLogging.partitions }} + + # sasl configurations + set +x + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + if [[ -n "$old_setting" ]]; then set -x; fi + + {{- $i := .Values.statefulset.replicas }} + {{- $default_topic_replicas := sub (add $i (mod $i 2)) 1 }} + # wait for post-upgrade job to update the default_topic_replications value + timeout 600 bash -c "until [[ $(rpk cluster config get default_topic_replications) = {{ $default_topic_replicas }} ]]; do sleep 1; done" + + # now run the to determine if we have the right results + # should describe topic without error + rpk topic describe ${audit_topic_name} + # should get the expected values + result=$(rpk topic list | grep ${audit_topic_name}) + name=$(echo $result | awk '{print $1}') + partitions=$(echo $result | awk '{print $2}') + if [ "${name}" != "${audit_topic_name}" ]; then + echo "expected topic name does not match" + exit 1 + fi + if [ ${partitions} != ${expected_partitions} ]; then + echo "expected partition size did not match" + exit 1 + fi + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: +{{- toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.2/templates/tests/test-connector-via-console.yaml b/charts/redpanda/redpanda/5.9.2/templates/tests/test-connector-via-console.yaml new file mode 100644 index 000000000..c50958e54 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/tests/test-connector-via-console.yaml @@ -0,0 +1,165 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled .Values.connectors.enabled .Values.console.enabled }} +{{- $sasl := .Values.auth.sasl }} +{{- $values := .Values }} +{{ $consoleValues := dict "Values" .Values.console "Release" .Release "Chart" .Subcharts.console.Chart }} +{{ $connectorsVars := dict "Values" .Values.connectors "Release" .Release "Chart" .Subcharts.connectors.Chart }} +{{/* brokers */}} +{{- $kafkaBrokers := list }} +{{- range (include "seed-server-list" . | mustFromJson) }} + {{- $kafkaBrokers = append $kafkaBrokers (printf "%s:%s" . ($values.listeners.kafka.port | toString)) }} +{{- end }} +{{- $brokersString := join "," $kafkaBrokers}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . | trunc 54 }}-test-connectors-via-console + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + test-name: test-connectors-via-console + annotations: + test-name: test-connectors-via-console + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + env: + - name: TLS_ENABLED + value: {{ (include "kafka-internal-tls-enabled" . | fromJson).bool | quote }} + command: + - /bin/bash + - -c + - | + set -xe + + trap connectorsState ERR + + connectorsState () { + echo check connectors expand status + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsVars }}:{{ .Values.connectors.connectors.restPort }}/connectors?expand=status + echo check connectors expand info + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsVars }}:{{ .Values.connectors.connectors.restPort }}/connectors?expand=info + echo check connector configuration + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsVars }}:{{ .Values.connectors.connectors.restPort }}/connectors/$CONNECTOR_NAME + echo check connector topics + curl {{ template "curl-options" . }} http://{{ include "connectors.serviceName" $connectorsVars }}:{{ .Values.connectors.connectors.restPort }}/connectors/$CONNECTOR_NAME/topics + } + + {{- if .Values.auth.sasl.enabled }} + set -e + set +x + + echo "SASL enabled: reading credentials from $(find /etc/secrets/users/* -print)" + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + RPK_USER="${REDPANDA_SASL_USERNAME}" + RPK_PASS="${REDPANDA_SASL_PASSWORD}" + RPK_SASL_MECHANISM="${REDPANDA_SASL_MECHANISM}" + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + + JAAS_CONFIG_SOURCE="\"source.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${RPK_USER}\\\\"\" password=\\\\"\"${RPK_PASS}\\\\"\";\"," + JAAS_CONFIG_TARGET="\"target.cluster.sasl.jaas.config\": \"org.apache.kafka.common.security.scram.ScramLoginModule required username=\\\\"\"${RPK_USER}\\\\"\" password=\\\\"\"${RPK_PASS}\\\\"\";\"," + set -x + set +e + {{- end }} + + {{- $testTopic := printf "test-topic-%s" (randNumeric 3) }} + rpk topic create {{ $testTopic }} + rpk topic list + echo "Test message!" | rpk topic produce {{ $testTopic }} + + SECURITY_PROTOCOL=PLAINTEXT + if [[ -n "$RPK_SASL_MECHANISM" && $TLS_ENABLED == "true" ]]; then + SECURITY_PROTOCOL="SASL_SSL" + elif [[ -n "$RPK_SASL_MECHANISM" ]]; then + SECURITY_PROTOCOL="SASL_PLAINTEXT" + elif [[ $TLS_ENABLED == "true" ]]; then + SECURITY_PROTOCOL="SSL" + fi + + CONNECTOR_NAME=mm2-$RANDOM + cat << 'EOF' > /tmp/mm2-conf.json + { + "connectorName": "CONNECTOR_NAME", + "config": { + "connector.class": "org.apache.kafka.connect.mirror.MirrorSourceConnector", + "topics": "{{ $testTopic }}", + "replication.factor": "1", + "tasks.max": "1", + "source.cluster.bootstrap.servers": {{ $brokersString | quote }}, + "target.cluster.bootstrap.servers": {{ $brokersString | quote }}, + "target.cluster.alias": "test-only-redpanda", + "source.cluster.alias": "source", + "key.converter": "org.apache.kafka.connect.converters.ByteArrayConverter", + "value.converter": "org.apache.kafka.connect.converters.ByteArrayConverter", + "source->target.enabled": "true", + "target->source.enabled": "false", + "sync.topic.configs.interval.seconds": "5", + "sync.topics.configs.enabled": "true", + "source.cluster.ssl.truststore.type": "PEM", + "target.cluster.ssl.truststore.type": "PEM", + "source.cluster.ssl.truststore.location": "/opt/kafka/connect-certs/ca/ca.crt", + "target.cluster.ssl.truststore.location": "/opt/kafka/connect-certs/ca/ca.crt", + JAAS_CONFIG_SOURCE + JAAS_CONFIG_TARGET + "source.cluster.security.protocol": "SECURITY_PROTOCOL", + "target.cluster.security.protocol": "SECURITY_PROTOCOL", + "source.cluster.sasl.mechanism": "SASL_MECHANISM", + "target.cluster.sasl.mechanism": "SASL_MECHANISM" + } + } + EOF + + sed -i "s/CONNECTOR_NAME/$CONNECTOR_NAME/g" /tmp/mm2-conf.json + sed -i "s/SASL_MECHANISM/$RPK_SASL_MECHANISM/g" /tmp/mm2-conf.json + sed -i "s/SECURITY_PROTOCOL/$SECURITY_PROTOCOL/g" /tmp/mm2-conf.json + set +x + sed -i "s/JAAS_CONFIG_SOURCE/$JAAS_CONFIG_SOURCE/g" /tmp/mm2-conf.json + sed -i "s/JAAS_CONFIG_TARGET/$JAAS_CONFIG_TARGET/g" /tmp/mm2-conf.json + set -x + + URL=http://{{ include "console.fullname" $consoleValues }}:{{ include "console.containerPort" $consoleValues }}/api/kafka-connect/clusters/connectors/connectors + {{/* outputting to /dev/null because the output contains the user password */}} + echo "Creating mm2 connector" + curl {{ template "curl-options" . }} -H 'Content-Type: application/json' "${URL}" -d @/tmp/mm2-conf.json + + rpk topic consume source.{{ $testTopic }} -n 1 + + echo "Destroying mm2 connector" + curl {{ template "curl-options" . }} -X DELETE "${URL}/${CONNECTOR_NAME}" + + rpk topic list + rpk topic delete {{ $testTopic }} source.{{ $testTopic }} mm2-offset-syncs.test-only-redpanda.internal + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.2/templates/tests/test-console.yaml b/charts/redpanda/redpanda/5.9.2/templates/tests/test-console.yaml new file mode 100644 index 000000000..aeef1117a --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/tests/test-console.yaml @@ -0,0 +1,49 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled .Values.console.enabled -}} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-console" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + curl {{ template "curl-options" . }} http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{ (get (fromJson (include "console.ContainerPort" (dict "a" (list (dict "Values" (dict "AsMap" .Values.console)) )))) "r" ) }}/api/cluster + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.2/templates/tests/test-internal-external-tls-secrets.yaml b/charts/redpanda/redpanda/5.9.2/templates/tests/test-internal-external-tls-secrets.yaml new file mode 100644 index 000000000..53d75bb1b --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/tests/test-internal-external-tls-secrets.yaml @@ -0,0 +1,122 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (include "tls-enabled" . | fromJson).bool ( eq .Values.external.type "NodePort" ) }} + {{- $values := .Values }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-internal-externals-cert-secrets + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - bash + - -c + - | + set -x + + retry() { + local retries="$1" + local command="$2" + + # Run the command, and save the exit code + bash -c $command + local exit_code=$? + + # If the exit code is non-zero (i.e. command failed), and we have not + # reached the maximum number of retries, run the command again + if [[ $exit_code -ne 0 && $retries -gt 0 ]]; then + retry $(($retries - 1)) "$command" + else + # Return the exit code from the command + return $exit_code + fi + } + + {{- range $name, $cert := $values.tls.certs }} + {{- if $cert.secretRef }} + echo testing cert: {{ $name | quote }} + + {{- if eq $cert.secretRef.name "internal-tls-secret" }} + echo "---> testing internal tls" + retry 5 'openssl s_client -verify_return_error -prexit + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key + -connect {{ include "admin-api-urls" $ }}' + {{- end }} + + {{- if eq $cert.secretRef.name "external-tls-secret" }} + echo "---> testing external tls" + + {{- if eq $values.listeners.kafka.external.default.tls.cert $name }} + echo "-----> testing external tls: kafka api" + {{- $port := ( first $values.listeners.kafka.external.default.advertisedPorts ) }} + retry 5 'openssl s_client -verify_return_error -prexit + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key + -connect {{ $values.external.domain }}:{{ $port }}' + {{- end }} + + {{- if and (eq $values.listeners.schemaRegistry.external.default.tls.cert $name) (include "redpanda-22-2-x-without-sasl" $ | fromJson).bool }} + echo "-----> testing external tls: schema registry" + {{- $port := ( first $values.listeners.schemaRegistry.external.default.advertisedPorts ) }} + retry 5 'openssl s_client -verify_return_error -prexit + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key + -connect {{ $values.external.domain }}:{{ $port }}' + {{- end }} + + {{- if and (eq $values.listeners.http.external.default.tls.cert $name) (include "redpanda-22-2-x-without-sasl" $ | fromJson).bool }} + echo "-----> testing external tls: http api" + {{- $port := ( first $values.listeners.http.external.default.advertisedPorts ) }} + retry 5 'openssl s_client -verify_return_error -prexit + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key + -connect {{ $values.external.domain }}:{{ $port }}' + {{- end }} + + {{- end }} + echo "----" + + {{- end }} + {{- end }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.2/templates/tests/test-kafka-internal-tls-status.yaml b/charts/redpanda/redpanda/5.9.2/templates/tests/test-kafka-internal-tls-status.yaml new file mode 100644 index 000000000..dcfc02cbd --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/tests/test-kafka-internal-tls-status.yaml @@ -0,0 +1,62 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (include "kafka-internal-tls-enabled" . | fromJson).bool (not (include "sasl-enabled" . | fromJson).bool) -}} + {{- $service := .Values.listeners.kafka -}} + {{- $cert := get .Values.tls.certs $service.tls.cert -}} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-kafka-internal-tls-status + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + until rpk cluster info \ + --brokers {{ include "redpanda.fullname" .}}-0.{{ include "redpanda.internal.domain" . }}:{{ $service.port }} \ + --tls-enabled \ + {{- if $cert.caEnabled }} + --tls-truststore /etc/tls/certs/{{ $service.tls.cert }}/ca.crt + {{- else }} + {{- /* This is a required field so we use the default in the redpanda debian container */}} + --tls-truststore /etc/ssl/certs/ca-certificates.crt + {{- end }} + do sleep 2 + done + resources: {{ toYaml .Values.statefulset.resources | nindent 12 }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.2/templates/tests/test-kafka-nodelete.yaml b/charts/redpanda/redpanda/5.9.2/templates/tests/test-kafka-nodelete.yaml new file mode 100644 index 000000000..188c2927a --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/tests/test-kafka-nodelete.yaml @@ -0,0 +1,104 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (dig "kafka_nodelete_topics" "[]" $.Values.config.cluster) }} +{{- $noDeleteTopics := .Values.config.cluster.kafka_nodelete_topics }} +{{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-kafka-nodelete + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} +{{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + env: + - name: REDPANDA_BROKERS + value: "{{ include "redpanda.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain | trimSuffix "." }}:{{ .Values.listeners.kafka.port }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + set -e +{{- $cloudStorageFlags := "" }} +{{- if (include "storage-tiered-config" .|fromJson).cloud_storage_enabled }} + {{- $cloudStorageFlags = "-c retention.bytes=80 -c segment.bytes=40 -c redpanda.remote.read=true -c redpanda.remote.write=true"}} +{{- end }} +{{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + if [[ -n "$old_setting" ]]; then set -x; fi +{{- end }} + {{- $i := .Values.statefulset.replicas }} + {{- $default_topic_replicas := sub (add $i (mod $i 2)) 1 }} + # wait for post-upgrade job to update the default_topic_replications value + timeout 120 bash -c "until [[ $(rpk cluster config get default_topic_replications) = {{ $default_topic_replicas }} ]]; do sleep 1; done" + + exists=$(rpk topic list | grep my_sample_topic | awk '{print $1}') + if [[ "$exists" != "my_sample_topic" ]]; then + until rpk topic create my_sample_topic {{ $cloudStorageFlags }} + do sleep 2 + done + fi + + {{- range $i := until 100 }} + echo "Pandas are awesome!" | rpk topic produce my_sample_topic + {{- end }} + sleep 2 + rpk topic consume my_sample_topic -n 1 | grep "Pandas are awesome!" + + # now check if we can delete the topic (we should not) + rpk topic delete my_sample_topic + + {{- if has "my_sample_topic" $noDeleteTopics }} + result=$(rpk topic list | grep my_sample_topic | awk '{print $1}') + if [[ "$result" != "my_sample_topic" ]]; then + echo "topic should not have been deleted" + exit 1 + fi + {{- end }} + + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: {{ toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.2/templates/tests/test-kafka-produce-consume.yaml b/charts/redpanda/redpanda/5.9.2/templates/tests/test-kafka-produce-consume.yaml new file mode 100644 index 000000000..247acc57a --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/tests/test-kafka-produce-consume.yaml @@ -0,0 +1,87 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.tests.enabled }} +{{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-kafka-produce-consume + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} +{{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + env: + - name: REDPANDA_BROKERS + value: "{{ include "redpanda.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain | trimSuffix "." }}:{{ .Values.listeners.kafka.port }}" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + set -e +{{- $cloudStorageFlags := "" }} +{{- if (include "storage-tiered-config" .|fromJson).cloud_storage_enabled }} + {{- $cloudStorageFlags = "-c retention.bytes=80 -c segment.bytes=40 -c redpanda.remote.read=true -c redpanda.remote.write=true"}} +{{- end }} +{{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + if [[ -n "$old_setting" ]]; then set -x; fi +{{- end }} + {{- $i := .Values.statefulset.replicas }} + {{- $default_topic_replicas := sub (add $i (mod $i 2)) 1 }} + # wait for post-upgrade job to update the default_topic_replications value + timeout 600 bash -c "until [[ $(rpk cluster config get default_topic_replications) = {{ $default_topic_replicas }} ]]; do sleep 1; done" + until rpk topic create produce.consume.test.$POD_NAME {{ $cloudStorageFlags }} + do sleep 2 + done + {{- range $i := until 100 }} + echo "Pandas are awesome!" | rpk topic produce produce.consume.test.$POD_NAME + {{- end }} + sleep 2 + rpk topic consume produce.consume.test.$POD_NAME -n 1 | grep "Pandas are awesome!" + rpk topic delete produce.consume.test.$POD_NAME + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: {{ toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.2/templates/tests/test-kafka-sasl-status.yaml b/charts/redpanda/redpanda/5.9.2/templates/tests/test-kafka-sasl-status.yaml new file mode 100644 index 000000000..0519c44bb --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/tests/test-kafka-sasl-status.yaml @@ -0,0 +1,79 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (include "sasl-enabled" . | fromJson).bool }} +{{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-kafka-sasl-status" + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + set -xe + +{{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + if [[ -n "$old_setting" ]]; then set -x; fi +{{- end }} + + until rpk acl user delete myuser + do sleep 2 + done + sleep 3 + + {{ include "rpk-cluster-info" $ }} + {{ include "rpk-acl-user-create" $ }} + {{ include "rpk-acl-create" $ }} + sleep 3 + {{ include "rpk-topic-create" $ }} + {{ include "rpk-topic-describe" $ }} + {{ include "rpk-topic-delete" $ }} + rpk acl user delete myuser + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: +{{- toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.2/templates/tests/test-license-with-console.yaml b/charts/redpanda/redpanda/5.9.2/templates/tests/test-license-with-console.yaml new file mode 100644 index 000000000..1edf7a350 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/tests/test-license-with-console.yaml @@ -0,0 +1,61 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + +http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (include "is-licensed" . | fromJson).bool .Values.console.enabled }} +{{- $consolePort := (get (fromJson (include "console.ContainerPort" (dict "a" (list (dict "Values" (dict "AsMap" .Values.console)) )))) "r" ) }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-license-with-console" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: + runAsUser: 65535 + runAsGroup: 65535 + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: mintel/docker-alpine-bash-curl-jq:latest + command: [ "/bin/bash", "-c" ] + args: + - | + echo "testing that we do NOT have an open source license" + set -xe + + max_iteration=10 + curl -vm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq . + type=$(curl -svm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq -r .console.license.type) + while [[ $max_iteration -gt 0 && ("$type" == "open_source" || "$type" == "") ]]; do + max_iteration=$(( max_iteration - 1 )) + type=$(curl -svm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq -r .console.license.type) + done + if [[ "$type" == "open_source" || "$type" == "" ]]; then + curl -svm3 --fail --retry "120" --retry-max-time "120" http://{{ include "redpanda.fullname" . }}-console.{{ .Release.Namespace }}.svc:{{$consolePort}}/api/cluster/overview | jq . + exit 1 + fi + set +x + echo "license test passed." +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.2/templates/tests/test-lifecycle-scripts.yaml b/charts/redpanda/redpanda/5.9.2/templates/tests/test-lifecycle-scripts.yaml new file mode 100644 index 000000000..5c72e1d9f --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/tests/test-lifecycle-scripts.yaml @@ -0,0 +1,66 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.tests.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-lifecycle" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + env: + - name: SERVICE_NAME + value: {{ include "redpanda.fullname" . }}-0 + command: + - /bin/timeout + - "{{ mul .Values.statefulset.terminationGracePeriodSeconds 2 }}" + - bash + - -xec + - | + /bin/timeout -v {{ div .Values.statefulset.terminationGracePeriodSeconds 2 }} bash -x /var/lifecycle/preStop.sh + ls -l /tmp/preStop* + test -f /tmp/preStopHookStarted + test -f /tmp/preStopHookFinished + + /bin/timeout -v {{ div .Values.statefulset.terminationGracePeriodSeconds 2 }} bash -x /var/lifecycle/postStart.sh + ls -l /tmp/postStart* + test -f /tmp/postStartHookStarted + test -f /tmp/postStartHookFinished + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + - name: lifecycle-scripts + mountPath: /var/lifecycle + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} + - name: lifecycle-scripts + secret: + secretName: {{ (include "redpanda.fullname" . | trunc 50 ) }}-sts-lifecycle + defaultMode: 0o775 + {{- end }} \ No newline at end of file diff --git a/charts/redpanda/redpanda/5.9.2/templates/tests/test-loadbalancer-tls.yaml b/charts/redpanda/redpanda/5.9.2/templates/tests/test-loadbalancer-tls.yaml new file mode 100644 index 000000000..4db3523d2 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/tests/test-loadbalancer-tls.yaml @@ -0,0 +1,173 @@ +{{/* + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + */}} +{{- if and .Values.tests.enabled .Values.tls.enabled ( eq .Values.external.type "LoadBalancer" ) -}} + {{- $values := .Values }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-loadbalancer-tls + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + serviceAccountName: test-loadbalancer-tls-redpanda + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: mintel/docker-alpine-bash-curl-jq:latest + command: + - bash + - -c + - | + set -x + export APISERVER=https://kubernetes.default.svc + export SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount + export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) + export TOKEN=$(cat ${SERVICEACCOUNT}/token) + export CACERT=${SERVICEACCOUNT}/ca.crt + + ip_list="" + + replicas={{ .Values.statefulset.replicas }} + if [ "${replicas}" -lt "1" ]; then + echo "replicas cannot be less than 1" + exit 1 + fi + + range=$(expr $replicas - 1) + ordinal_list=$(seq 0 $range) + + set -e + + for i in $ordinal_list + do + POD_DESC=$(curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \ + -X GET ${APISERVER}/api/v1/namespaces/{{ .Release.Namespace }}/services/lb-{{ template "redpanda.fullname" . }}-$i) + ip=$(echo $POD_DESC | jq -r .status.loadBalancer.ingress[0].ip ) + ip_list="$ip $ip_list" + done + + echo test will be run against $ip_list + echo testing LoadBalancer connectivity + + {{- range $name, $cert := $values.tls.certs }} + {{- if $cert.secretRef }} + {{- if eq $cert.secretRef.name "external-tls-secret" }} + echo "---> testing external tls" + + {{- if eq $values.listeners.kafka.external.default.tls.cert $name }} + echo "-----> testing external tls: kafka api" + {{- $port := ( first $values.listeners.kafka.external.default.advertisedPorts ) }} + + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ + {{- if $cert.caEnabled -}} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end -}} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key -connect $ip:{{ $port }} + done + {{- end }} + + {{- if (include "redpanda-22-2-x-without-sasl" $ | fromJson).bool }} + {{- if eq $values.listeners.schemaRegistry.external.default.tls.cert $name }} + echo "-----> testing external tls: schema registry" + {{- $port := ( first $values.listeners.schemaRegistry.external.default.advertisedPorts ) }} + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ + {{- if $cert.caEnabled -}} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end -}} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key -connect $ip:{{ $port }} + done + {{- end }} + + {{- if eq $values.listeners.http.external.default.tls.cert $name }} + echo "-----> testing external tls: http api" + {{- $port := ( first $values.listeners.http.external.default.advertisedPorts ) }} + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ + {{- if $cert.caEnabled -}} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end -}} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key -connect $ip:{{ $port }} + done + {{- end }} + {{- end }} + + {{- end }} + {{- end }} + {{- end }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: test-loadbalancer-tls-redpanda + annotations: + helm.sh/hook-weight: "-100" + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: test-loadbalancer-tls-redpanda + annotations: + helm.sh/hook-weight: "-100" + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: test-loadbalancer-tls-redpanda +subjects: + - kind: ServiceAccount + name: test-loadbalancer-tls-redpanda + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: test-loadbalancer-tls-redpanda + annotations: + helm.sh/hook-weight: "-100" + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +rules: + - apiGroups: + - "" + resources: + - pods + - services + verbs: + - get + +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.2/templates/tests/test-nodeport-tls.yaml b/charts/redpanda/redpanda/5.9.2/templates/tests/test-nodeport-tls.yaml new file mode 100644 index 000000000..4310eaf3a --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/tests/test-nodeport-tls.yaml @@ -0,0 +1,173 @@ +{{/* + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + */}} +{{- if and .Values.tests.enabled .Values.tls.enabled ( eq .Values.external.type "NodePort" ) -}} + {{- $values := .Values }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-nodeport-tls + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation +spec: + serviceAccountName: test-nodeport-tls-redpanda-no-a-test + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: mintel/docker-alpine-bash-curl-jq:latest + command: + - bash + - -c + - | + set -x + export APISERVER=https://kubernetes.default.svc + export SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount + export NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace) + export TOKEN=$(cat ${SERVICEACCOUNT}/token) + export CACERT=${SERVICEACCOUNT}/ca.crt + + ip_list="" + + replicas={{ .Values.statefulset.replicas }} + if [ "${replicas}" -lt "1" ]; then + echo "replicas cannot be less than 1" + exit 1 + fi + + range=$(expr $replicas - 1) + ordinal_list=$(seq 0 $range) + + set -e + + for i in $ordinal_list + do + POD_DESC=$(curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" \ + -X GET ${APISERVER}/api/v1/namespaces/{{ .Release.Namespace }}/pods/{{ template "redpanda.fullname" . }}-$i) + ip=$(echo $POD_DESC | jq -r .status.hostIP ) + ip_list="$ip $ip_list" + done + + echo test will be run against $ip_list + echo testing NodePort connectivity + {{- range $name, $cert := $values.tls.certs }} + {{- if $cert.secretRef }} + {{- if eq $cert.secretRef.name "external-tls-secret" }} + echo "---> testing external tls" + + {{- if eq $values.listeners.kafka.external.default.tls.cert $name }} + echo "-----> testing external tls: kafka api" + {{- $port := ( first $values.listeners.kafka.external.default.advertisedPorts ) }} + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key \ + -connect ${ip}:{{ $port }} + done + {{- end }} + + {{- if (include "redpanda-22-2-x-without-sasl" $ | fromJson).bool }} + {{- if eq $values.listeners.schemaRegistry.external.default.tls.cert $name }} + echo "-----> testing external tls: schema registry" + {{- $port := ( first $values.listeners.schemaRegistry.external.default.advertisedPorts ) }} + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key \ + -connect ${ip}:{{ $port }} + done + {{- end }} + + {{- if eq $values.listeners.http.external.default.tls.cert $name }} + echo "-----> testing external tls: http api" + {{- $port := ( first $values.listeners.http.external.default.advertisedPorts ) }} + for ip in $ip_list + do + openssl s_client -verify_return_error -prexit \ + {{- if $cert.caEnabled }} + -CAfile {{ printf "/etc/tls/certs/%s" $name }}/ca.crt \ + {{- end }} + -key {{ printf "/etc/tls/certs/%s" $name }}/tls.key \ + -connect ${ip}:{{ $port }} + done + {{- end }} + {{- end }} + + {{- end }} + {{- end }} + {{- end }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: test-nodeport-tls-redpanda-no-a-test + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation + helm.sh/hook-weight: "-100" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: test-nodeport-tls-redpanda-no-a-test + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation + helm.sh/hook-weight: "-100" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: test-nodeport-tls-redpanda-no-a-test +subjects: + - kind: ServiceAccount + name: test-nodeport-tls-redpanda-no-a-test + namespace: {{ .Release.Namespace }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: test-nodeport-tls-redpanda-no-a-test + annotations: + helm.sh/hook: test + helm.sh/hook-delete-policy: before-hook-creation + helm.sh/hook-weight: "-100" +rules: + - apiGroups: + - "" + resources: + - pods + - services + verbs: + - get +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.2/templates/tests/test-pandaproxy-internal-tls-status.yaml b/charts/redpanda/redpanda/5.9.2/templates/tests/test-pandaproxy-internal-tls-status.yaml new file mode 100644 index 000000000..4cb6aaa0f --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/tests/test-pandaproxy-internal-tls-status.yaml @@ -0,0 +1,81 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (include "http-internal-tls-enabled" . | fromJson).bool .Values.listeners.http.enabled (include "redpanda-22-2-x-without-sasl" . | fromJson).bool -}} + {{- $service := .Values.listeners.http -}} + {{- $cert := get .Values.tls.certs $service.tls.cert -}} + {{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-pandaproxy-internal-tls-status + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: [ "/bin/bash", "-c" ] + args: + - | + {{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=":" read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + RPK_USER="${RPK_USER:-${REDPANDA_SASL_USERNAME}}" + RPK_PASS="${RPK_PASS:-${REDPANDA_SASL_PASSWORD}}" + if [[ -n "$old_setting" ]]; then set -x; fi + {{- end }} + + curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors --ssl-reqd \ + {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }} + -u ${RPK_USER}:${RPK_PASS} \ + {{- end }} + {{- if $cert.caEnabled }} + --cacert /etc/tls/certs/{{ $service.tls.cert }}/ca.crt \ + {{- end }} + https://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.http.port }}/brokers + + curl -svm3 --fail --retry "120" --retry-max-time "120" --retry-all-errors --ssl-reqd \ + {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }} + -u ${RPK_USER}:${RPK_PASS} \ + {{- end }} + {{- if $cert.caEnabled }} + --cacert /etc/tls/certs/{{ $service.tls.cert }}/ca.crt \ + {{- end }} + https://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.http.port }}/topics + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: {{ toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end -}} diff --git a/charts/redpanda/redpanda/5.9.2/templates/tests/test-pandaproxy-status.yaml b/charts/redpanda/redpanda/5.9.2/templates/tests/test-pandaproxy-status.yaml new file mode 100644 index 000000000..4f5ee6bb7 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/tests/test-pandaproxy-status.yaml @@ -0,0 +1,72 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if and .Values.tests.enabled (not (include "http-internal-tls-enabled" . | fromJson).bool) .Values.listeners.http.enabled (include "redpanda-22-2-x-without-sasl" . | fromJson).bool -}} + {{- $sasl := .Values.auth.sasl }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-pandaproxy-status" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: [ "/bin/bash", "-c" ] + args: + - | + {{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=: read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + RPK_USER="${RPK_USER:-${REDPANDA_SASL_USERNAME}}" + RPK_PASS="${RPK_PASS:-${REDPANDA_SASL_PASSWORD}}" + if [[ -n "$old_setting" ]]; then set -x; fi + {{- end }} + + curl {{ template "curl-options" . }} \ + {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }} + -u ${RPK_USER}:${RPK_PASS} \ + {{- end }} + http://{{ include "redpanda.servicename" . }}:{{ .Values.listeners.http.port }}/brokers + + curl {{ template "curl-options" . }} \ + {{- if or (include "sasl-enabled" .|fromJson).bool .Values.listeners.http.authenticationMethod }} + -u ${RPK_USER}:${RPK_PASS} \ + {{- end }} + http://{{ include "redpanda.servicename" . }}:{{ .Values.listeners.http.port }}/topics + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.2/templates/tests/test-prometheus-targets.yaml b/charts/redpanda/redpanda/5.9.2/templates/tests/test-prometheus-targets.yaml new file mode 100644 index 000000000..81f83a34e --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/tests/test-prometheus-targets.yaml @@ -0,0 +1,84 @@ +{{/* + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + */}} + +{{- if and .Values.tests.enabled .Values.monitoring.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-prometheus-targets" + namespace: {{ .Release.Namespace | quote }} + labels: + {{- with include "full.labels" . }} + {{- . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: registry.gitlab.com/gitlab-ci-utils/curl-jq:latest + command: [ "/bin/bash", "-c" ] + args: + - | + set -xe + + HEALTHY=$( curl {{ template "curl-options" . }} http://prometheus-operated.prometheus.svc.cluster.local:9090/-/healthy) + if [ $HEALTHY != 200 ]; then + echo "prometheus is not healthy, exiting" + exit 1 + fi + + echo "prometheus is healthy, checking if ready..." + + READY=$( curl {{ template "curl-options" . }} http://prometheus-operated.prometheus.svc.cluster.local:9090/-/ready) + if [ $READY != 200 ]; then + echo "prometheus is not ready, exiting" + exit 1 + fi + + echo "prometheus is ready, requesting target information..." + + + curl_prometheus() { + + # Run the command, and save the exit code + # from: https://prometheus.io/docs/prometheus/latest/querying/api/ + local RESULT=$( curl {{ template "curl-options" . }} http://prometheus-operated.prometheus.svc.cluster.local:9090/api/v1/targets?scrapePool=serviceMonitor/{{ .Release.Namespace }}/{{ include "redpanda.fullname" . }}/0 | jq '.data.activeTargets[].health | select(. == "up")' | wc -l ) + + echo $RESULT + } + for d in $(seq 1 30); do + RESULT=$(curl_prometheus) + if [ $RESULT == {{ .Values.statefulset.replicas }} ]; then + break + fi + sleep 15 + done + + set +x + if [ $RESULT != {{ .Values.statefulset.replicas }} ]; then + curl --fail http://prometheus-operated.prometheus.svc.cluster.local:9090/api/v1/targets?scrapePool=serviceMonitor/{{ .Release.Namespace }}/{{ include "redpanda.fullname" . }}/0 | jq . + echo "the number of targets unexpected; got ${RESULT} targets 'up', but was expecting {{ .Values.statefulset.replicas }}" + exit 1 + fi +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.2/templates/tests/test-rack-awareness.yaml b/charts/redpanda/redpanda/5.9.2/templates/tests/test-rack-awareness.yaml new file mode 100644 index 000000000..82a31937f --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/tests/test-rack-awareness.yaml @@ -0,0 +1,61 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} +{{- if .Values.tests.enabled }} +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-rack-awareness + namespace: {{ .Release.Namespace | quote }} +{{- with include "full.labels" . }} + labels: {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} +{{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} +{{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /bin/bash + - -c + - | + set -e +{{- if and .Values.rackAwareness.enabled (include "redpanda-atleast-22-3-0" . | fromJson).bool }} + curl {{ template "curl-options" . }} \ + {{- if (include "tls-enabled" . | fromJson).bool }} + {{- if (dig "default" "caEnabled" false .Values.tls.certs) }} + --cacert "/etc/tls/certs/default/ca.crt" \ + {{- end }} + https://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.admin.port }}/v1/node_config | grep '"rack":"rack[1-4]"' + {{- else }} + http://{{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.admin.port }}/v1/node_config | grep '"rack":"rack[1-4]"' + {{- end }} +{{- end }} + + rpk redpanda admin config print --host {{ include "redpanda.internal.domain" . }}:{{ .Values.listeners.admin.port }} | grep '"enable_rack_awareness": {{ .Values.rackAwareness.enabled }}' + + rpk cluster config get enable_rack_awareness + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} \ No newline at end of file diff --git a/charts/redpanda/redpanda/5.9.2/templates/tests/test-rpk-debug-bundle.yaml b/charts/redpanda/redpanda/5.9.2/templates/tests/test-rpk-debug-bundle.yaml new file mode 100644 index 000000000..3230f0881 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/tests/test-rpk-debug-bundle.yaml @@ -0,0 +1,104 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{/* + +This test currently fails because of a bug where when multiple containers exist +The api returns an error. We should be requesting logs from each container. + + +{{- if and .Values.tests.enabled .Values.rbac.enabled (include "redpanda-atleast-23-1-1" .|fromJson).bool -}} + {{- $sasl := .Values.auth.sasl }} + {{- $useSaslSecret := and $sasl.enabled (not (empty $sasl.secretRef )) }} + + +apiVersion: v1 +kind: Pod +metadata: + name: {{ include "redpanda.fullname" . }}-test-rpk-debug-bundle + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + statefulset.kubernetes.io/pod-name: {{ include "redpanda.fullname" . }}-0 + topologyKey: kubernetes.io/hostname + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + initContainers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository}}:{{ template "redpanda.tag" . }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + - name: shared-data + mountPath: /usr/share/redpanda/test + - name: datadir + mountPath: /var/lib/redpanda/data + command: + - /bin/bash + - -c + - | + set -e + {{- if .Values.auth.sasl.enabled }} + old_setting=${-//[^x]/} + set +x + IFS=: read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + if [[ -n "$old_setting" ]]; then set -x; fi + {{- end }} + rpk debug bundle -o /usr/share/redpanda/test/debug-test.zip -n {{ .Release.Namespace }} + containers: + - name: {{ template "redpanda.name" . }}-tester + image: busybox:latest + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + - name: shared-data + mountPath: /test + command: + - /bin/ash + - -c + - | + set -e + unzip /test/debug-test.zip -d /tmp/bundle + + test -f /tmp/bundle/logs/{{ .Release.Namespace }}-0.txt + test -f /tmp/bundle/logs/{{ .Release.Namespace }}-1.txt + test -f /tmp/bundle/logs/{{ .Release.Namespace }}-2.txt + + test -d /tmp/bundle/controller + + test -f /tmp/bundle/k8s/pods.json + test -f /tmp/bundle/k8s/configmaps.json + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end -}} +*/}} \ No newline at end of file diff --git a/charts/redpanda/redpanda/5.9.2/templates/tests/test-sasl-updated.yaml b/charts/redpanda/redpanda/5.9.2/templates/tests/test-sasl-updated.yaml new file mode 100644 index 000000000..5f61be552 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/templates/tests/test-sasl-updated.yaml @@ -0,0 +1,71 @@ +{{/* +Licensed to the Apache Software Foundation (ASF) under one or more +contributor license agreements. See the NOTICE file distributed with +this work for additional information regarding copyright ownership. +The ASF licenses this file to You under the Apache License, Version 2.0 +(the "License"); you may not use this file except in compliance with +the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/}} + +{{- if and .Values.tests.enabled (include "sasl-enabled" . | fromJson).bool (eq .Values.auth.sasl.secretRef "some-users") -}} +apiVersion: v1 +kind: Pod +metadata: + name: "{{ include "redpanda.fullname" . }}-test-update-sasl-users" + namespace: {{ .Release.Namespace | quote }} + labels: +{{- with include "full.labels" . }} + {{- . | nindent 4 }} +{{- end }} + annotations: + "helm.sh/hook": test + "helm.sh/hook-delete-policy": before-hook-creation +spec: + restartPolicy: Never + securityContext: {{ include "pod-security-context" . | nindent 4 }} + {{- with .Values.imagePullSecrets }} + imagePullSecrets: {{- toYaml . | nindent 4 }} + {{- end }} + containers: + - name: {{ template "redpanda.name" . }} + image: {{ .Values.image.repository }}:{{ template "redpanda.tag" . }} + command: + - /usr/bin/timeout + - "120" + - bash + - -c + - | + set -e + IFS=: read -r {{ include "rpk-sasl-environment-variables" . }} < <(grep "" $(find /etc/secrets/users/* -print)) + {{- if (include "redpanda-atleast-23-2-1" . | fromJson).bool }} + RPK_SASL_MECHANISM=${RPK_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- else }} + REDPANDA_SASL_MECHANISM=${REDPANDA_SASL_MECHANISM:-{{ .Values.auth.sasl.mechanism | upper }}} + {{- end }} + export {{ include "rpk-sasl-environment-variables" . }} + + set -x + + # check that the users list did update + ready_result_exit_code=1 + while [[ ${ready_result_exit_code} -ne 0 ]]; do + ready_result=$(rpk acl user list | grep anotheranotherme 2>&1) && ready_result_exit_code=$? + sleep 2 + done + + # check that sasl is not broken + {{ include "rpk-cluster-info" $ }} + volumeMounts: {{ include "default-mounts" . | nindent 8 }} + resources: +{{- toYaml .Values.statefulset.resources | nindent 12 }} + securityContext: {{ include "container-security-context" . | nindent 8 }} + volumes: {{ include "default-volumes" . | nindent 4 }} +{{- end }} diff --git a/charts/redpanda/redpanda/5.9.2/values.schema.json b/charts/redpanda/redpanda/5.9.2/values.schema.json new file mode 100644 index 000000000..d22adcc2b --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/values.schema.json @@ -0,0 +1,5494 @@ +{ + "$id": "https://github.com/redpanda-data/helm-charts/charts/redpanda/values", + "$schema": "https://json-schema.org/draft/2020-12/schema", + "description": "DO NOT EDIT!. This file was generated by ./cmd/genschema/genschema.go", + "properties": { + "affinity": { + "properties": { + "nodeAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "items": { + "properties": { + "preference": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "properties": { + "nodeSelectorTerms": { + "items": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "podAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "podAntiAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "auditLogging": { + "properties": { + "clientMaxBufferSize": { + "type": "integer" + }, + "enabled": { + "type": "boolean" + }, + "enabledEventTypes": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "excludedPrincipals": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "excludedTopics": { + "oneOf": [ + { + "items": { + "type": "string" + }, + "type": "array" + }, + { + "type": "null" + } + ] + }, + "listener": { + "type": "string" + }, + "partitions": { + "type": "integer" + }, + "queueDrainIntervalMs": { + "type": "integer" + }, + "queueMaxBufferSizePerShard": { + "type": "integer" + }, + "replicationFactor": { + "oneOf": [ + { + "type": "integer" + }, + { + "type": "null" + } + ] + } + }, + "type": "object" + }, + "auth": { + "properties": { + "sasl": { + "properties": { + "enabled": { + "type": "boolean" + }, + "mechanism": { + "type": "string" + }, + "secretRef": { + "type": "string" + }, + "users": { + "items": { + "properties": { + "mechanism": { + "pattern": "^(SCRAM-SHA-512|SCRAM-SHA-256)$", + "type": "string" + }, + "name": { + "type": "string" + }, + "password": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "required": [ + "enabled" + ], + "type": "object" + } + }, + "required": [ + "sasl" + ], + "type": "object" + }, + "clusterDomain": { + "type": "string" + }, + "commonLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "config": { + "properties": { + "cluster": { + "type": "object" + }, + "node": { + "type": "object" + }, + "pandaproxy_client": { + "properties": { + "consumer_heartbeat_interval_ms": { + "type": "integer" + }, + "consumer_rebalance_timeout_ms": { + "type": "integer" + }, + "consumer_request_max_bytes": { + "type": "integer" + }, + "consumer_request_timeout_ms": { + "type": "integer" + }, + "consumer_session_timeout_ms": { + "type": "integer" + }, + "produce_batch_delay_ms": { + "type": "integer" + }, + "produce_batch_record_count": { + "type": "integer" + }, + "produce_batch_size_bytes": { + "type": "integer" + }, + "retries": { + "type": "integer" + }, + "retry_base_backoff_ms": { + "type": "integer" + } + }, + "type": "object" + }, + "rpk": { + "type": "object" + }, + "schema_registry_client": { + "properties": { + "consumer_heartbeat_interval_ms": { + "type": "integer" + }, + "consumer_rebalance_timeout_ms": { + "type": "integer" + }, + "consumer_request_max_bytes": { + "type": "integer" + }, + "consumer_request_timeout_ms": { + "type": "integer" + }, + "consumer_session_timeout_ms": { + "type": "integer" + }, + "produce_batch_delay_ms": { + "type": "integer" + }, + "produce_batch_record_count": { + "type": "integer" + }, + "produce_batch_size_bytes": { + "type": "integer" + }, + "retries": { + "type": "integer" + }, + "retry_base_backoff_ms": { + "type": "integer" + } + }, + "type": "object" + }, + "tunable": { + "additionalProperties": true, + "properties": { + "group_initial_rebalance_delay": { + "type": "integer" + }, + "log_retention_ms": { + "type": "integer" + } + }, + "type": "object" + } + }, + "required": [ + "cluster", + "node", + "tunable" + ], + "type": "object" + }, + "connectors": { + "properties": { + "connectors": { + "properties": { + "fullnameOverwrite": { + "type": "string" + }, + "restPort": { + "type": "integer" + } + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + } + }, + "type": "object" + }, + "console": { + "properties": { + "console": { + "properties": { + "config": { + "type": "object" + } + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + } + }, + "type": "object" + }, + "enterprise": { + "properties": { + "license": { + "type": "string" + }, + "licenseSecretRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "external": { + "properties": { + "addresses": { + "items": { + "type": "string" + }, + "type": "array" + }, + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "domain": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "externalDns": { + "properties": { + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled" + ], + "type": "object" + }, + "prefixTemplate": { + "type": "string" + }, + "service": { + "properties": { + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled" + ], + "type": "object" + }, + "sourceRanges": { + "items": { + "type": "string" + }, + "type": "array" + }, + "type": { + "pattern": "^(LoadBalancer|NodePort)$", + "type": "string" + } + }, + "required": [ + "enabled" + ], + "type": "object" + }, + "force": { + "type": "boolean" + }, + "fullnameOverride": { + "type": "string" + }, + "image": { + "description": "Values used to define the container image to be used for Redpanda", + "properties": { + "pullPolicy": { + "description": "The Kubernetes Pod image pull policy.", + "pattern": "^(Always|Never|IfNotPresent)$", + "type": "string" + }, + "repository": { + "default": "docker.redpanda.com/redpandadata/redpanda", + "description": "container image repository", + "type": "string" + }, + "tag": { + "default": "Chart.appVersion", + "description": "The container image tag. Use the Redpanda release version. Must be a valid semver prefixed with a 'v'.", + "pattern": "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$|^$", + "type": "string" + } + }, + "required": [ + "repository", + "pullPolicy" + ], + "type": "object" + }, + "imagePullSecrets": { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "license_key": { + "deprecated": true, + "pattern": "^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?\\.(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$|^$", + "type": "string" + }, + "license_secret_ref": { + "deprecated": true, + "properties": { + "secret_key": { + "type": "string" + }, + "secret_name": { + "type": "string" + } + }, + "type": "object" + }, + "listeners": { + "properties": { + "admin": { + "properties": { + "appProtocol": { + "type": "string" + }, + "external": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "advertisedPorts": { + "items": { + "type": "integer" + }, + "minItems": 1, + "type": "array" + }, + "enabled": { + "type": "boolean" + }, + "nodePort": { + "type": "integer" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "port" + ], + "type": "object" + } + }, + "type": "object" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" + } + }, + "required": [ + "port", + "tls" + ], + "type": "object" + }, + "http": { + "properties": { + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "none", + "http_basic" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "enabled": { + "type": "boolean" + }, + "external": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "advertisedPorts": { + "items": { + "type": "integer" + }, + "minItems": 1, + "type": "array" + }, + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "none", + "http_basic" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "enabled": { + "type": "boolean" + }, + "nodePort": { + "type": "integer" + }, + "port": { + "type": "integer" + }, + "prefixTemplate": { + "type": "string" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "port" + ], + "type": "object" + } + }, + "type": "object" + }, + "kafkaEndpoint": { + "pattern": "^[A-Za-z_-][A-Za-z0-9_-]*$", + "type": "string" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" + } + }, + "required": [ + "enabled", + "tls", + "kafkaEndpoint", + "port" + ], + "type": "object" + }, + "kafka": { + "properties": { + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "sasl", + "none", + "mtls_identity" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "external": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "advertisedPorts": { + "items": { + "type": "integer" + }, + "minItems": 1, + "type": "array" + }, + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "sasl", + "none", + "mtls_identity" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "enabled": { + "type": "boolean" + }, + "nodePort": { + "type": "integer" + }, + "port": { + "type": "integer" + }, + "prefixTemplate": { + "type": "string" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "port" + ], + "type": "object" + } + }, + "type": "object" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" + } + }, + "required": [ + "tls", + "port" + ], + "type": "object" + }, + "rpc": { + "properties": { + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" + } + }, + "required": [ + "port", + "tls" + ], + "type": "object" + }, + "schemaRegistry": { + "properties": { + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "none", + "http_basic" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "enabled": { + "type": "boolean" + }, + "external": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "advertisedPorts": { + "items": { + "type": "integer" + }, + "minItems": 1, + "type": "array" + }, + "authenticationMethod": { + "oneOf": [ + { + "enum": [ + "none", + "http_basic" + ], + "type": "string" + }, + { + "type": "null" + } + ] + }, + "enabled": { + "type": "boolean" + }, + "nodePort": { + "type": "integer" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "kafkaEndpoint": { + "pattern": "^[A-Za-z_-][A-Za-z0-9_-]*$", + "type": "string" + }, + "port": { + "type": "integer" + }, + "tls": { + "properties": { + "cert": { + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "requireClientAuth": { + "type": "boolean" + }, + "trustStore": { + "maxProperties": 1, + "minProperties": 1, + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "cert", + "requireClientAuth" + ], + "type": "object" + } + }, + "required": [ + "enabled", + "kafkaEndpoint", + "port", + "tls" + ], + "type": "object" + } + }, + "required": [ + "admin", + "http", + "kafka", + "schemaRegistry", + "rpc" + ], + "type": "object" + }, + "logging": { + "properties": { + "logLevel": { + "pattern": "^(error|warn|info|debug|trace)$", + "type": "string" + }, + "usageStats": { + "properties": { + "clusterId": { + "type": "string" + }, + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled" + ], + "type": "object" + } + }, + "required": [ + "logLevel", + "usageStats" + ], + "type": "object" + }, + "monitoring": { + "properties": { + "enableHttp2": { + "type": "boolean" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "scrapeInterval": { + "type": "string" + }, + "tlsConfig": { + "properties": { + "ca": { + "properties": { + "configMap": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secret": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "caFile": { + "type": "string" + }, + "cert": { + "properties": { + "configMap": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "secret": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "certFile": { + "type": "string" + }, + "insecureSkipVerify": { + "type": "boolean" + }, + "keyFile": { + "type": "string" + }, + "keySecret": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "serverName": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "enabled", + "scrapeInterval" + ], + "type": "object" + }, + "nameOverride": { + "type": "string" + }, + "nodeSelector": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "post_install_job": { + "properties": { + "affinity": { + "properties": { + "nodeAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "items": { + "properties": { + "preference": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "properties": { + "nodeSelectorTerms": { + "items": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "podAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "podAntiAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "podTemplate": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "spec": { + "properties": { + "containers": { + "items": { + "properties": { + "env": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "enum": [ + "redpanda", + "post-install", + "post-upgrade" + ], + "type": "string" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" + }, + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "name", + "env" + ], + "type": "object" + }, + "type": "array" + }, + "securityContext": { + "properties": { + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "enum": [ + "OnRootMismatch", + "Always" + ], + "type": "string" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "supplementalGroups": { + "items": { + "type": "integer" + }, + "type": "array" + }, + "sysctls": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "containers" + ], + "type": "object" + } + }, + "required": [ + "labels", + "annotations", + "spec" + ], + "type": "object" + }, + "resources": { + "properties": { + "claims": { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" + }, + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "post_upgrade_job": { + "properties": { + "affinity": { + "properties": { + "nodeAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "items": { + "properties": { + "preference": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "properties": { + "nodeSelectorTerms": { + "items": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchFields": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "podAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "podAntiAffinity": { + "properties": { + "preferredDuringSchedulingIgnoredDuringExecution": { + "items": { + "properties": { + "podAffinityTerm": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "weight": { + "type": "integer" + } + }, + "type": "object" + }, + "type": "array" + }, + "requiredDuringSchedulingIgnoredDuringExecution": { + "items": { + "properties": { + "labelSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "matchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "mismatchLabelKeys": { + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "properties": { + "matchExpressions": { + "items": { + "properties": { + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "namespaces": { + "items": { + "type": "string" + }, + "type": "array" + }, + "topologyKey": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "backoffLimit": { + "type": "integer" + }, + "enabled": { + "type": "boolean" + }, + "extraEnv": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "extraEnvFrom": { + "items": { + "properties": { + "configMapRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "prefix": { + "type": "string" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "podTemplate": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "spec": { + "properties": { + "containers": { + "items": { + "properties": { + "env": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "enum": [ + "redpanda", + "post-install", + "post-upgrade" + ], + "type": "string" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" + }, + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "name", + "env" + ], + "type": "object" + }, + "type": "array" + }, + "securityContext": { + "properties": { + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "enum": [ + "OnRootMismatch", + "Always" + ], + "type": "string" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "supplementalGroups": { + "items": { + "type": "integer" + }, + "type": "array" + }, + "sysctls": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "containers" + ], + "type": "object" + } + }, + "required": [ + "labels", + "annotations", + "spec" + ], + "type": "object" + }, + "resources": { + "properties": { + "claims": { + "items": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "limits": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + }, + "requests": { + "additionalProperties": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "type": "object" + } + }, + "type": "object" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" + }, + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "rackAwareness": { + "properties": { + "enabled": { + "type": "boolean" + }, + "nodeAnnotation": { + "type": "string" + } + }, + "required": [ + "enabled", + "nodeAnnotation" + ], + "type": "object" + }, + "rbac": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled", + "annotations" + ], + "type": "object" + }, + "resources": { + "properties": { + "cpu": { + "properties": { + "cores": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "overprovisioned": { + "type": "boolean" + } + }, + "required": [ + "cores" + ], + "type": "object" + }, + "memory": { + "properties": { + "container": { + "properties": { + "max": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "min": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + } + }, + "required": [ + "max" + ], + "type": "object" + }, + "enable_memory_locking": { + "type": "boolean" + }, + "redpanda": { + "properties": { + "memory": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "reserveMemory": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + } + }, + "type": "object" + } + }, + "required": [ + "container" + ], + "type": "object" + } + }, + "required": [ + "cpu", + "memory" + ], + "type": "object" + }, + "service": { + "properties": { + "internal": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "serviceAccount": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "create": { + "type": "boolean" + }, + "name": { + "type": "string" + } + }, + "required": [ + "create", + "name", + "annotations" + ], + "type": "object" + }, + "statefulset": { + "properties": { + "additionalRedpandaCmdFlags": { + "items": { + "type": "string" + }, + "type": "array" + }, + "additionalSelectorLabels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "budget": { + "properties": { + "maxUnavailable": { + "type": "integer" + } + }, + "required": [ + "maxUnavailable" + ], + "type": "object" + }, + "extraVolumeMounts": { + "type": "string" + }, + "extraVolumes": { + "type": "string" + }, + "initContainerImage": { + "properties": { + "repository": { + "type": "string" + }, + "tag": { + "type": "string" + } + }, + "type": "object" + }, + "initContainers": { + "properties": { + "configurator": { + "properties": { + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + } + }, + "type": "object" + }, + "extraInitContainers": { + "type": "string" + }, + "fsValidator": { + "properties": { + "enabled": { + "type": "boolean" + }, + "expectedFS": { + "type": "string" + }, + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + } + }, + "type": "object" + }, + "setDataDirOwnership": { + "properties": { + "enabled": { + "type": "boolean" + }, + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + } + }, + "type": "object" + }, + "setTieredStorageCacheDirOwnership": { + "properties": { + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + } + }, + "type": "object" + }, + "tuning": { + "properties": { + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "livenessProbe": { + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + } + }, + "required": [ + "initialDelaySeconds", + "failureThreshold", + "periodSeconds" + ], + "type": "object" + }, + "nodeAffinity": { + "type": "object" + }, + "nodeSelector": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "podAffinity": { + "type": "object" + }, + "podAntiAffinity": { + "properties": { + "custom": { + "type": "object" + }, + "topologyKey": { + "type": "string" + }, + "type": { + "pattern": "^(hard|soft|custom)$", + "type": "string" + }, + "weight": { + "type": "integer" + } + }, + "required": [ + "topologyKey", + "type", + "weight" + ], + "type": "object" + }, + "podSecurityContext": { + "deprecated": true, + "properties": { + "allowPriviledgeEscalation": { + "type": "boolean" + }, + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "enum": [ + "OnRootMismatch", + "Always" + ], + "type": "string" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + } + }, + "type": "object" + }, + "podTemplate": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "spec": { + "properties": { + "containers": { + "items": { + "properties": { + "env": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + }, + "fieldRef": { + "properties": { + "apiVersion": { + "type": "string" + }, + "fieldPath": { + "type": "string" + } + }, + "type": "object" + }, + "resourceFieldRef": { + "properties": { + "containerName": { + "type": "string" + }, + "divisor": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "resource": { + "type": "string" + } + }, + "type": "object" + }, + "secretKeyRef": { + "properties": { + "key": { + "type": "string" + }, + "name": { + "type": "string" + }, + "optional": { + "type": "boolean" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "type": "array" + }, + "name": { + "enum": [ + "redpanda", + "post-install", + "post-upgrade" + ], + "type": "string" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" + }, + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "name", + "env" + ], + "type": "object" + }, + "type": "array" + }, + "securityContext": { + "properties": { + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "enum": [ + "OnRootMismatch", + "Always" + ], + "type": "string" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "supplementalGroups": { + "items": { + "type": "integer" + }, + "type": "array" + }, + "sysctls": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "required": [ + "containers" + ], + "type": "object" + } + }, + "required": [ + "labels", + "annotations", + "spec" + ], + "type": "object" + }, + "priorityClassName": { + "type": "string" + }, + "readinessProbe": { + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + }, + "successThreshold": { + "type": "integer" + }, + "timeoutSeconds": { + "type": "integer" + } + }, + "required": [ + "initialDelaySeconds", + "failureThreshold", + "periodSeconds" + ], + "type": "object" + }, + "replicas": { + "type": "integer" + }, + "securityContext": { + "deprecated": true, + "properties": { + "allowPriviledgeEscalation": { + "type": "boolean" + }, + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "fsGroup": { + "type": "integer" + }, + "fsGroupChangePolicy": { + "enum": [ + "OnRootMismatch", + "Always" + ], + "type": "string" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + } + }, + "type": "object" + }, + "sideCars": { + "properties": { + "configWatcher": { + "properties": { + "enabled": { + "type": "boolean" + }, + "extraVolumeMounts": { + "type": "string" + }, + "resources": { + "type": "object" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" + }, + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "controllers": { + "properties": { + "createRBAC": { + "type": "boolean" + }, + "enabled": { + "type": "boolean" + }, + "healthProbeAddress": { + "type": "string" + }, + "image": { + "properties": { + "repository": { + "default": "docker.redpanda.com/redpandadata/redpanda-operator", + "type": "string" + }, + "tag": { + "default": "Chart.appVersion", + "pattern": "^v(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$|^$", + "type": "string" + } + }, + "required": [ + "tag", + "repository" + ], + "type": "object" + }, + "metricsAddress": { + "type": "string" + }, + "resources": true, + "run": { + "items": { + "type": "string" + }, + "type": "array" + }, + "securityContext": { + "properties": { + "allowPrivilegeEscalation": { + "type": "boolean" + }, + "capabilities": { + "properties": { + "add": { + "items": { + "type": "string" + }, + "type": "array" + }, + "drop": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, + "privileged": { + "type": "boolean" + }, + "procMount": { + "type": "string" + }, + "readOnlyRootFilesystem": { + "type": "boolean" + }, + "runAsGroup": { + "type": "integer" + }, + "runAsNonRoot": { + "type": "boolean" + }, + "runAsUser": { + "type": "integer" + }, + "seLinuxOptions": { + "properties": { + "level": { + "type": "string" + }, + "role": { + "type": "string" + }, + "type": { + "type": "string" + }, + "user": { + "type": "string" + } + }, + "type": "object" + }, + "seccompProfile": { + "properties": { + "localhostProfile": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "windowsOptions": { + "properties": { + "gmsaCredentialSpec": { + "type": "string" + }, + "gmsaCredentialSpecName": { + "type": "string" + }, + "hostProcess": { + "type": "boolean" + }, + "runAsUserName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "startupProbe": { + "properties": { + "failureThreshold": { + "type": "integer" + }, + "initialDelaySeconds": { + "type": "integer" + }, + "periodSeconds": { + "type": "integer" + } + }, + "required": [ + "initialDelaySeconds", + "failureThreshold", + "periodSeconds" + ], + "type": "object" + }, + "terminationGracePeriodSeconds": { + "type": "integer" + }, + "tolerations": { + "items": { + "properties": { + "effect": { + "type": "string" + }, + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "tolerationSeconds": { + "type": "integer" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "topologySpreadConstraints": { + "items": { + "properties": { + "maxSkew": { + "type": "integer" + }, + "topologyKey": { + "type": "string" + }, + "whenUnsatisfiable": { + "pattern": "^(ScheduleAnyway|DoNotSchedule)$", + "type": "string" + } + }, + "type": "object" + }, + "minItems": 1, + "type": "array" + }, + "updateStrategy": { + "properties": { + "type": { + "pattern": "^(RollingUpdate|OnDelete)$", + "type": "string" + } + }, + "required": [ + "type" + ], + "type": "object" + } + }, + "required": [ + "additionalSelectorLabels", + "replicas", + "updateStrategy", + "podTemplate", + "budget", + "startupProbe", + "livenessProbe", + "readinessProbe", + "podAffinity", + "podAntiAffinity", + "nodeSelector", + "priorityClassName", + "topologySpreadConstraints", + "tolerations", + "securityContext", + "sideCars" + ], + "type": "object" + }, + "storage": { + "properties": { + "hostPath": { + "type": "string" + }, + "persistentVolume": { + "deprecated": true, + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "nameOverwrite": { + "type": "string" + }, + "size": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "storageClass": { + "type": "string" + } + }, + "required": [ + "annotations", + "enabled", + "labels", + "size", + "storageClass" + ], + "type": "object" + }, + "tiered": { + "properties": { + "config": { + "properties": { + "cloud_storage_access_key": { + "type": "string" + }, + "cloud_storage_api_endpoint": { + "type": "string" + }, + "cloud_storage_api_endpoint_port": { + "type": "integer" + }, + "cloud_storage_azure_adls_endpoint": { + "type": "string" + }, + "cloud_storage_azure_adls_port": { + "type": "integer" + }, + "cloud_storage_bucket": { + "type": "string" + }, + "cloud_storage_cache_check_interval": { + "type": "integer" + }, + "cloud_storage_cache_directory": { + "type": "string" + }, + "cloud_storage_cache_size": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "cloud_storage_credentials_source": { + "pattern": "^(config_file|aws_instance_metadata|sts|gcp_instance_metadata)$", + "type": "string" + }, + "cloud_storage_disable_tls": { + "type": "boolean" + }, + "cloud_storage_enable_remote_read": { + "type": "boolean" + }, + "cloud_storage_enable_remote_write": { + "type": "boolean" + }, + "cloud_storage_enabled": { + "type": "boolean" + }, + "cloud_storage_initial_backoff_ms": { + "type": "integer" + }, + "cloud_storage_manifest_upload_timeout_ms": { + "type": "integer" + }, + "cloud_storage_max_connection_idle_time_ms": { + "type": "integer" + }, + "cloud_storage_max_connections": { + "type": "integer" + }, + "cloud_storage_reconciliation_interval_ms": { + "type": "integer" + }, + "cloud_storage_region": { + "type": "string" + }, + "cloud_storage_secret_key": { + "type": "string" + }, + "cloud_storage_segment_max_upload_interval_sec": { + "type": "integer" + }, + "cloud_storage_segment_upload_timeout_ms": { + "type": "integer" + }, + "cloud_storage_trust_file": { + "type": "string" + }, + "cloud_storage_upload_ctrl_d_coeff": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_max_shares": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_min_shares": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_p_coeff": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_update_interval_ms": { + "type": "integer" + } + }, + "required": [ + "cloud_storage_enabled", + "cloud_storage_bucket", + "cloud_storage_region" + ], + "type": "object" + }, + "credentialsSecretRef": { + "properties": { + "accessKey": { + "properties": { + "configurationKey": { + "type": "string" + }, + "key": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "configurationKey": { + "deprecated": true, + "type": "string" + }, + "key": { + "deprecated": true, + "type": "string" + }, + "name": { + "deprecated": true, + "type": "string" + }, + "secretKey": { + "properties": { + "configurationKey": { + "type": "string" + }, + "key": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "object" + }, + "hostPath": { + "type": "string" + }, + "mountType": { + "pattern": "^(none|hostPath|emptyDir|persistentVolume)$", + "type": "string" + }, + "persistentVolume": { + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "nameOverwrite": { + "type": "string" + }, + "size": { + "type": "string" + }, + "storageClass": { + "type": "string" + } + }, + "required": [ + "annotations", + "labels", + "storageClass" + ], + "type": "object" + } + }, + "required": [ + "mountType" + ], + "type": "object" + }, + "tieredConfig": { + "deprecated": true, + "properties": { + "cloud_storage_access_key": { + "type": "string" + }, + "cloud_storage_api_endpoint": { + "type": "string" + }, + "cloud_storage_api_endpoint_port": { + "type": "integer" + }, + "cloud_storage_azure_adls_endpoint": { + "type": "string" + }, + "cloud_storage_azure_adls_port": { + "type": "integer" + }, + "cloud_storage_bucket": { + "type": "string" + }, + "cloud_storage_cache_check_interval": { + "type": "integer" + }, + "cloud_storage_cache_directory": { + "type": "string" + }, + "cloud_storage_cache_size": { + "oneOf": [ + { + "type": "integer" + }, + { + "pattern": "^[0-9]+(\\.[0-9]){0,1}(m|k|M|G|T|P|Ki|Mi|Gi|Ti|Pi)?$", + "type": "string" + } + ] + }, + "cloud_storage_credentials_source": { + "pattern": "^(config_file|aws_instance_metadata|sts|gcp_instance_metadata)$", + "type": "string" + }, + "cloud_storage_disable_tls": { + "type": "boolean" + }, + "cloud_storage_enable_remote_read": { + "type": "boolean" + }, + "cloud_storage_enable_remote_write": { + "type": "boolean" + }, + "cloud_storage_enabled": { + "type": "boolean" + }, + "cloud_storage_initial_backoff_ms": { + "type": "integer" + }, + "cloud_storage_manifest_upload_timeout_ms": { + "type": "integer" + }, + "cloud_storage_max_connection_idle_time_ms": { + "type": "integer" + }, + "cloud_storage_max_connections": { + "type": "integer" + }, + "cloud_storage_reconciliation_interval_ms": { + "type": "integer" + }, + "cloud_storage_region": { + "type": "string" + }, + "cloud_storage_secret_key": { + "type": "string" + }, + "cloud_storage_segment_max_upload_interval_sec": { + "type": "integer" + }, + "cloud_storage_segment_upload_timeout_ms": { + "type": "integer" + }, + "cloud_storage_trust_file": { + "type": "string" + }, + "cloud_storage_upload_ctrl_d_coeff": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_max_shares": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_min_shares": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_p_coeff": { + "type": "integer" + }, + "cloud_storage_upload_ctrl_update_interval_ms": { + "type": "integer" + } + }, + "type": "object" + }, + "tieredStorageHostPath": { + "deprecated": true, + "type": "string" + }, + "tieredStoragePersistentVolume": { + "deprecated": true, + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + }, + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + }, + "storageClass": { + "type": "string" + } + }, + "required": [ + "annotations", + "enabled", + "labels", + "storageClass" + ], + "type": "object" + } + }, + "required": [ + "hostPath", + "tiered", + "persistentVolume" + ], + "type": "object" + }, + "tests": { + "properties": { + "enabled": { + "type": "boolean" + } + }, + "type": "object" + }, + "tls": { + "properties": { + "certs": { + "minProperties": 1, + "patternProperties": { + "^[A-Za-z_][A-Za-z0-9_]*$": { + "properties": { + "applyInternalDNSNames": { + "type": "boolean" + }, + "caEnabled": { + "type": "boolean" + }, + "clientSecretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + }, + "duration": { + "pattern": ".*[smh]$", + "type": "string" + }, + "enabled": { + "type": "boolean" + }, + "issuerRef": { + "properties": { + "group": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "name": { + "type": "string" + } + }, + "type": "object" + }, + "secretRef": { + "properties": { + "name": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "caEnabled" + ], + "type": "object" + } + }, + "type": "object" + }, + "enabled": { + "type": "boolean" + } + }, + "required": [ + "enabled", + "certs" + ], + "type": "object" + }, + "tolerations": { + "items": { + "properties": { + "effect": { + "type": "string" + }, + "key": { + "type": "string" + }, + "operator": { + "type": "string" + }, + "tolerationSeconds": { + "type": "integer" + }, + "value": { + "type": "string" + } + }, + "type": "object" + }, + "type": "array" + }, + "tuning": { + "properties": { + "ballast_file_path": { + "type": "string" + }, + "ballast_file_size": { + "type": "string" + }, + "tune_aio_events": { + "type": "boolean" + }, + "tune_ballast_file": { + "type": "boolean" + }, + "tune_clocksource": { + "type": "boolean" + }, + "well_known_io": { + "type": "string" + } + }, + "type": "object" + } + }, + "required": [ + "affinity", + "image" + ], + "type": "object" +} diff --git a/charts/redpanda/redpanda/5.9.2/values.yaml b/charts/redpanda/redpanda/5.9.2/values.yaml new file mode 100644 index 000000000..c1f8f1081 --- /dev/null +++ b/charts/redpanda/redpanda/5.9.2/values.yaml @@ -0,0 +1,1321 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# This file contains values for variables referenced from yaml files in the templates directory. +# +# For further information on Helm templating see the documentation at: +# https://helm.sh/docs/chart_template_guide/values_files/ + +# +# >>> This chart requires Helm version 3.6.0 or greater <<< +# + +# Common settings +# +# -- Override `redpanda.name` template. +nameOverride: "" +# -- Override `redpanda.fullname` template. +fullnameOverride: "" +# -- Default Kubernetes cluster domain. +clusterDomain: cluster.local +# -- Additional labels to add to all Kubernetes objects. +# For example, `my.k8s.service: redpanda`. +commonLabels: {} +# -- Node selection constraints for scheduling Pods, can override this for StatefulSets. +# For details, +# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). +nodeSelector: {} +# -- Affinity constraints for scheduling Pods, can override this for StatefulSets and Jobs. +# For details, +# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity). +affinity: {} +# -- Taints to be tolerated by Pods, can override this for StatefulSets. +# For details, +# see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). +tolerations: [] + +# -- Redpanda Docker image settings. +image: + # -- Docker repository from which to pull the Redpanda Docker image. + repository: docker.redpanda.com/redpandadata/redpanda + # -- The Redpanda version. + # See DockerHub for: + # [All stable versions](https://hub.docker.com/r/redpandadata/redpanda/tags) + # and [all unstable versions](https://hub.docker.com/r/redpandadata/redpanda-unstable/tags). + # @default -- `Chart.appVersion`. + tag: "" + # -- The imagePullPolicy. + # If `image.tag` is 'latest', the default is `Always`. + pullPolicy: IfNotPresent + +# -- Redpanda Service settings. +# service: +# -- set service.name to override the default service name +# name: redpanda +# -- internal Service +# internal: +# -- add annotations to the internal Service +# annotations: {} +# +# -- eg. for a bare metal install using external-dns +# annotations: +# "external-dns.alpha.kubernetes.io/hostname": redpanda.domain.dom +# "external-dns.alpha.kubernetes.io/endpoints-type": HostIP + +# -- Pull secrets may be used to provide credentials to image repositories +# See the [Kubernetes documentation](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/). +imagePullSecrets: [] + +# -- DEPRECATED Enterprise license key (optional). +# For details, +# see the [License documentation](https://docs.redpanda.com/docs/get-started/licenses/?platform=kubernetes#redpanda-enterprise-edition). +license_key: "" +# -- DEPRECATED Secret name and secret key where the license key is stored. +license_secret_ref: {} + # secret_name: my-secret + # secret_key: key-where-license-is-stored + +# -- Audit logging for a redpanda cluster, must have enabled sasl and have one kafka listener supporting sasl authentication +# for audit logging to work. Note this feature is only available for redpanda versions >= v23.3.0. +auditLogging: + # -- Enable or disable audit logging, for production clusters we suggest you enable, + # however, this will only work if you also enable sasl and a listener with sasl enabled. + enabled: false + # -- Kafka listener name, note that it must have `authenticationMethod` set to `sasl`. + # For external listeners, use the external listener name, such as `default`. + listener: internal + # -- Integer value defining the number of partitions used by a newly created audit topic. + partitions: 12 + # -- Event types that should be captured by audit logs, default is [`admin`, `authenticate`, `management`]. + enabledEventTypes: + # -- List of topics to exclude from auditing, default is null. + excludedTopics: + # -- List of principals to exclude from auditing, default is null. + excludedPrincipals: + # -- Defines the number of bytes (in bytes) allocated by the internal audit client for audit messages. + clientMaxBufferSize: 16777216 + # -- In ms, frequency in which per shard audit logs are batched to client for write to audit log. + queueDrainIntervalMs: 500 + # -- Defines the maximum amount of memory used (in bytes) by the audit buffer in each shard. + queueMaxBufferSizePerShard: 1048576 + # -- Defines the replication factor for a newly created audit log topic. This configuration applies + # only to the audit log topic and may be different from the cluster or other topic configurations. + # This cannot be altered for existing audit log topics. Setting this value is optional. If a value is not provided, + # Redpanda will use the `internal_topic_replication_factor cluster` config value. Default is `null` + replicationFactor: + +# -- Enterprise (optional) +# For details, +# see the [License documentation](https://docs.redpanda.com/docs/get-started/licenses/?platform=kubernetes#redpanda-enterprise-edition). +enterprise: + # -- license (optional). + license: "" + # -- Secret name and key where the license key is stored. + licenseSecretRef: {} + # name: my-secret + # key: key-where-license-is-stored + +# -- Rack Awareness settings. +# For details, +# see the [Rack Awareness documentation](https://docs.redpanda.com/docs/manage/kubernetes/kubernetes-rack-awareness/). +rackAwareness: + # -- When running in multiple racks or availability zones, use a Kubernetes Node + # annotation value as the Redpanda rack value. + # Enabling this requires running with a service account with "get" Node permissions. + # To have the Helm chart configure these permissions, + # set `serviceAccount.create=true` and `rbac.enabled=true`. + enabled: false + # -- The common well-known annotation to use as the rack ID. + # Override this only if you use a custom Node annotation. + nodeAnnotation: topology.kubernetes.io/zone + +# +# -- Redpanda Console settings. +# For a reference of configuration settings, +# see the [Redpanda Console documentation](https://docs.redpanda.com/docs/reference/console/config/). +console: + enabled: true + configmap: + create: false + secret: + create: false + deployment: + create: false + config: {} + +# +# -- Redpanda Managed Connectors settings +# For a reference of configuration settings, +# see the [Redpanda Connectors documentation](https://docs.redpanda.com/docs/deploy/deployment-option/cloud/managed-connectors/). +connectors: + enabled: false + deployment: + create: false + test: + create: false + +# -- Authentication settings. +# For details, +# see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/). +auth: + sasl: + # -- Enable SASL authentication. + # If you enable SASL authentication, you must provide a Secret in `auth.sasl.secretRef`. + enabled: false + # -- The authentication mechanism to use for the superuser. Options are `SCRAM-SHA-256` and `SCRAM-SHA-512`. + mechanism: SCRAM-SHA-512 + # -- A Secret that contains your superuser credentials. + # For details, + # see the [SASL documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/sasl-kubernetes/#use-secrets). + secretRef: "redpanda-users" + # -- Optional list of superusers. + # These superusers will be created in the Secret whose name is defined in `auth.sasl.secretRef`. + # If this list is empty, + # the Secret in `auth.sasl.secretRef` must already exist in the cluster before you deploy the chart. + # Uncomment the sample list if you wish to try adding sample sasl users or override to use your own. + users: [] + # - name: admin + # password: change-me + # mechanism: SCRAM-SHA-512 + +# -- TLS settings. +# For details, see the [TLS documentation](https://docs.redpanda.com/docs/manage/kubernetes/security/kubernetes-tls/). +tls: + # -- Enable TLS globally for all listeners. + # Each listener must include a Certificate name in its `.tls` object. + # To allow you to enable TLS for individual listeners, + # Certificates in `auth.tls.certs` are always loaded, even if `tls.enabled` is `false`. + # See `listeners..tls.enabled`. + enabled: true + # -- List all Certificates here, + # then you can reference a specific Certificate's name + # in each listener's `listeners..tls.cert` setting. + certs: + # -- This key is the Certificate name. + # To apply the Certificate to a specific listener, + # reference the Certificate's name in `listeners..tls.cert`. + default: + # -- To use a custom pre-installed Issuer, + # add its name and kind to the `issuerRef` object. + # issuerRef: + # name: redpanda-default-root-issuer + # kind: Issuer # Can be Issuer or ClusterIssuer + # -- To use a secret with custom tls files, + # secretRef: + # name: my-tls-secret + # -- Set the `caEnabled` flag to `true` only for Certificates + # that are not authenticated using public authorities. + caEnabled: true + # duration: 43800h + # if you wish to have Kubernetes internal dns names (IE the headless service of the redpanda StatefulSet) included in `dnsNames` of the certificate even, when supplying an issuer. + # applyInternalDNSNames: false + # -- Example external tls configuration + # uncomment and set the right key to the listeners that require them + # also enable the tls setting for those listeners. + external: + # -- To use a custom pre-installed Issuer, + # add its name and kind to the `issuerRef` object. + # issuerRef: + # name: redpanda-default-root-issuer + # kind: Issuer # Can be Issuer or ClusterIssuer + # -- To use a secret with custom tls files, + # secretRef: + # name: my-tls-secret + # -- Set the `caEnabled` flag to `true` only for Certificates + # that are not authenticated using public authorities. + caEnabled: true + # duration: 43800h + # if you wish to for apply internal dns names to the certificate even when supplying an issuer + # applyInternalDNSNames: false + +# -- External access settings. +# For details, +# see the [Networking and Connectivity documentation](https://docs.redpanda.com/docs/manage/kubernetes/networking/networking-and-connectivity/). +external: + # -- Service allows you to manage the creation of an external kubernetes service object + service: + # -- Enabled if set to false will not create the external service type + # You can still set your cluster with external access but not create the supporting service (NodePort/LoadBalander). + # Set this to false if you rather manage your own service. + enabled: true + # -- Enable external access for each Service. + # You can toggle external access for each listener in + # `listeners..external..enabled`. + enabled: true + # -- External access type. Only `NodePort` and `LoadBalancer` are supported. + # If undefined, then advertised listeners will be configured in Redpanda, + # but the helm chart will not create a Service. + # You must create a Service manually. + # Warning: If you use LoadBalancers, you will likely experience higher latency and increased packet loss. + # NodePort is recommended in cases where latency is a priority. + type: NodePort + # Optional source range for external access. Only applicable when external.type is LoadBalancer + # sourceRanges: [] + # -- Optional domain advertised to external clients + # If specified, then it will be appended to the `external.addresses` values as each broker's advertised address + # domain: local + # Optional list of addresses that the Redpanda brokers advertise. + # Provide one entry for each broker in order of StatefulSet replicas. + # The number of brokers is defined in statefulset.replicas. + # The values can be IP addresses or DNS names. + # If external.domain is set, the domain is appended to these values. + # There is an option to define a single external address for all brokers and leverage + # prefixTemplate as it will be calculated during initContainer execution. + # addresses: + # - redpanda-0 + # - redpanda-1 + # - redpanda-2 + # + # annotations: + # For example: + # cloud.google.com/load-balancer-type: "Internal" + # service.beta.kubernetes.io/aws-load-balancer-type: nlb + # If you enable externalDns, each LoadBalancer service instance + # will be annotated with external-dns hostname + # matching external.addresses + external.domain + # externalDns: + # enabled: true + # prefixTemplate: "" + +# -- Log-level settings. +logging: + # -- Log level + # Valid values (from least to most verbose) are: `warn`, `info`, `debug`, and `trace`. + logLevel: info + # -- Send usage statistics back to Redpanda Data. + # For details, + # see the [stats reporting documentation](https://docs.redpanda.com/docs/cluster-administration/monitoring/#stats-reporting). + usageStats: + # Enable the `rpk.enable_usage_stats` property. + enabled: true + # Your cluster ID (optional) + # clusterId: your-helm-cluster + +# -- Monitoring. +# This will create a ServiceMonitor that can be used by Prometheus-Operator or VictoriaMetrics-Operator to scrape the metrics. +monitoring: + enabled: false + scrapeInterval: 30s + labels: {} + # Enables http2 for scraping metrics for prometheus. Used when Istio's mTLS is enabled and using tlsConfig. + # enableHttp2: true + # tlsConfig: + # caFile: /etc/prom-certs/root-cert.pem + # certFile: /etc/prom-certs/cert-chain.pem + # insecureSkipVerify: true + # keyFile: /etc/prom-certs/key.pem + +# -- Pod resource management. +# This section simplifies resource allocation +# by providing a single location where resources are defined. +# Helm sets these resource values within the `statefulset.yaml` and `configmap.yaml` templates. +# +# The default values are for a development environment. +# Production-level values and other considerations are documented, +# where those values are different from the default. +# For details, +# see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/). +resources: + # + # -- CPU resources. + # For details, + # see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/#configure-cpu-resources). + cpu: + # -- Redpanda makes use of a thread per core model. + # For details, see this [blog](https://redpanda.com/blog/tpc-buffers). + # For this reason, Redpanda should only be given full cores. + # + # Note: You can increase cores, but decreasing cores is not currently supported. + # See the [GitHub issue](https://github.com/redpanda-data/redpanda/issues/350). + # + # This setting is equivalent to `--smp`, `resources.requests.cpu`, and `resources.limits.cpu`. + # For production, use `4` or greater. + # + # To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for + # CPU resource requests and limits. This policy gives the Pods running Redpanda brokers + # access to exclusive CPUs on the node. See + # https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy. + cores: 1 + # + # -- Overprovisioned means Redpanda won't assume it has all of the provisioned CPU. + # This should be true unless the container has CPU affinity. + # Equivalent to: `--idle-poll-time-us 0 --thread-affinity 0 --poll-aio 0` + # + # If the value of full cores in `resources.cpu.cores` is less than `1`, this + # setting is set to `true`. + # overprovisioned: false + # + # -- Memory resources + # For details, + # see the [Pod resources documentation](https://docs.redpanda.com/docs/manage/kubernetes/manage-resources/#configure-memory-resources). + memory: + # -- Enables memory locking. + # For production, set to `true`. + # enable_memory_locking: false + # + # It is recommended to have at least 2Gi of memory per core for the Redpanda binary. + # This memory is taken from the total memory given to each container. + # The Helm chart allocates 80% of the container's memory to Redpanda, leaving the rest for + # the Seastar subsystem (reserveMemory) and other container processes. + # So at least 2.5Gi per core is recommended in order to ensure Redpanda has a full 2Gi. + # + # These values affect `--memory` and `--reserve-memory` flags passed to Redpanda and the memory + # requests/limits in the StatefulSet. + # Valid suffixes: k, M, G, T, P, Ki, Mi, Gi, Ti, Pi + # To create `Guaranteed` Pod QoS for Redpanda brokers, provide both container max and min values for the container. + # For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # * Every container in the Pod must have a memory limit and a memory request. + # * For every container in the Pod, the memory limit must equal the memory request. + # + container: + # Minimum memory count for each Redpanda broker. + # If omitted, the `min` value is equal to the `max` value (requested resources defaults to limits). + # This setting is equivalent to `resources.requests.memory`. + # For production, use 10Gi or greater. + # min: 2.5Gi + # + # -- Maximum memory count for each Redpanda broker. + # Equivalent to `resources.limits.memory`. + # For production, use `10Gi` or greater. + max: 2.5Gi + # + # This optional `redpanda` object allows you to specify the memory size for both the Redpanda + # process and the underlying reserved memory used by Seastar. + # This section is omitted by default, and memory sizes are calculated automatically + # based on container memory. + # Uncommenting this section and setting memory and reserveMemory values will disable + # automatic calculation. + # + # If you are setting the following values manually, keep in mind the following guidelines. + # Getting this wrong may lead to performance issues, instability, and loss of data: + # The amount of memory to allocate to a container is determined by the sum of three values: + # 1. Redpanda (at least 2Gi per core, ~80% of the container's total memory) + # 2. Seastar subsystem (200Mi * 0.2% of the container's total memory, 200Mi < x < 1Gi) + # 3. Other container processes (whatever small amount remains) + # redpanda: + # Memory for the Redpanda process. + # This must be lower than the container's memory (resources.memory.container.min if provided, otherwise + # resources.memory.container.max). + # Equivalent to --memory. + # For production, use 8Gi or greater. + # memory: 2Gi + # + # Memory reserved for the Seastar subsystem. + # Any value above 1Gi will provide diminishing performance benefits. + # Equivalent to --reserve-memory. + # For production, use 1Gi. + # reserveMemory: 200Mi + +# -- Persistence settings. +# For details, see the [storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/configure-storage/). +storage: + # -- Absolute path on the host to store Redpanda's data. + # If unspecified, then an `emptyDir` volume is used. + # If specified but `persistentVolume.enabled` is true, `storage.hostPath` has no effect. + hostPath: "" + # -- If `persistentVolume.enabled` is true, a PersistentVolumeClaim is created and + # used to store Redpanda's data. Otherwise, `storage.hostPath` is used. + persistentVolume: + enabled: true + size: 20Gi + # -- To disable dynamic provisioning, set to `-`. + # If undefined or empty (default), then no storageClassName spec is set, + # and the default dynamic provisioner is chosen (gp2 on AWS, standard on + # GKE, AWS & OpenStack). + storageClass: "" + # -- Additional labels to apply to the created PersistentVolumeClaims. + labels: {} + # -- Additional annotations to apply to the created PersistentVolumeClaims. + annotations: {} + # -- Option to change volume claim template name for tiered storage persistent volume + # if tiered.mountType is set to `persistentVolume` + nameOverwrite: "" + # + # Settings for the Tiered Storage cache. + # For details, + # see the [Tiered Storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/tiered-storage/#caching). + + tiered: + # mountType can be one of: + # - none: does not mount a volume. Tiered storage will use the data directory. + # - hostPath: will allow you to chose a path on the Node the pod is running on + # - emptyDir: will mount a fresh empty directory every time the pod starts + # - persistentVolume: creates and mounts a PersistentVolumeClaim + mountType: emptyDir + + # For the maximum size of the disk cache, see `tieredConfig.cloud_storage_cache_size`. + # + # -- Absolute path on the host to store Redpanda's Tiered Storage cache. + hostPath: "" + # PersistentVolumeClaim to be created for the Tiered Storage cache and + # used to store data retrieved from cloud storage, such as S3). + persistentVolume: + # -- To disable dynamic provisioning, set to "-". + # If undefined or empty (default), then no storageClassName spec is set, + # and the default dynamic provisioner is chosen (gp2 on AWS, standard on + # GKE, AWS & OpenStack). + storageClass: "" + # -- Additional labels to apply to the created PersistentVolumeClaims. + labels: {} + # -- Additional annotations to apply to the created PersistentVolumeClaims. + annotations: {} + + # credentialsSecretRef can be used to set `cloud_storage_secret_key` and/or `cloud_storage_access_key` from + # referenced Kubernetes Secret + credentialsSecretRef: + accessKey: + # https://docs.redpanda.com/current/reference/cluster-properties/#cloud_storage_access_key + configurationKey: cloud_storage_access_key + # name: + # key: + secretKey: + # https://docs.redpanda.com/current/reference/cluster-properties/#cloud_storage_secret_key + # or + # https://docs.redpanda.com/current/reference/cluster-properties/#cloud_storage_azure_shared_key + configurationKey: cloud_storage_secret_key + # name: + # key + # -- DEPRECATED `configurationKey`, `name` and `key`. Please use `accessKey` and `secretKey` + # configurationKey: cloud_storage_secret_key + # name: + # key: + # + # -- Tiered Storage settings + # Requires `enterprise.licenseKey` or `enterprised.licenseSecretRef` + # For details, + # see the [Tiered Storage documentation](https://docs.redpanda.com/docs/manage/kubernetes/tiered-storage/). + config: + # -- Global flag that enables Tiered Storage if a license key is provided. + # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_enabled). + cloud_storage_enabled: false + # -- Cluster level default remote write configuration for new topics. + # See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#cloud_storage_enable_remote_write). + cloud_storage_enable_remote_write: true + # -- Cluster level default remote read configuration for new topics. + # See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#cloud_storage_enable_remote_read). + cloud_storage_enable_remote_read: true + # -- AWS or GCP region for where the bucket used for Tiered Storage is located (required for AWS and GCP). + # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_region). + cloud_storage_region: "" + # -- AWS or GCP bucket name used for Tiered Storage (required for AWS and GCP). + # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_bucket). + cloud_storage_bucket: "" + # -- AWS or GCP access key (required for AWS and GCP authentication with access keys). + # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_access_key). + cloud_storage_access_key: "" + # -- AWS or GCP secret key (required for AWS and GCP authentication with access keys). + # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_secret_key). + cloud_storage_secret_key: "" + # -- AWS or GCP API endpoint. + # * For AWS, this can be left blank as it is generated automatically using the bucket and region. For example, `.s3..amazonaws.com`. + # * For GCP, use `storage.googleapis.com` + # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_api_endpoint). + cloud_storage_api_endpoint: "" + # -- Name of the Azure container to use with Tiered Storage (required for ABS/ADLS). + # Note that the container must belong to the account specified by `cloud_storage_azure_storage_account`. + # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_azure_container). + cloud_storage_azure_container: null + # The managed identity ID to access the Azure storage account. + # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_azure_managed_identity_id). + cloud_storage_azure_managed_identity_id: null + # -- Name of the Azure storage account to use with Tiered Storage (required for ABS/ADLS). + # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_azure_storage_account). + cloud_storage_azure_storage_account: null + # -- Shared key to be used for Azure Shared Key authentication with the Azure storage account specified by `cloud_storage_azure_storage_account`. + # Note that the key should be base64 encoded. + # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_azure_shared_key). + cloud_storage_azure_shared_key: null + # -- Azure ADLS endpoint and port (required for ABS hierarchical namespaces). + # Available starting from 23.2.8. + # cloud_storage_azure_adls_endpoint: "" + # cloud_storage_azure_adls_port: "" + # -- Source of credentials used to connect to cloud services (required for AWS and GCP authentication with IAM roles). + # * `config_file` + # * `aws_instance_metadata` + # * `sts` + # * `gcp_instance_metadata` + # * `azure_aks_oidc_federation` + # * `azure_vm_instance_metadata` + # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_credentials_source). + cloud_storage_credentials_source: config_file + + # -- Maximum size of the disk cache used by Tiered Storage. + # Default is 20 GiB. + # See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#cloud_storage_cache_size). + cloud_storage_cache_size: 5368709120 + # cloud_storage_cache_directory: "" + # cloud_storage_cache_check_interval: 30000 + # cloud_storage_initial_backoff_ms: 100 + # cloud_storage_max_connections: 20 + # cloud_storage_segment_upload_timeout_ms: 30000 + # cloud_storage_manifest_upload_timeout_ms: 10000 + # cloud_storage_max_connection_idle_time_ms: 5000 + # cloud_storage_idle_timeout_ms: 10000 + # cloud_storage_segment_max_upload_interval_sec: 1 + # cloud_storage_trust_file: "" + # cloud_storage_upload_ctrl_update_interval_ms: 60000 + # cloud_storage_upload_ctrl_p_coeff: -2 + # cloud_storage_upload_ctrl_d_coeff: 0 + # cloud_storage_upload_ctrl_min_shares: 100 + # cloud_storage_upload_ctrl_max_shares: 1000 + # DEPRECATED: cloud_storage_reconciliation_interval_ms: 10000 + # cloud_storage_disable_tls: false + # cloud_storage_api_endpoint_port: 443 + # cloud_storage_idle_threshold_rps: 1 + # cloud_storage_enable_segment_merging: true + # cloud_storage_segment_size_target: # The default segment size is controlled by log_segment_size + # cloud_storage_segment_size_min: # Default is 50% of log segment size + # storage.tieredStorageHostPath has been deprecated. Use storage.tiered.hostPath and configure storage.tiered.mountType instead. + # storage.tieredStoragePersistentVolume has been deprecated. Use storage.tiered.persistentVolume and configure storage.tiered.mountType instead. + # storage.tieredConfig has been deprecated. Use storage.tiered.config instead. + +post_install_job: + enabled: true + # Resource requests and limits for the post-install batch job + # resources: + # requests: + # cpu: 1 + # memory: 512Mi + # limits: + # cpu: 2 + # memory: 1024Mi + # labels: {} + # annotations: {} + affinity: {} + + podTemplate: + # -- Additional labels to apply to the Pods of this Job. + labels: {} + # -- Additional annotations to apply to the Pods of this Job. + annotations: {} + # -- A subset of Kubernetes' PodSpec type that will be merged into the + # final PodSpec. See [Merge Semantics](#merging-semantics) for details. + spec: + securityContext: {} + containers: + - name: post-install + securityContext: {} + env: [] + +post_upgrade_job: + enabled: true + # Resource requests and limits for the post-upgrade batch job + # resources: + # requests: + # cpu: 1 + # memory: 512Mi + # limits: + # cpu: 2 + # memory: 1024Mi + # labels: {} + # annotations: {} + # Additional environment variables for the Post Upgrade Job + # extraEnv: + # - name: AWS_SECRET_ACCESS_KEY + # valueFrom: + # secretKeyRef: + # name: my-secret + # key: redpanda-aws-secret-access-key + # Additional environment variables for the Post Upgrade Job mapped from Secret or ConfigMap + # extraEnvFrom: + # - secretRef: + # name: redpanda-aws-secrets + # DEPRECATED. Please use podTemplate.securityContext + # You can set the security context as nessesary for the post-upgrade job as follows + # securityContext: + # allowPrivilegeEscalation: false + # runAsNonRoot: true + affinity: {} + # When helm upgrade is performed the post-upgrade job is scheduled before Statefulset successfully finish + # its rollout. User can extend Job default backoff limit of `6`. + # backoffLimit: + + podTemplate: + # -- Additional labels to apply to the Pods of this Job. + labels: {} + # -- Additional annotations to apply to the Pods of this Job. + annotations: {} + # -- A subset of Kubernetes' PodSpec type that will be merged into the + # final PodSpec. See [Merge Semantics](#merging-semantics) for details. + spec: + securityContext: {} + containers: + - name: post-upgrade + securityContext: {} + env: [] + +statefulset: + # -- Number of Redpanda brokers (Redpanda Data recommends setting this to the number of worker nodes in the cluster) + replicas: 3 + updateStrategy: + type: RollingUpdate + budget: + maxUnavailable: 1 + # -- DEPRECATED Please use statefulset.podTemplate.annotations. + # Annotations are used only for `Statefulset.spec.template.metadata.annotations`. The StatefulSet does not have + # any dedicated annotation. + annotations: {} + # -- Additional labels to be added to statefulset label selector. + # For example, `my.k8s.service: redpanda`. + additionalSelectorLabels: {} + podTemplate: + # -- Additional labels to apply to the Pods of the StatefulSet. + labels: {} + # -- Additional annotations to apply to the Pods of the StatefulSet. + annotations: {} + # -- A subset of Kubernetes' PodSpec type that will be merged into the + # final PodSpec. See [Merge Semantics](#merging-semantics) for details. + spec: + securityContext: {} + containers: + - name: redpanda + securityContext: {} + env: [] + # -- Adjust the period for your probes to meet your needs. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes). + startupProbe: + initialDelaySeconds: 1 + failureThreshold: 120 + periodSeconds: 10 + livenessProbe: + initialDelaySeconds: 10 + failureThreshold: 3 + periodSeconds: 10 + readinessProbe: + initialDelaySeconds: 1 + failureThreshold: 3 + periodSeconds: 10 + successThreshold: 1 + # + # StatefulSet resources: + # Resources are set through the top-level resources section above. + # It is recommended to set resource values in that section rather than here, as this will guarantee + # memory is allocated across containers, Redpanda, and the Seastar subsystem correctly. + # This automatic memory allocation is in place because Repanda and the Seastar subsystem require flags + # at startup that set the amount of memory available to each process. + # Kubernetes (mainly statefulset), Redpanda, and Seastar memory values are tightly coupled. + # Adding a resource section here will be ignored. + # + # -- Inter-Pod Affinity rules for scheduling Pods of this StatefulSet. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). + podAffinity: {} + # -- Anti-affinity rules for scheduling Pods of this StatefulSet. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity). + # You may either edit the default settings for anti-affinity rules, + # or specify new anti-affinity rules to use instead of the defaults. + podAntiAffinity: + # -- The topologyKey to be used. + # Can be used to spread across different nodes, AZs, regions etc. + topologyKey: kubernetes.io/hostname + # -- Valid anti-affinity types are `soft`, `hard`, or `custom`. + # Use `custom` if you want to supply your own anti-affinity rules in the `podAntiAffinity.custom` object. + type: hard + # -- Weight for `soft` anti-affinity rules. + # Does not apply to other anti-affinity types. + weight: 100 + # -- Change `podAntiAffinity.type` to `custom` and provide your own podAntiAffinity rules here. + custom: {} + # -- Node selection constraints for scheduling Pods of this StatefulSet. + # These constraints override the global `nodeSelector` value. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector). + nodeSelector: {} + # -- PriorityClassName given to Pods of this StatefulSet. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass). + priorityClassName: "" + # -- Taints to be tolerated by Pods of this StatefulSet. + # These tolerations override the global tolerations value. + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/). + tolerations: [] + # For details, + # see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/). + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + # -- DEPRECATED: Prefer to use podTemplate.spec.securityContext or podTemplate.spec.containers[0].securityContext. + securityContext: + fsGroup: 101 + runAsUser: 101 + fsGroupChangePolicy: OnRootMismatch + sideCars: + configWatcher: + enabled: true + # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # * Every container in the Pod must have a memory limit and a memory request. + # * For every container in the Pod, the memory limit must equal the memory request. + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + # + # To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for + # CPU resource requests and limits. This policy gives the Pods running Redpanda brokers + # access to exclusive CPUs on the node. For details, see + # https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy + resources: {} + securityContext: {} + extraVolumeMounts: |- + # Configure extra controllers to run as sidecars inside the Pods running Redpanda brokers. + # Available controllers: + # - Decommission Controller: The Decommission Controller ensures smooth scaling down operations. + # This controller is responsible for monitoring changes in the number of StatefulSet replicas and orchestrating + # the decommissioning of brokers when necessary. It also sets the reclaim policy for the decommissioned + # broker's PersistentVolume to `Retain` and deletes the corresponding PersistentVolumeClaim. + # - Node-PVC Controller: The Node-PVC Controller handles the PVCs of deleted brokers. + # By setting the PV Retain policy to retain, it facilitates the rescheduling of brokers to new, healthy nodes when + # an existing node is removed. + controllers: + image: + tag: v2.1.10-23.2.18 + repository: docker.redpanda.com/redpandadata/redpanda-operator + # You must also enable RBAC, `rbac.enabled=true`, to deploy this sidecar + enabled: false + # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + # + # To maximize efficiency, use the `static` CPU manager policy by specifying an even integer for + # CPU resource requests and limits. This policy gives the Pods running Redpanda brokers + # access to exclusive CPUs on the node. For details, see + # https://kubernetes.io/docs/tasks/administer-cluster/cpu-management-policies/#static-policy + resources: {} + securityContext: {} + healthProbeAddress: ":8085" + metricsAddress: ":9082" + run: + - all + createRBAC: true + initContainers: + fsValidator: + enabled: false + expectedFS: xfs + # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + resources: {} + extraVolumeMounts: |- + tuning: + # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + resources: {} + extraVolumeMounts: |- + setDataDirOwnership: + # -- In environments where root is not allowed, you cannot change the ownership of files and directories. + # Enable `setDataDirOwnership` when using default minikube cluster configuration. + enabled: false + # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + resources: {} + extraVolumeMounts: |- + setTieredStorageCacheDirOwnership: + # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + resources: {} + extraVolumeMounts: |- + configurator: + # -- To create `Guaranteed` Pods for Redpanda brokers, provide both requests and limits for CPU and memory. For details, see + # https://kubernetes.io/docs/tasks/configure-pod-container/quality-service-pod/#create-a-pod-that-gets-assigned-a-qos-class-of-guaranteed + # * Every container in the Pod must have a CPU limit and a CPU request. + # * For every container in the Pod, the CPU limit must equal the CPU request. + resources: {} + extraVolumeMounts: |- + ## Additional init containers + extraInitContainers: |- +# - name: "test-init-container" +# image: "mintel/docker-alpine-bash-curl-jq:latest" +# command: [ "/bin/bash", "-c" ] +# args: +# - | +# set -xe +# echo "Hello World!" + initContainerImage: + repository: busybox + tag: latest + # -- Additional flags to pass to redpanda, + additionalRedpandaCmdFlags: [] +# - --unsafe-bypass-fsync + # -- Termination grace period in seconds is time required to execute preStop hook + # which puts particular Redpanda Pod (process/container) into maintenance mode. + # Before settle down on particular value please put Redpanda under load and perform + # rolling upgrade or rolling restart. That value needs to accommodate two processes: + # * preStop hook needs to put Redpanda into maintenance mode + # * after preStop hook Redpanda needs to handle gracefully SIGTERM signal + # + # Both processes are executed sequentially where preStop hook has hard deadline in the + # middle of terminationGracePeriodSeconds. + # + # REF: + # https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution + # https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination + terminationGracePeriodSeconds: 90 + ## Additional Volumes that you mount + extraVolumes: |- + ## Additional Volume mounts for redpanda container + extraVolumeMounts: |- + +# -- Service account management. +serviceAccount: + # -- Specifies whether a service account should be created. + create: false + # -- Annotations to add to the service account. + annotations: {} + # -- The name of the service account to use. + # If not set and `serviceAccount.create` is `true`, + # a name is generated using the `redpanda.fullname` template. + name: "" + +# -- Role Based Access Control. +rbac: + # -- Enable for features that need extra privileges. + # If you use the Redpanda Operator, + # you must deploy it with the `--set rbac.createRPKBundleCRs=true` flag + # to give it the required ClusterRoles. + enabled: false + # -- Annotations to add to the `rbac` resources. + annotations: {} + +# -- Redpanda tuning settings. +# Each is set to their default values in Redpanda. +tuning: + # -- Increase the maximum number of outstanding asynchronous IO operations if the + # current value is below a certain threshold. This allows Redpanda to make as many + # simultaneous IO requests as possible, increasing throughput. + # + # When this option is enabled, Helm creates a privileged container. If your security profile does not allow this, you can disable this container by setting `tune_aio_events` to `false`. + # For more details, see the [tuning documentation](https://docs.redpanda.com/docs/deploy/deployment-option/self-hosted/kubernetes/kubernetes-tune-workers/). + tune_aio_events: true + # + # Syncs NTP + # tune_clocksource: false + # + # Creates a "ballast" file so that, if a Redpanda node runs out of space, + # you can delete the ballast file to allow the node to resume operations and then + # delete a topic or records to reduce the space used by Redpanda. + # tune_ballast_file: false + # + # The path where the ballast file will be created. + # ballast_file_path: "/var/lib/redpanda/data/ballast" + # + # The ballast file size. + # ballast_file_size: "1GiB" + # + # (Optional) The vendor, VM type and storage device type that redpanda will run on, in + # the format ::. This hints to rpk which configuration values it + # should use for the redpanda IO scheduler. + # Some valid values are "gcp:c2-standard-16:nvme", "aws:i3.xlarge:default" + # well_known_io: "" + # + # The following tuning parameters must be false in container environments and will be ignored: + # tune_network + # tune_disk_scheduler + # tune_disk_nomerges + # tune_disk_irq + # tune_fstrim + # tune_cpu + # tune_swappiness + # tune_transparent_hugepages + # tune_coredump + + +# -- Listener settings. +# +# Override global settings configured above for individual +# listeners. +# For details, +# see the [listeners documentation](https://docs.redpanda.com/docs/manage/kubernetes/networking/configure-listeners/). +listeners: + # -- Admin API listener (only one). + admin: + # -- The port for both internal and external connections to the Admin API. + port: 9644 + # -- Optional instrumentation hint - https://kubernetes.io/docs/concepts/services-networking/service/#application-protocol + # appProtocol: + # -- Optional external access settings. + external: + # -- Name of the external listener. + default: + port: 9645 + # Override the global `external.enabled` for only this listener. + # enabled: true + # -- The port advertised to this listener's external clients. + # List one port if you want to use the same port for each broker (would be the case when using NodePort service). + # Otherwise, list the port you want to use for each broker in order of StatefulSet replicas. + # If undefined, `listeners.admin.port` is used. + tls: + # enabled: true + cert: external + advertisedPorts: + - 31644 + # -- Optional TLS section (required if global TLS is enabled) + tls: + # Optional flag to override the global TLS enabled flag. + # enabled: true + # -- Name of the Certificate used for TLS (must match a Certificate name that is registered in tls.certs). + cert: default + # -- If true, the truststore file for this listener is included in the ConfigMap. + requireClientAuth: false + # -- Kafka API listeners. + kafka: + # -- The port for internal client connections. + port: 9093 + # default is "sasl" + authenticationMethod: + tls: + # Optional flag to override the global TLS enabled flag. + # enabled: true + cert: default + requireClientAuth: false + external: + default: + # enabled: true + # -- The port used for external client connections. + port: 9094 + # prefixTemplate: "" + # -- If undefined, `listeners.kafka.external.default.port` is used. + advertisedPorts: + - 31092 + tls: + # enabled: true + cert: external + # default is "sasl" + authenticationMethod: + # -- RPC listener (this is never externally accessible). + rpc: + port: 33145 + tls: + # Optional flag to override the global TLS enabled flag. + # enabled: true + cert: default + requireClientAuth: false + # -- Schema registry listeners. + schemaRegistry: + enabled: true + port: 8081 + kafkaEndpoint: default + # default is "http_basic" + authenticationMethod: + tls: + # Optional flag to override the global TLS enabled flag. + # enabled: true + cert: default + requireClientAuth: false + external: + default: + # enabled: true + port: 8084 + advertisedPorts: + - 30081 + tls: + # enabled: true + cert: external + requireClientAuth: false + # default is "http_basic" + authenticationMethod: + # -- HTTP API listeners (aka PandaProxy). + http: + enabled: true + port: 8082 + kafkaEndpoint: default + # default is "http_basic" + authenticationMethod: + tls: + # Optional flag to override the global TLS enabled flag. + # enabled: true + cert: default + requireClientAuth: false + external: + default: + # enabled: true + port: 8083 + # prefixTemplate: "" + advertisedPorts: + - 30082 + tls: + # enabled: true + cert: external + requireClientAuth: false + # default is "http_basic" + authenticationMethod: + +# Expert Config +# Here be dragons! +# +# -- This section contains various settings supported by Redpanda that may not work +# correctly in a Kubernetes cluster. Changing these settings comes with some risk. +# +# Use these settings to customize various Redpanda configurations that are not covered in other sections. +# These values have no impact on the configuration or behavior of the Kubernetes objects deployed by Helm, +# and therefore should not be modified for the purpose of configuring those objects. +# Instead, these settings get passed directly to the Redpanda binary at startup. +# For descriptions of these properties, +# see the [configuration documentation](https://docs.redpanda.com/docs/cluster-administration/configuration/). +config: + rpk: {} + # additional_start_flags: # List of flags to pass to rpk, e.g., ` "--idle-poll-time-us=0"` + cluster: + default_topic_replications: 3 # Default replication factor for new topics + # There is logic in the chart that will set this to 1 if there are fewer than 3 statefulset.replicas + # auto_create_topics_enabled: true # Allow topic auto creation + # transaction_coordinator_replication: 1 # Replication factor for a transaction coordinator topic + # id_allocator_replication: 1 # Replication factor for an ID allocator topic + # default_topic_partitions: 1 # Default number of partitions per topic + # disable_metrics: false # Disable registering metrics + # enable_coproc: false # Enable coprocessing mode + # enable_idempotence: false # Enable idempotent producer + # enable_pid_file: true # Enable pid file; You probably don't want to change this + # enable_transactions: false # Enable transactions + # group_max_session_timeout_ms: 300s # The maximum allowed session timeout for registered consumers; Longer timeouts give consumers more time to process messages in between heartbeats at the cost of a longer time to detect failures; Default quota tracking window size in milliseconds + # group_min_session_timeout_ms: Optional # The minimum allowed session timeout for registered consumers; Shorter timeouts result in quicker failure detection at the cost of more frequent consumer heartbeating + # kafka_group_recovery_timeout_ms: 30000ms # Kafka group recovery timeout expressed in milliseconds + # kafka_qdc_enable: false # Enable kafka queue depth control + # kafka_qdc_max_latency_ms: 80ms # Max latency threshold for kafka queue depth control depth tracking + # log_cleanup_policy: deletion # Default topic cleanup policy + # log_compaction_interval_ms: 5min # How often do we trigger background compaction + # log_compression_type: producer # Default topic compression type + # log_message_timestamp_type: create_time # Default topic messages timestamp type + # retention_bytes: None # max bytes per partition on disk before triggering a compaction + # rm_sync_timeout_ms: 2000ms + # rm_violation_recovery_policy: crash # Describes how to recover from an invariant violation happened on the partition level + # target_quota_byte_rate: 2GB # Target quota byte rate in bytes per second + # tm_sync_timeout_ms: 2000ms # Time to wait state catch up before rejecting a request + # tm_violation_recovery_policy: crash # Describes how to recover from an invariant violation happened on the transaction coordinator level + # transactional_id_expiration_ms: 10080min # Producer ids are expired once this time has elapsed after the last write with the given producer ID + # -- Tunable cluster properties. + tunable: + # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#log_segment_size). + log_segment_size: 134217728 # 128 mb + # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#log_segment_size_min). + log_segment_size_min: 16777216 # 16 mb + # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#log_segment_size_max). + log_segment_size_max: 268435456 # 256 mb + # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#kafka_batch_max_bytes). + kafka_batch_max_bytes: 1048576 # 1 mb + # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#topic_partitions_per_shard). + topic_partitions_per_shard: 1000 + # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#compacted_log_segment_size). + compacted_log_segment_size: 67108864 # 64 mb + # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#max_compacted_log_segment_size). + max_compacted_log_segment_size: 536870912 # 512 mb + # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/cluster-properties/#kafka_connection_rate_limit). + kafka_connection_rate_limit: 1000 + # -- See the [property reference documentation](https://docs.redpanda.com/docs/reference/tunable-properties/#group_topic_partitions). + group_topic_partitions: 16 + # cloud_storage_enable_remote_read: true # cluster wide configuration for read from remote cloud storage + # cloud_storage_enable_remote_write: true # cluster wide configuration for writing to remote cloud storage + + # alter_topic_cfg_timeout_ms: 5s # Time to wait for entries replication in controller log when executing alter configuration request + # compacted_log_segment_size: 256MiB # How large in bytes should each compacted log segment be (default 256MiB) + # controller_backend_housekeeping_interval_ms: 1s # Interval between iterations of controller backend housekeeping loop + # coproc_max_batch_size: 32kb # Maximum amount of bytes to read from one topic read + # coproc_max_inflight_bytes: 10MB # Maximum amountt of inflight bytes when sending data to wasm engine + # coproc_max_ingest_bytes: 640kb # Maximum amount of data to hold from input logs in memory + # coproc_offset_flush_interval_ms: 300000ms # Interval for which all coprocessor offsets are flushed to disk + # create_topic_timeout_ms: 2000ms # Timeout (ms) to wait for new topic creation + # default_num_windows: 10 # Default number of quota tracking windows + # default_window_sec: 1000ms # Default quota tracking window size in milliseconds + # log_retention_ms: 6.048e+8 # delete segments older than this (default 1 week) + # disable_batch_cache: false # Disable batch cache in log manager + # fetch_reads_debounce_timeout: 1ms # Time to wait for next read in fetch request when requested min bytes wasn't reached + # fetch_session_eviction_timeout_ms: 60s # Minimum time before which unused session will get evicted from sessions; Maximum time after which inactive session will be deleted is two time given configuration valuecache + # group_initial_rebalance_delay: 300 # Extra delay (ms) added to rebalance phase to wait for new members + # group_new_member_join_timeout: 30000ms # Timeout for new member joins + # group_topic_partitions: 1 # Number of partitions in the internal group membership topic + # id_allocator_batch_size: 1000 # ID allocator allocates messages in batches (each batch is a one log record) and then serves requests from memory without touching the log until the batch is exhausted + # id_allocator_log_capacity: 100 # Capacity of the id_allocator log in number of messages; Once it reached id_allocator_stm should compact the log + # join_retry_timeout_ms: 5s # Time between cluster join retries in milliseconds + # kafka_qdc_idle_depth: 10 # Queue depth when idleness is detected in kafka queue depth control + # kafka_qdc_latency_alpha: 0.002 # Smoothing parameter for kafka queue depth control latency tracking + # kafka_qdc_max_depth: 100 # Maximum queue depth used in kafka queue depth control + # kafka_qdc_min_depth: 1 # Minimum queue depth used in kafka queue depth control + # kafka_qdc_window_count: 12 # Number of windows used in kafka queue depth control latency tracking + # kafka_qdc_window_size_ms: 1500ms # Window size for kafka queue depth control latency tracking + # kvstore_flush_interval: 10ms # Key-value store flush interval (ms) + # kvstore_max_segment_size: 16MB # Key-value maximum segment size (bytes) + # log_segment_size: 1GB # How large in bytes should each log segment be (default 1G) + # max_compacted_log_segment_size: 5GB # Max compacted segment size after consolidation + # max_kafka_throttle_delay_ms: 60000ms # Fail-safe maximum throttle delay on kafka requests + # metadata_dissemination_interval_ms: 3000ms # Interaval for metadata dissemination batching + # metadata_dissemination_retries: 10 # Number of attempts of looking up a topic's meta data like shard before failing a request + # metadata_dissemination_retry_delay_ms: 500ms # Delay before retry a topic lookup in a shard or other meta tables + # quota_manager_gc_sec: 30000ms # Quota manager GC frequency in milliseconds + # raft_learner_recovery_rate: 104857600 # Raft learner recovery rate in bytes per second + # raft_heartbeat_disconnect_failures: 3 # After how many failed heartbeats to forcibly close an unresponsive TCP connection. Set to 0 to disable force disconnection. + # raft_heartbeat_interval_ms: 150 # The interval in ms between raft leader heartbeats. + # raft_heartbeat_timeout_ms: 3000 # Raft heartbeat RPC timeout. + # raft_io_timeout_ms: 10000 # Raft I/O timeout. + # raft_max_concurrent_append_requests_per_follower: 16 # Maximum number of concurrent append entries requests sent by leader to one follower. + # raft_max_recovery_memory: 33554432 # Maximum memory that can be used for reads in the raft recovery process. + # raft_recovery_default_read_size: 524288 # Default size of read issued during raft follower recovery. + # raft_replicate_batch_window_size: 1048576 # Maximum size of requests cached for replication. + # raft_smp_max_non_local_requests: # Maximum number of x-core requests pending in Raft seastar::smp group. (for more details look at seastar::smp_service_group documentation). + # raft_timeout_now_timeout_ms: 1000 # Timeout for a timeout now request. + # raft_transfer_leader_recovery_timeout_ms: 1000 # Timeout waiting for follower recovery when transferring leadership. + # raft_election_timeout_ms: 1500ms # Election timeout expressed in milliseconds TBD - election_time_out + # readers_cache_eviction_timeout_ms: 30s # Duration after which inactive readers will be evicted from cache + # reclaim_growth_window: 3000ms # Length of time in which reclaim sizes grow + # reclaim_max_size: 4MB # Maximum batch cache reclaim size + # reclaim_min_size: 128KB # Minimum batch cache reclaim size + # reclaim_stable_window: 10000ms # Length of time above which growth is reset + # recovery_append_timeout_ms: 5s # Timeout for append entries requests issued while updating stale follower + # release_cache_on_segment_roll: false # Free cache when segments roll + # replicate_append_timeout_ms: 3s # Timeout for append entries requests issued while replicating entries + # segment_appender_flush_timeout_ms: 1ms # Maximum delay until buffered data is written + # wait_for_leader_timeout_ms: 5000ms # Timeout (ms) to wait for leadership in metadata cache + # -- Node (broker) properties. + # See the [property reference documentation](https://docs.redpanda.com/docs/reference/node-properties/). + node: + # -- Crash loop limit + # A limit on the number of consecutive times a broker can crash within one hour before its crash-tracking logic is reset. + # This limit prevents a broker from getting stuck in an infinite cycle of crashes. + # User can disable this crash loop limit check by the following action: + # + # * One hour elapses since the last crash + # * The node configuration file, redpanda.yaml, is updated via config.cluster or config.node or config.tunable objects + # * The startup_log file in the node’s data_directory is manually deleted + # + # Default to 5 + # REF: https://docs.redpanda.com/current/reference/node-properties/#crash_loop_limit + crash_loop_limit: 5 + # node_id: # Unique ID identifying a node in the cluster + # data_directory: # Place where redpanda will keep the data + # admin_api_doc_dir: /usr/share/redpanda/admin-api-doc # Admin API doc directory + # api_doc_dir: /usr/share/redpanda/proxy-api-doc # API doc directory + # coproc_supervisor_server: 127.0.0.1:43189 # IpAddress and port for supervisor service + # dashboard_dir: None # serve http dashboard on / url + # developer_mode: true # Skips most of the checks performed at startup + # recovery_mode_enabled: false # Sets recovery mode of a cluster + + # Reference schema registry client https://docs.redpanda.com/current/reference/node-configuration-sample/ + schema_registry_client: {} + # # Number of times to retry a request to a broker + # # Default: 5 + # retries: 5 + # + # # Delay (in milliseconds) for initial retry backoff + # # Default: 100ms + # retry_base_backoff_ms: 100 + # + # # Number of records to batch before sending to broker + # # Default: 1000 + # produce_batch_record_count: 1000 + # + # # Number of bytes to batch before sending to broker + # # Defautl 1MiB + # produce_batch_size_bytes: 1048576 + # + # # Delay (in milliseconds) to wait before sending batch + # # Default: 100ms + # produce_batch_delay_ms: 100 + # + # # Interval (in milliseconds) for consumer request timeout + # # Default: 100ms + # consumer_request_timeout_ms: 100 + # + # # Max bytes to fetch per request + # # Default: 1MiB + # consumer_request_max_bytes: 1048576 + # + # # Timeout (in milliseconds) for consumer session + # # Default: 10s + # consumer_session_timeout_ms: 10000 + # + # # Timeout (in milliseconds) for consumer rebalance + # # Default: 2s + # consumer_rebalance_timeout_ms: 2000 + # + # # Interval (in milliseconds) for consumer heartbeats + # # Default: 500ms + # consumer_heartbeat_interval_ms: 500 + + # Reference panda proxy client https://docs.redpanda.com/current/reference/node-configuration-sample/ + pandaproxy_client: {} + # # Number of times to retry a request to a broker + # # Default: 5 + # retries: 5 + # + # # Delay (in milliseconds) for initial retry backoff + # # Default: 100ms + # retry_base_backoff_ms: 100 + # + # # Number of records to batch before sending to broker + # # Default: 1000 + # produce_batch_record_count: 1000 + # + # # Number of bytes to batch before sending to broker + # # Defautl 1MiB + # produce_batch_size_bytes: 1048576 + # + # # Delay (in milliseconds) to wait before sending batch + # # Default: 100ms + # produce_batch_delay_ms: 100 + # + # # Interval (in milliseconds) for consumer request timeout + # # Default: 100ms + # consumer_request_timeout_ms: 100 + # + # # Max bytes to fetch per request + # # Default: 1MiB + # consumer_request_max_bytes: 1048576 + # + # # Timeout (in milliseconds) for consumer session + # # Default: 10s + # consumer_session_timeout_ms: 10000 + # + # # Timeout (in milliseconds) for consumer rebalance + # # Default: 2s + # consumer_rebalance_timeout_ms: 2000 + # + # # Interval (in milliseconds) for consumer heartbeats + # # Default: 500ms + # consumer_heartbeat_interval_ms: 500 + + # Invalid properties + # Any of these properties will be ignored. These otherwise valid properties are not allowed + # to be used in this section since they impact deploying Redpanda in Kubernetes. + # Make use of the above sections to modify these values instead (see comments below). + # admin: "127.0.0.1:9644" # Address and port of admin server: use listeners.admin + # admin_api_tls: validate_many # TLS configuration for admin HTTP server: use listeners.admin.tls + # advertised_kafka_api: None # Address of Kafka API published to the clients + # advertised_pandaproxy_api: None # Rest API address and port to publish to client + # advertised_rpc_api: None # Address of RPC endpoint published to other cluster members + # enable_admin_api: true # Enable the admin API + # enable_sasl: false # Enable SASL authentication for Kafka connections + # kafka_api: "127.0.0.1:9092" # Address and port of an interface to listen for Kafka API requests + # kafka_api_tls: None # TLS configuration for Kafka API endpoint + # pandaproxy_api: "0.0.0.0:8082" # Rest API listen address and port + # pandaproxy_api_tls: validate_many # TLS configuration for Pandaproxy api + # rpc_server: "127.0.0.1:33145" # IP address and port for RPC server + # rpc_server_tls: validate # TLS configuration for RPC server + # superusers: None # List of superuser usernames + +tests: + enabled: true diff --git a/index.yaml b/index.yaml index 5c1901ae2..0968c0cc4 100644 --- a/index.yaml +++ b/index.yaml @@ -20446,6 +20446,31 @@ entries: - assets/clastix/kamaji-console-0.0.4.tgz version: 0.0.4 kong: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Kong Gateway + catalog.cattle.io/release-name: kong + apiVersion: v2 + appVersion: "3.6" + created: "2024-08-30T00:51:01.97835777Z" + dependencies: + - condition: postgresql.enabled + name: postgresql + repository: file://./charts/postgresql + version: 11.9.13 + description: The Cloud-Native Ingress and API-management + digest: d96bd5f8e5d914ae8552ae6cb7c667203e6bde1b587e9a70635b738dc29fdd32 + home: https://konghq.com/ + icon: file://assets/icons/kong.png + maintainers: + - email: team-k8s@konghq.com + name: team-k8s-bot + name: kong + sources: + - https://github.com/Kong/charts/tree/main/charts/kong + urls: + - assets/kong/kong-2.41.0.tgz + version: 2.41.0 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Kong Gateway @@ -22260,6 +22285,38 @@ entries: catalog.cattle.io/kube-version: '>=1.22.0-0' catalog.cattle.io/release-name: linkerd-control-plane apiVersion: v2 + appVersion: edge-24.8.3 + created: "2024-08-30T00:51:02.41787433Z" + dependencies: + - name: partials + repository: file://./charts/partials + version: 0.1.0 + description: 'Linkerd gives you observability, reliability, and security for your + microservices — with no code change required. ' + digest: 53da2413df66c421f9ae6920f7d0084e368a53d3643173bfec0b2bdf5e6329b3 + home: https://linkerd.io + icon: file://assets/icons/linkerd-control-plane.png + keywords: + - service-mesh + kubeVersion: '>=1.22.0-0' + maintainers: + - email: cncf-linkerd-dev@lists.cncf.io + name: Linkerd authors + url: https://linkerd.io/ + name: linkerd-control-plane + sources: + - https://github.com/linkerd/linkerd2/ + type: application + urls: + - assets/linkerd/linkerd-control-plane-2024.8.3.tgz + version: 2024.8.3 + - annotations: + catalog.cattle.io/auto-install: linkerd-crds + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Linkerd Control Plane + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: linkerd-control-plane + apiVersion: v2 appVersion: edge-24.8.2 created: "2024-08-06T00:47:28.460808141Z" dependencies: @@ -22268,7 +22325,7 @@ entries: version: 0.1.0 description: 'Linkerd gives you observability, reliability, and security for your microservices — with no code change required. ' - digest: aaceb46fcf80aec619f10928f59b6280814875026753d67150d78096942d06c8 + digest: 51fad32307295b2f21fb6ce35289feb7ec00747546a6f441c59728ff89856386 home: https://linkerd.io icon: file://assets/icons/linkerd-control-plane.png keywords: @@ -23331,6 +23388,36 @@ entries: - assets/linkerd/linkerd-control-plane-1.12.5.tgz version: 1.12.5 linkerd-crds: + - annotations: + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Linkerd CRDs + catalog.cattle.io/kube-version: '>=1.22.0-0' + catalog.cattle.io/release-name: linkerd-crds + apiVersion: v2 + created: "2024-08-30T00:51:02.494226658Z" + dependencies: + - name: partials + repository: file://./charts/partials + version: 0.1.0 + description: 'Linkerd gives you observability, reliability, and security for your + microservices — with no code change required. ' + digest: 4a74e800e283c245fea722193cb3c661fb861e30a3fdcbfdbcaaf1167c0fb5cc + home: https://linkerd.io + icon: file://assets/icons/linkerd-crds.png + keywords: + - service-mesh + kubeVersion: '>=1.22.0-0' + maintainers: + - email: cncf-linkerd-dev@lists.cncf.io + name: Linkerd authors + url: https://linkerd.io/ + name: linkerd-crds + sources: + - https://github.com/linkerd/linkerd2/ + type: application + urls: + - assets/linkerd/linkerd-crds-2024.8.3.tgz + version: 2024.8.3 - annotations: catalog.cattle.io/certified: partner catalog.cattle.io/display-name: Linkerd CRDs @@ -24689,6 +24776,54 @@ entries: - assets/loft/loft-3.2.0.tgz version: 3.2.0 microgateway: + - annotations: + artifacthub.io/category: security + artifacthub.io/license: MIT + artifacthub.io/links: | + - name: Airlock Microgateway Documentation + url: https://docs.airlock.com/microgateway/4.3/ + - name: Airlock Microgateway Labs + url: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=artifacthub.io + - name: Airlock Microgateway Forum + url: https://forum.airlock.com/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Airlock Microgateway + catalog.cattle.io/kube-version: '>=1.25.0-0' + catalog.cattle.io/release-name: microgateway + charts.openshift.io/name: Airlock Microgateway + apiVersion: v2 + appVersion: 4.3.2 + created: "2024-08-30T00:50:59.329077791Z" + description: A Helm chart for deploying the Airlock Microgateway + digest: 6bda6fb8aa8e93db14d560587e6856a489a9133205fc4f5c2b29ec9ecf7f11e7 + home: https://www.airlock.com/en/microgateway + icon: file://assets/icons/microgateway.svg + keywords: + - WAF + - Web Application Firewall + - WAAP + - Web Application and API protection + - OWASP + - Airlock + - Microgateway + - Security + - Filtering + - DevSecOps + - shift left + - control plane + - Operator + kubeVersion: '>=1.25.0-0' + maintainers: + - email: support@airlock.com + name: Airlock + url: https://www.airlock.com/ + name: microgateway + sources: + - https://github.com/airlock/microgateway + type: application + urls: + - assets/airlock/microgateway-4.3.2.tgz + version: 4.3.2 - annotations: artifacthub.io/category: security artifacthub.io/license: MIT @@ -24834,6 +24969,53 @@ entries: - assets/airlock/microgateway-4.2.3.tgz version: 4.2.3 microgateway-cni: + - annotations: + artifacthub.io/category: security + artifacthub.io/license: MIT + artifacthub.io/links: | + - name: Airlock Microgateway Documentation + url: https://docs.airlock.com/microgateway/4.3/ + - name: Airlock Microgateway Labs + url: https://play.instruqt.com/airlock/invite/hyi9fy4b4jzc?icp_referrer=artifacthub.io + - name: Airlock Microgateway Forum + url: https://forum.airlock.com/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Airlock Microgateway CNI + catalog.cattle.io/kube-version: '>=1.25.0-0' + catalog.cattle.io/release-name: microgateway-cni + charts.openshift.io/name: Airlock Microgateway CNI + apiVersion: v2 + appVersion: 4.3.2 + created: "2024-08-30T00:50:59.331502562Z" + description: A Helm chart for deploying the Airlock Microgateway CNI plugin + digest: 4806a5cceba0dd17e41699f27d04b73689adfa5e074c71e100231da8a947106b + home: https://www.airlock.com/en/microgateway + icon: file://assets/icons/microgateway-cni.svg + keywords: + - WAF + - Web Application Firewall + - WAAP + - Web Application and API protection + - OWASP + - Airlock + - Microgateway + - Security + - Filtering + - DevSecOps + - shift left + - CNI + kubeVersion: '>=1.25.0-0' + maintainers: + - email: support@airlock.com + name: Airlock + url: https://www.airlock.com/ + name: microgateway-cni + sources: + - https://github.com/airlock/microgateway + type: application + urls: + - assets/airlock/microgateway-cni-4.3.2.tgz + version: 4.3.2 - annotations: artifacthub.io/category: security artifacthub.io/license: MIT @@ -31395,6 +31577,50 @@ entries: - assets/quobyte/quobyte-cluster-0.1.8.tgz version: 0.1.8 redpanda: + - annotations: + artifacthub.io/images: | + - name: redpanda + image: docker.redpanda.com/redpandadata/redpanda:v24.2.3 + - name: busybox + image: busybox:latest + - name: mintel/docker-alpine-bash-curl-jq + image: mintel/docker-alpine-bash-curl-jq:latest + artifacthub.io/license: Apache-2.0 + artifacthub.io/links: | + - name: Documentation + url: https://docs.redpanda.com + - name: "Helm (>= 3.10.0)" + url: https://helm.sh/docs/intro/install/ + catalog.cattle.io/certified: partner + catalog.cattle.io/display-name: Redpanda + catalog.cattle.io/kube-version: '>=1.21-0' + catalog.cattle.io/release-name: redpanda + apiVersion: v2 + appVersion: v24.2.3 + created: "2024-08-30T00:51:03.840842012Z" + dependencies: + - condition: console.enabled + name: console + repository: file://./charts/console + version: '>=0.5 <1.0' + - condition: connectors.enabled + name: connectors + repository: file://./charts/connectors + version: '>=0.1.2 <1.0' + description: Redpanda is the real-time engine for modern apps. + digest: 53b504cc03601a9967dbfdbdb37cf9fb33f8d995c2f18220ac5cf463b2268866 + icon: file://assets/icons/redpanda.svg + kubeVersion: '>=1.21-0' + maintainers: + - name: redpanda-data + url: https://github.com/orgs/redpanda-data/people + name: redpanda + sources: + - https://github.com/redpanda-data/helm-charts + type: application + urls: + - assets/redpanda/redpanda-5.9.2.tgz + version: 5.9.2 - annotations: artifacthub.io/images: | - name: redpanda @@ -40898,4 +41124,4 @@ entries: urls: - assets/netfoundry/ziti-host-1.5.1.tgz version: 1.5.1 -generated: "2024-08-29T00:50:30.107476326Z" +generated: "2024-08-30T00:50:59.320900655Z"