Merge pull request #323 from samuelattwood/main

Release Partner Charts
pull/326/head
Samuel Attwood 2022-01-24 13:36:35 -05:00 committed by GitHub
commit ceb9934500
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
50 changed files with 7780 additions and 0 deletions

Binary file not shown.

Binary file not shown.


@ -0,0 +1,21 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*~
# Various IDEs
.project
.idea/
*.tmproj


@ -0,0 +1,17 @@
annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: NeuVector
catalog.cattle.io/release-name: neuvector
apiVersion: v1
appVersion: 4.4.3
description: Helm chart for NeuVector's core services
home: https://neuvector.com
icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
keywords:
- security
kubeVersion: '>=1.13.0-0'
maintainers:
- email: support@neuvector.com
name: becitsthere
name: neuvector
version: 1.8.90000
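Review bot: `kubeVersion: '>=1.13.0-0'` conflicts with the README added in this same PR, which lists "Kubernetes 1.7+" as a requirement, and with the templates, which still carry `extensions/v1beta1`, `apiVersion: v1` and `authorization.openshift.io/v1` branches for clusters older than 1.8/1.9 that this constraint can never select. Either align the README with the constraint and drop the dead branches, or lower the constraint if pre-1.13 clusters are really supported.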


@ -0,0 +1,191 @@
# NeuVector Helm Chart
Helm chart for NeuVector container security's core services.
## Preparation if using Helm 2
- Kubernetes 1.7+
- Helm installed and Tiller pod is running
- Cluster role `cluster-admin` available, check by:
```console
$ kubectl get clusterrole cluster-admin
```
If nothing returned, then add the `cluster-admin`:
cluster-admin.yaml
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cluster-admin
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- '*'
- nonResourceURLs:
- '*'
verbs:
- '*'
```
```console
$ kubectl create -f cluster-admin.yaml
```
- If you have not created a service account for tiller, and give it admin abilities on the cluster:
```console
$ kubectl create serviceaccount --namespace kube-system tiller
$ kubectl create clusterrolebinding tiller-cluster-rule --clusterrole=cluster-admin --serviceaccount=kube-system:tiller
$ kubectl patch deployment tiller-deploy -p '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}' -n kube-system
```
## CRD
Because the CRD (Custom Resource Definition) policies can be deployed before NeuVector's core product, a new 'crd' helm chart is created. The crd template in the 'core' chart is kept for the backward compatibility. Please set 'crdwebhook.enabled' to false, if you use the new 'crd' chart.
## Configuration
The following table lists the configurable parameters of the NeuVector chart and their default values.
Parameter | Description | Default | Notes
--------- | ----------- | ------- | -----
`openshift` | If deploying in OpenShift, set this to true | `false` |
`registry` | NeuVector container registry | `registry.neuvector.com` |
`tag` | image tag for controller enforcer manager | `latest` |
`oem` | OEM release name | `nil` |
`imagePullSecrets` | image pull secret | `nil` |
`psp` | NeuVector Pod Security Policy when psp policy is enabled | `false` |
`serviceAccount` | Service account name for NeuVector components | `default` |
`controller.enabled` | If true, create controller | `true` |
`controller.image.repository` | controller image repository | `neuvector/controller` |
`controller.replicas` | controller replicas | `3` |
`controller.schedulerName` | kubernetes scheduler name | `nil` |
`controller.affinity` | controller affinity rules | ... | spread controllers to different nodes |
`controller.tolerations` | List of node taints to tolerate | `nil` |
`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](values.yaml)
`controller.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
`controller.disruptionbudget` | controller PodDisruptionBudget. 0 to disable. Recommended value: 2. | `0` |
`controller.priorityClassName` | controller priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
`controller.env` | User-defined environment variables for controller. | `[]` |
`controller.pvc.enabled` | If true, enable persistence for controller using PVC | `false` | Require persistent volume type RWX, and storage 1Gi
`controller.pvc.storageClass` | Storage Class to be used | `default` |
`controller.pvc.capacity` | Storage capacity | `1Gi` |
`controller.azureFileShare.enabled` | If true, enable the usage of an existing or statically provisioned Azure File Share | `false` |
`controller.azureFileShare.secretName` | The name of the secret containing the Azure file share storage account name and key | `nil` |
`controller.azureFileShare.shareName` | The name of the Azure file share to use | `nil` |
`controller.apisvc.type` | Controller REST API service type | `nil` |
`controller.apisvc.annotations` | Add annotations to controller REST API service | `{}` |
`controller.apisvc.route.enabled` | If true, create a OpenShift route to expose the Controller REST API service | `false` |
`controller.apisvc.route.termination` | Specify TLS termination for OpenShift route for Controller REST API service. Possible passthrough, edge, reencrypt | `passthrough` |
`controller.apisvc.route.host` | Set controller REST API service hostname | `nil` |
`controller.certificate.secret` | Replace controller REST API certificate using secret if secret name is specified | `nil` |
`controller.certificate.keyFile` | Replace controller REST API certificate key file | `tls.key` |
`controller.certificate.pemFile` | Replace controller REST API certificate pem file | `tls.pem` |
`controller.federation.mastersvc.type` | Multi-cluster primary cluster service type. If specified, the deployment will be used to manage other clusters. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` |
`controller.federation.mastersvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster primary cluster service | `false` |
`controller.federation.mastersvc.route.host` | Set OpenShift route host for primary cluster service | `nil` |
`controller.federation.mastersvc.route.termination` | Specify TLS termination for OpenShift route for Multi-cluster primary cluster service. Possible passthrough, edge, reencrypt | `passthrough` |
`controller.federation.mastersvc.ingress.enabled` | If true, create ingress for federation master service, must also set ingress host value | `false` | enable this if ingress controller is installed
`controller.federation.mastersvc.ingress.tls` | If true, TLS is enabled for controller federation master ingress service |`false` | If set, the tls-host used is the one set with `controller.federation.mastersvc.ingress.host`.
`controller.federation.mastersvc.ingress.host` | Must set this host value if ingress is enabled | `nil` |
`controller.federation.mastersvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
`controller.federation.mastersvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations.
`controller.federation.mastersvc.ingress.annotations` | Add annotations to ingress to influence behavior | `ingress.kubernetes.io/protocol: https ingress.kubernetes.io/rewrite-target: /` | see examples in [values.yaml](values.yaml)
`controller.federation.managedsvc.type` | Multi-cluster managed cluster service type. If specified, the deployment will be managed by the managed clsuter. Possible values include NodePort, LoadBalancer and ClusterIP. | `nil` |
`controller.federation.managedsvc.route.enabled` | If true, create a OpenShift route to expose the Multi-cluster managed cluster service | `false` |
`controller.federation.managedsvc.route.host` | Set OpenShift route host for manageed service | `nil` |
`controller.federation.managedsvc.route.termination` | Specify TLS termination for OpenShift route for Multi-cluster managed cluster service. Possible passthrough, edge, reencrypt | `passthrough` |
`controller.federation.managedsvc.ingress.enabled` | If true, create ingress for federation managed service, must also set ingress host value | `false` | enable this if ingress controller is installed
`controller.federation.managedsvc.ingress.tls` | If true, TLS is enabled for controller federation managed ingress service |`false` | If set, the tls-host used is the one set with `controller.federation.managedsvc.ingress.host`.
`controller.federation.managedsvc.ingress.host` | Must set this host value if ingress is enabled | `nil` |
`controller.federation.managedsvc.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
`controller.federation.managedsvc.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations.
`controller.federation.managedsvc.ingress.annotations` | Add annotations to ingress to influence behavior | `ingress.kubernetes.io/protocol: https ingress.kubernetes.io/rewrite-target: /` | see examples in [values.yaml](values.yaml)
`controller.ingress.enabled` | If true, create ingress for rest api, must also set ingress host value | `false` | enable this if ingress controller is installed
`controller.ingress.tls` | If true, TLS is enabled for controller rest api ingress service |`false` | If set, the tls-host used is the one set with `controller.ingress.host`.
`controller.ingress.host` | Must set this host value if ingress is enabled | `nil` |
`controller.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
`controller.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations.
`controller.ingress.annotations` | Add annotations to ingress to influence behavior | `ingress.kubernetes.io/protocol: https ingress.kubernetes.io/rewrite-target: /` | see examples in [values.yaml](values.yaml)
`controller.configmap.enabled` | If true, configure NeuVector global settings using a ConfigMap | `false`
`controller.configmap.data` | NeuVector configuration in YAML format | `{}`
`controller.secret.enabled` | If true, configure NeuVector global settings using secrets | `false`
`controller.secret.data` | NeuVector configuration in key/value pair format | `{}`
`enforcer.enabled` | If true, create enforcer | `true` |
`enforcer.image.repository` | enforcer image repository | `neuvector/enforcer` |
`enforcer.priorityClassName` | enforcer priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
`enforcer.tolerations` | List of node taints to tolerate | `- effect: NoSchedule`<br>`key: node-role.kubernetes.io/master` | other taints can be added after the default
`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](values.yaml)
`manager.enabled` | If true, create manager | `true` |
`manager.image.repository` | manager image repository | `neuvector/manager` |
`manager.priorityClassName` | manager priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
`manager.env.ssl` | If false, manager will listen on HTTP access instead of HTTPS | `true` |
`manager.svc.type` | set manager service type for native Kubernetes | `NodePort`;<br>if it is OpenShift platform or ingress is enabled, then default is `ClusterIP` | set to LoadBalancer if using cloud providers, such as Azure, Amazon, Google
`manager.svc.loadBalancerIP` | if manager service type is LoadBalancer, this is used to specify the load balancer's IP | `nil` |
`manager.svc.annotations` | Add annotations to manager service | `{}` | see examples in [values.yaml](values.yaml)
`manager.route.enabled` | If true, create a OpenShift route to expose the management consol service | `true` |
`manager.route.host` | Set OpenShift route host for management consol service | `nil` |
`manager.route.termination` | Specify TLS termination for OpenShift route for management consol service. Possible passthrough, edge, reencrypt | `passthrough` |
`manager.certificate.secret` | Replace manager UI certificate using secret if secret name is specified | `nil` |
`manager.certificate.keyFile` | Replace manager UI certificate key file | `tls.key` |
`manager.certificate.pemFile` | Replace manager UI certificate pem file | `tls.pem` |
`manager.ingress.enabled` | If true, create ingress, must also set ingress host value | `false` | enable this if ingress controller is installed
`manager.ingress.host` | Must set this host value if ingress is enabled | `nil` |
`manager.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations. Currently only supports `/`
`manager.ingress.annotations` | Add annotations to ingress to influence behavior | `{}` | see examples in [values.yaml](values.yaml)
`manager.ingress.tls` | If true, TLS is enabled for manager ingress service |`false` | If set, the tls-host used is the one set with `manager.ingress.host`.
`manager.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](values.yaml)
`manager.affinity` | manager affinity rules | `{}` |
`manager.tolerations` | List of node taints to tolerate | `nil` |
`manager.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
`cve.updater.enabled` | If true, create cve updater | `true` |
`cve.updater.secure` | If ture, API server's certificate is validated | `false` |
`cve.updater.image.repository` | cve updater image repository | `neuvector/updater` |
`cve.updater.image.tag` | image tag for cve updater | `latest` |
`cve.updater.priorityClassName` | cve updater priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
`cve.updater.schedule` | cronjob cve updater schedule | `0 0 * * *` |
`cve.scanner.enabled` | If true, external scanners will be deployed | `true` |
`cve.scanner.image.repository` | external scanner image repository | `neuvector/scanner` |
`cve.scanner.image.tag` | external scanner image tag | `latest` |
`cve.scanner.priorityClassName` | cve scanner priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
`cve.scanner.replicas` | external scanner replicas | `3` |
`cve.scanner.dockerPath` | the remote docker socket if CI/CD integration need scan images before they are pushed to the registry | `nil` |
`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](values.yaml) |
`cve.scanner.affinity` | scanner affinity rules | `{}` |
`cve.scanner.tolerations` | List of node taints to tolerate | `nil` |
`cve.scanner.nodeSelector` | Enable and specify nodeSelector labels | `{}` |
`docker.path` | docker path | `/var/run/docker.sock` |
`containerd.enabled` | Set to true, if the container runtime is containerd | `false` |
`containerd.path` | If containerd is enabled, this local containerd socket path will be used | `/var/run/containerd/containerd.sock` |
`crio.enabled` | Set to true, if the container runtime is cri-o | `false` |
`crio.path` | If cri-o is enabled, this local cri-o socket path will be used | `/var/run/crio/crio.sock` |
`k3s.enabled` | Set to true for k3s | `false` |
`k3s.runtimePath` | If k3s is enabled, this local containerd socket path will be used | `/run/k3s/containerd/containerd.sock` |
`bottlerocket.enabled` | Set to true if using AWS bottlerocket | `false` |
`bottlerocket.runtimePath` | If bottlerocket is enabled, this local containerd socket path will be used | `/run/dockershim.sock` |
`admissionwebhook.type` | admission webhook type | `ClusterIP` |
`crdwebhook.enabled` | Enable crd service and create crd related resources | `true` |
`crdwebhook.type` | crd webhook type | `ClusterIP` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```console
$ helm install my-release --namespace neuvector ./neuvector-helm/ --set manager.env.ssl=off
```
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
```console
$ helm install my-release --namespace neuvector ./neuvector-helm/ -f values.yaml
```
---
Contact <support@neuvector.com> for access to container registry and docs.
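Review bot: `cve.updater.secure` defaults to `false`, which by its own description means the updater does not validate the API server's certificate out of the box; a secure default (`true`) with an explicit opt-out, or at least a Notes entry explaining the trade-off, would be better. The install example `--set manager.env.ssl=off` conflicts with the table, which documents `manager.env.ssl` as a boolean defaulting to `true`; `--set manager.env.ssl=false` matches the documented type. The Helm 2 section has the reader create a wildcard ClusterRole named `cluster-admin` and bind it to the `tiller` ServiceAccount; `cluster-admin` is a bootstrapped role on every conformant cluster, so the create step should not be necessary, and Helm 2/Tiller reached end of life in November 2020, so the whole section could be dropped for a chart released in 2022. Minor: the rows for `controller.configmap.*` and `controller.secret.*` are missing the trailing Notes column, and there are typos "clsuter", "manageed", "consol", "ture" and "a OpenShift".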


@ -0,0 +1,14 @@
### Run-Time Protection Without Compromise
NeuVector delivers a complete run-time security solution with container process/file system protection and vulnerability scanning combined with the only true Layer 7 container firewall. Protect sensitive data with a complete container security platform.
NeuVector integrates tightly with Rancher and Kubernetes to extend the built-in security features for applications that require defense in depth. Security features include:
+ Build phase vulnerability scanning with Jenkins plug-in and registry scanning
+ Admission control to prevent vulnerable or unauthorized image deployments using Kubernetes admission control webhooks
+ Complete run-time scanning with network, process, and file system monitoring and protection
+ The industry's only layer 7 container firewall for multi-protocol threat detection and automated segmentation
+ Advanced network controls including DLP detection, service mesh integration, connection blocking and packet captures
+ Run-time vulnerability scanning and CIS benchmarks
Please Note: Before installing this chart, you will need to get an image pull secret and license key from NeuVector. Without this data supplied, the chart will not work. Configure correct container runtime and runtime path.


@ -0,0 +1,200 @@
questions:
#image configurations
- variable: registry
default: "registry.neuvector.com"
description: image registry
type: string
label: Image Registry
group: "Container Images"
- variable: oem
default: ""
description: OEM release name
type: string
label: OEM name
group: "Container Images"
- variable: tag
default: "4.4.3"
description: image tag for controller enforcer manager
type: string
label: Image Tag
group: "Container Images"
- variable: imagePullSecrets
default: ""
description: secret name to pull image
type: string
label: Image Pull Secrets
group: "Container Images"
- variable: controller.image.repository
default: "neuvector/controller"
description: controller image repository
type: string
label: Controller image path
group: "Container Images"
- variable: manager.image.repository
default: "neuvector/manager"
description: manager image repository
type: string
label: Manager image path
group: "Container Images"
- variable: enforcer.image.repository
default: "neuvector/enforcer"
description: enforcer image repository
type: string
label: Enforcer image path
group: "Container Images"
- variable: cve.scanner.image.repository
default: "neuvector/scanner"
description: scanner image repository
type: string
label: Scanner image path
group: "Container Images"
- variable: cve.updater.image.repository
default: "neuvector/updater"
description: cve updater image repository
type: string
label: CVE Updater image path
group: "Container Images"
#Container Runtime configurations
- variable: docker.enabled
default: true
description: Docker runtime. Enable only one runtime.
type: boolean
label: Docker Runtime
show_subquestion_if: true
group: "Container Runtime"
subquestions:
- variable: docker.path
default: "/var/run/docker.sock"
description: "Docker Runtime Path"
type: string
label: Runtime Path
- variable: containerd.enabled
default: "false"
description: Containerd runtime. Enable only one runtime.
type: boolean
label: Containerd Runtime
show_subquestion_if: true
group: "Container Runtime"
subquestions:
- variable: containerd.path
default: " /var/run/containerd/containerd.sock"
description: "Containerd Runtime Path"
type: string
label: Runtime Path
- variable: crio.enabled
default: "false"
description: Crio runtime. Enable only one runtime.
type: boolean
label: Crio Runtime
show_subquestion_if: true
group: "Container Runtime"
subquestions:
- variable: crio.path
default: "/var/run/crio/crio.sock"
description: "Crio Runtime Path"
type: string
label: Runtime Path
#storage configurations
- variable: controller.pvc.enabled
default: false
description: If true, enable persistence for controller using PVC
type: boolean
label: PVC status
group: "PVC Configuration"
- variable: controller.pvc.storageClass
default: ""
description: Storage Class to be used
type: string
label: Storage Class Name
group: "PVC Configuration"
#ingress configurations
- variable: manager.ingress.enabled
default: false
description: If true, create ingress, must also set ingress host value
type: boolean
label: Manager ingress status
group: "Ingress Configuration"
- variable: manager.ingress.host
default: ""
description: Must set this host value if ingress is enabled
type: string
label: Manager Ingress host
group: "Ingress Configuration"
- variable: manager.ingress.path
default: "/"
description: Set ingress path
type: string
label: Manager Ingress path
group: "Ingress Configuration"
- variable: manager.ingress.annotations
default: "{}"
description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation.
type: string
label: Manager Ingress annotations
group: "Ingress Configuration"
- variable: controller.ingress.enabled
default: false
description: If true, create ingress for rest api, must also set ingress host value
type: boolean
label: Controller ingress status
group: "Ingress Configuration"
- variable: controller.ingress.host
default: ""
description: Must set this host value if ingress is enabled
type: string
label: Controller Ingress host
group: "Ingress Configuration"
- variable: controller.ingress.path
default: "/"
description: Set ingress path
type: string
label: Controller Ingress path
group: "Ingress Configuration"
- variable: controller.ingress.annotations
default: "{}"
description: Add annotations to ingress to influence behavior. Please use the 'Edit as YAML' feature in the Rancher UI to add single or multiple lines of annotation.
type: string
label: Controller Ingress annotations
group: "Ingress Configuration"
#service configurations
- variable: manager.svc.type
default: "NodePort"
description: Set manager service type for native Kubernetes
type: enum
label: Manager service type
group: "Service Configuration"
options:
- "NodePort"
- "ClusterIP"
- "LoadBalancer"
- variable: controller.federation.mastersvc.type
default: ""
description: Multi-cluster master cluster service type. If specified, the deployment will be used to manage other clusters. Possible values include NodePort, LoadBalancer and Ingress
type: enum
label: Fed Master Service Type
group: "Service Configuration"
options:
- "NodePort"
- "Ingress"
- "LoadBalancer"
- variable: controller.federation.managedsvc.type
default: ""
description: Multi-cluster managed cluster service type. If specified, the deployment will be managed by the master clsuter. Possible values include NodePort, LoadBalancer and Ingress
type: enum
label: Fed Managed service type
group: "Service Configuration"
options:
- "NodePort"
- "Ingress"
- "LoadBalancer"
- variable: controller.apisvc.type
default: "NodePort"
description: Controller REST API service type
type: enum
label: Controller REST API Service Type
group: "Service Configuration"
options:
- "NodePort"
- "ClusterIP"
- "LoadBalancer"


@ -0,0 +1,20 @@
{{- if and .Values.manager.enabled .Values.manager.ingress.enabled }}
From outside the cluster, the NeuVector URL is:
http://{{ .Values.manager.ingress.host }}
{{- else if not .Values.openshift }}
Get the NeuVector URL by running these commands:
{{- if contains "NodePort" .Values.manager.svc.type }}
NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services neuvector-service-webui)
NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo https://$NODE_IP:$NODE_PORT
{{- else if contains "ClusterIP" .Values.manager.svc.type }}
CLUSTER_IP=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.clusterIP}" services neuvector-service-webui)
echo https://$CLUSTER_IP:8443
{{- else if contains "LoadBalancer" .Values.manager.svc.type }}
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
Watch the status by running 'kubectl get svc --namespace {{ .Release.Namespace }} -w neuvector-service-webui'
SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} neuvector-service-webui -o jsonpath="{.status.loadBalancer.ingress[0].ip}")
echo https://$SERVICE_IP:8443
{{- end }}
{{- end }}
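Review bot: the ingress branch prints `http://{{ .Values.manager.ingress.host }}` while every other branch prints `https://`; when `manager.ingress.tls` is set (a value the README documents) the printed URL is wrong, so branch on `.Values.manager.ingress.tls` and print `https://` in that case. The NodePort branch reads `.status.addresses[0].address`, which on most clusters is the node's InternalIP rather than an externally reachable address; selecting the `ExternalIP` entry, or saying in the output that the address may be internal, would avoid misleading users.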


@ -0,0 +1,32 @@
{{/* vim: set filetype=mustache: */}}
{{/*
Expand the name of the chart.
*/}}
{{- define "neuvector.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "neuvector.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "neuvector.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- end -}}


@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
name: neuvector-svc-admission-webhook
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
ports:
- port: 443
targetPort: 20443
protocol: TCP
name: admission-webhook
type: {{ .Values.admissionwebhook.type }}
selector:
app: neuvector-controller-pod
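Review bot: `type: {{ .Values.admissionwebhook.type }}` lets the admission webhook Service be switched to NodePort or LoadBalancer, but the only client of this endpoint is the API server, which reaches it through the in-cluster Service referenced by the webhook configuration; anything beyond `ClusterIP` exposes port 20443 of the controller pods outside the cluster for no benefit. Consider hard-coding `ClusterIP`, or document in the README table why the knob exists and that it should normally stay at its default.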


@ -0,0 +1,119 @@
{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRole
metadata:
name: neuvector-binding-app
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
- apiGroups:
- ""
resources:
- nodes
- pods
- services
- namespaces
verbs:
- get
- list
- watch
- update
---
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRole
metadata:
name: neuvector-binding-rbac
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
{{- if .Values.openshift }}
- apiGroups:
- image.openshift.io
resources:
- imagestreams
verbs:
- get
- list
- watch
{{- end }}
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
- roles
- clusterrolebindings
- clusterroles
verbs:
- get
- list
- watch
---
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRole
metadata:
name: neuvector-binding-admission
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
- mutatingwebhookconfigurations
verbs:
- get
- list
- watch
- create
- update
- delete
---
{{- if $oc4 }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: neuvector-binding-co
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
- apiGroups:
- config.openshift.io
resources:
- clusteroperators
verbs:
- get
- list
{{- end }}
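Review bot: `neuvector-binding-app` grants `update` on `nodes`, `pods`, `services` and `namespaces` cluster-wide in addition to get/list/watch; that is write access to every workload and node object in the cluster, so each resource should be justified (which component updates nodes or namespaces, and would a narrower resource set do?) and the grant explained in the README. `neuvector-binding-admission` grants create/update/delete on `validatingwebhookconfigurations` and `mutatingwebhookconfigurations`, a cluster-wide control point; it is needed for the admission-control feature but deserves a comment in the template. Minor: the `$oc3` and `>=1.8-0` branches can never be taken under the chart's `kubeVersion: '>=1.13.0-0'`, and the fixed cluster-scoped names (`neuvector-binding-app` etc.) mean a second release in the same cluster would collide.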


@ -0,0 +1,145 @@
{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-app
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-app
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
{{- end }}
---
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-rbac
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-rbac
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
{{- end }}
---
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-admission
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-admission
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
{{- end }}
---
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-view
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: view
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
{{- end }}
---
{{- if $oc4 }}
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-co
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: neuvector-binding-co
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
{{- end }}
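Review bot: none of the ClusterRoleBindings in this file say what the bound permission is for, whereas the CRD template in this same release puts a `# ClusterRole for NeuVector to ...` comment above every RBAC object. `neuvector-binding-view` in particular binds the built-in `view` ClusterRole to `{{ .Values.serviceAccount }}` across all namespaces, and `neuvector-binding-co` is emitted only under `$oc4`; a one-line comment above each binding naming the controller feature that needs it (admission control, RBAC inspection, cluster-wide read) would let someone auditing the rendered RBAC confirm least privilege without reading the controller source. Minor: the `userNames:` list under `{{- if $oc3 }}` duplicates the `subjects` entry for the legacy `authorization.openshift.io/v1` API, which is fine, but a comment saying it is only needed on OpenShift 3 would stop it from being "fixed" away later.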

View File

@ -0,0 +1,199 @@
{{- if .Values.controller.enabled -}}
{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: apps/v1
{{- else }}
apiVersion: extensions/v1beta1
{{- end }}
kind: Deployment
metadata:
name: neuvector-controller-pod
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
replicas: {{ .Values.controller.replicas }}
minReadySeconds: 60
strategy:
{{ toYaml .Values.controller.strategy | indent 4 }}
selector:
matchLabels:
app: neuvector-controller-pod
template:
metadata:
labels:
app: neuvector-controller-pod
release: {{ .Release.Name }}
spec:
{{- if .Values.controller.affinity }}
affinity:
{{ toYaml .Values.controller.affinity | indent 8 }}
{{- end }}
{{- if .Values.controller.tolerations }}
tolerations:
{{ toYaml .Values.controller.tolerations | indent 8 }}
{{- end }}
{{- if .Values.controller.nodeSelector }}
nodeSelector:
{{ toYaml .Values.controller.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.controller.schedulerName }}
schedulerName: {{ .Values.controller.schedulerName }}
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.imagePullSecrets }}
{{- end }}
{{- if .Values.controller.priorityClassName }}
priorityClassName: {{ .Values.controller.priorityClassName }}
{{- end }}
serviceAccountName: {{ .Values.serviceAccount }}
serviceAccount: {{ .Values.serviceAccount }}
containers:
- name: neuvector-controller-pod
{{ if eq .Values.registry "registry.neuvector.com" }}
{{ if .Values.oem }}
image: "{{ .Values.registry }}/{{ .Values.oem }}/controller:{{ .Values.tag }}"
{{- else }}
image: "{{ .Values.registry }}/controller:{{ .Values.tag }}"
{{- end }}
{{- else }}
image: "{{ .Values.registry }}/{{ .Values.controller.image.repository }}:{{ .Values.tag }}"
{{- end }}
securityContext:
privileged: true
resources:
{{- if .Values.controller.resources }}
{{ toYaml .Values.controller.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.resources | indent 12 }}
{{- end }}
readinessProbe:
exec:
command:
- cat
- /tmp/ready
initialDelaySeconds: 5
periodSeconds: 5
env:
- name: CLUSTER_JOIN_ADDR
value: neuvector-svc-controller.{{ .Release.Namespace }}
- name: CLUSTER_ADVERTISED_ADDR
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: CLUSTER_BIND_ADDR
valueFrom:
fieldRef:
fieldPath: status.podIP
{{- if or .Values.controller.pvc.enabled .Values.controller.azureFileShare.enabled }}
- name: CTRL_PERSIST_CONFIG
value: "1"
{{- end }}
{{- with .Values.controller.env }}
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
- mountPath: /var/neuvector
name: nv-share
readOnly: false
{{- if .Values.containerd.enabled }}
- mountPath: /var/run/containerd/containerd.sock
{{- else if .Values.k3s.enabled }}
- mountPath: /var/run/containerd/containerd.sock
{{- else if .Values.bottlerocket.enabled }}
- mountPath: /var/run/containerd/containerd.sock
{{- else if .Values.crio.enabled }}
- mountPath: /var/run/crio/crio.sock
{{- else }}
- mountPath: /var/run/docker.sock
{{- end }}
name: runtime-sock
readOnly: true
- mountPath: /host/proc
name: proc-vol
readOnly: true
- mountPath: /host/cgroup
name: cgroup-vol
readOnly: true
- mountPath: /etc/config
name: config-volume
readOnly: true
{{- if .Values.controller.certificate.secret }}
- mountPath: /etc/neuvector/certs/ssl-cert.key
subPath: {{ .Values.controller.certificate.keyFile }}
name: cert
readOnly: true
- mountPath: /etc/neuvector/certs/ssl-cert.pem
subPath: {{ .Values.controller.certificate.pemFile }}
name: cert
readOnly: true
{{- end }}
terminationGracePeriodSeconds: 300
restartPolicy: Always
volumes:
- name: nv-share
{{- if .Values.controller.pvc.enabled }}
persistentVolumeClaim:
claimName: neuvector-data
{{- else if .Values.controller.azureFileShare.enabled }}
azureFile:
secretName: {{ .Values.controller.azureFileShare.secretName }}
shareName: {{ .Values.controller.azureFileShare.shareName }}
readOnly: false
{{- else }}
hostPath:
path: /var/neuvector
{{- end }}
- name: runtime-sock
hostPath:
{{- if .Values.containerd.enabled }}
path: {{ .Values.containerd.path }}
{{- else if .Values.crio.enabled }}
path: {{ .Values.crio.path }}
{{- else if .Values.k3s.enabled }}
path: {{ .Values.k3s.runtimePath }}
{{- else if .Values.bottlerocket.enabled }}
path: {{ .Values.bottlerocket.runtimePath }}
{{- else }}
path: {{ .Values.docker.path }}
{{- end }}
- name: proc-vol
hostPath:
path: /proc
- name: cgroup-vol
hostPath:
path: /sys/fs/cgroup
- name: config-volume
projected:
sources:
{{- if .Values.controller.configmap.enabled }}
- configMap:
name: neuvector-init
optional: true
{{- end }}
{{- if .Values.controller.secret.enabled }}
- secret:
name: neuvector-init
optional: true
{{- end }}
{{- if .Values.controller.certificate.secret }}
- name: cert
secret:
secretName: {{ .Values.controller.certificate.secret }}
{{- end }}
{{- if gt (int .Values.controller.disruptionbudget) 0 }}
---
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: neuvector-controller-pdb
namespace: neuvector
spec:
minAvailable: {{ .Values.controller.disruptionbudget }}
selector:
matchLabels:
app: neuvector-controller-pod
{{- end }}
{{- end }}
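Review bot: the PodDisruptionBudget at the end of this hunk hard-codes `namespace: neuvector` while every other object in the file uses `namespace: {{ .Release.Namespace }}`; installing the chart into any other namespace puts the PDB in the wrong namespace (or fails if `neuvector` does not exist), its `selector` then matches nothing, and the budget is never enforced. Use `{{ .Release.Namespace }}` here as well. Two smaller points: `policy/v1beta1` is the only API version emitted for the PDB even though the same file already switches `apps/v1` on `semverCompare`, so a `policy/v1` branch for clusters that have it would keep the pattern consistent; and the controller runs `privileged: true` with the container runtime socket, `/proc` and `/sys/fs/cgroup` mounted from the host, where `readOnly: true` on the `runtime-sock` mount does not limit what can be done through the socket (a read-only bind mount still permits connecting to a Unix socket), so a comment should say that the effective privilege is full runtime access rather than letting `readOnly: true` read as a mitigation.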

View File

@ -0,0 +1,210 @@
{{- if .Values.controller.enabled }}
{{- if .Values.controller.ingress.enabled }}
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: neuvector-restapi-ingress
namespace: {{ .Release.Namespace }}
{{- with .Values.controller.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
{{- if .Values.controller.ingress.tls }}
tls:
- hosts:
- {{ .Values.controller.ingress.host }}
{{- if .Values.controller.ingress.secretName }}
secretName: {{ .Values.controller.ingress.secretName }}
{{- end }}
{{- end }}
rules:
- host: {{ .Values.controller.ingress.host }}
http:
paths:
- path: {{ .Values.controller.ingress.path }}
pathType: Prefix
backend:
service:
name: neuvector-svc-controller-api
port:
number: 10443
{{- else }}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: neuvector-restapi-ingress
namespace: {{ .Release.Namespace }}
{{- with .Values.controller.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
{{- if .Values.controller.ingress.tls }}
tls:
- hosts:
- {{ .Values.controller.ingress.host }}
{{- if .Values.controller.ingress.secretName }}
secretName: {{ .Values.controller.ingress.secretName }}
{{- end }}
{{- end }}
rules:
- host: {{ .Values.controller.ingress.host }}
http:
paths:
- path: {{ .Values.controller.ingress.path }}
backend:
serviceName: neuvector-svc-controller-api
servicePort: 10443
{{- end }}
{{- end }}
{{- if .Values.controller.federation.mastersvc.ingress.enabled }}
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: neuvector-mastersvc-ingress
namespace: {{ .Release.Namespace }}
{{- with .Values.controller.federation.mastersvc.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
{{- if .Values.controller.federation.mastersvc.ingress.tls }}
tls:
- hosts:
- {{ .Values.controller.federation.mastersvc.ingress.host }}
{{- if .Values.controller.federation.mastersvc.ingress.secretName }}
secretName: {{ .Values.controller.federation.mastersvc.ingress.secretName }}
{{- end }}
{{- end }}
rules:
- host: {{ .Values.controller.federation.mastersvc.ingress.host }}
http:
paths:
- path: {{ .Values.controller.federation.mastersvc.ingress.path }}
pathType: Prefix
backend:
service:
name: neuvector-svc-controller-fed-master
port:
number: 11443
{{- else }}
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: neuvector-mastersvc-ingress
namespace: {{ .Release.Namespace }}
{{- with .Values.controller.federation.mastersvc.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
{{- if .Values.controller.federation.mastersvc.ingress.tls }}
tls:
- hosts:
- {{ .Values.controller.federation.mastersvc.ingress.host }}
{{- if .Values.controller.federation.mastersvc.ingress.secretName }}
secretName: {{ .Values.controller.federation.mastersvc.ingress.secretName }}
{{- end }}
{{- end }}
rules:
- host: {{ .Values.controller.federation.mastersvc.ingress.host }}
http:
paths:
- path: {{ .Values.controller.federation.mastersvc.ingress.path }}
backend:
serviceName: neuvector-svc-controller-fed-master
servicePort: 11443
{{- end }}
{{- end }}
{{- if .Values.controller.federation.managedsvc.ingress.enabled }}
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: neuvector-managedsvc-ingress
namespace: {{ .Release.Namespace }}
{{- with .Values.controller.federation.managedsvc.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
{{- if .Values.controller.federation.managedsvc.ingress.tls }}
tls:
- hosts:
- {{ .Values.controller.federation.managedsvc.ingress.host }}
{{- if .Values.controller.federation.managedsvc.ingress.secretName }}
secretName: {{ .Values.controller.federation.managedsvc.ingress.secretName }}
{{- end }}
{{- end }}
rules:
- host: {{ .Values.controller.federation.managedsvc.ingress.host }}
http:
paths:
- path: {{ .Values.controller.federation.managedsvc.ingress.path }}
pathType: Prefix
backend:
service:
name: neuvector-svc-controller-fed-managed
port:
number: 10443
{{- else }}
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: neuvector-managedsvc-ingress
namespace: {{ .Release.Namespace }}
{{- with .Values.controller.federation.managedsvc.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
{{- if .Values.controller.federation.managedsvc.ingress.tls }}
tls:
- hosts:
- {{ .Values.controller.federation.managedsvc.ingress.host }}
{{- if .Values.controller.federation.managedsvc.ingress.secretName }}
secretName: {{ .Values.controller.federation.managedsvc.ingress.secretName }}
{{- end }}
{{- end }}
rules:
- host: {{ .Values.controller.federation.managedsvc.ingress.host }}
http:
paths:
- path: {{ .Values.controller.federation.managedsvc.ingress.path }}
backend:
serviceName: neuvector-svc-controller-fed-managed
servicePort: 10443
{{- end }}
{{- end }}
{{- end -}}
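Review bot: duplication across the six Ingress objects in this hunk, which are three near-identical pairs differing only in values prefix, object name, backend service and port, means any future change (for instance adding `ingressClassName`, which none of the `networking.k8s.io/v1` branches set) has to be repeated six times. A named template taking the ingress values, name, service and port as arguments would remove that drift risk. Also note that `tls:` is rendered only when `.Values.controller.ingress.tls` (and the two federation equivalents) is truthy; since these ingresses front the controller REST API and the federation endpoints, the values file and README should state the default and make clear that leaving it unset publishes the host rule without TLS at the ingress edge.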

View File

@ -0,0 +1,82 @@
{{- if .Values.openshift -}}
{{- if .Values.controller.apisvc.route.enabled }}
{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: route.openshift.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: Route
metadata:
name: neuvector-route-api
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
{{- if .Values.controller.apisvc.route.host }}
host: {{ .Values.controller.apisvc.route.host }}
{{- end }}
to:
kind: Service
name: neuvector-svc-controller-api
port:
targetPort: controller-api
tls:
termination: {{ .Values.controller.apisvc.route.termination }}
---
{{ end -}}
{{- if .Values.controller.federation.mastersvc.route.enabled }}
{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: route.openshift.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: Route
metadata:
name: neuvector-route-fed-master
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
{{- if .Values.controller.federation.mastersvc.route.host }}
host: {{ .Values.controller.federation.mastersvc.route.host }}
{{- end }}
to:
kind: Service
name: neuvector-svc-controller-fed-master
port:
targetPort: fed
tls:
termination: {{ .Values.controller.federation.mastersvc.route.termination }}
---
{{ end -}}
{{- if .Values.controller.federation.managedsvc.route.enabled }}
{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: route.openshift.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: Route
metadata:
name: neuvector-route-fed-managed
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
{{- if .Values.controller.federation.managedsvc.route.host }}
host: {{ .Values.controller.federation.managedsvc.route.host }}
{{- end }}
to:
kind: Service
name: neuvector-svc-controller-fed-managed
port:
targetPort: fed
tls:
termination: {{ .Values.controller.federation.managedsvc.route.termination }}
{{ end -}}
{{- end -}}
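Review bot: the three Route objects set `tls.termination` from values but never set `insecureEdgeTerminationPolicy`, so whether plain-HTTP requests to the route are dropped or redirected is left to the router default; setting it explicitly, or exposing it as a value next to `termination`, makes the intended behaviour visible in the rendered manifest. Minor: the first two routes are followed by `---` and `{{ end -}}` while the last one omits the separator, and the block mixes `{{ end -}}` with the `{{- end }}` form used elsewhere in the chart; harmless, but worth making consistent.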

View File

@ -0,0 +1,89 @@
{{- if .Values.controller.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: neuvector-svc-controller
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
clusterIP: None
ports:
- port: 18300
protocol: "TCP"
name: "cluster-tcp-18300"
- port: 18301
protocol: "TCP"
name: "cluster-tcp-18301"
- port: 18301
protocol: "UDP"
name: "cluster-udp-18301"
selector:
app: neuvector-controller-pod
{{- if .Values.controller.apisvc.type }}
---
apiVersion: v1
kind: Service
metadata:
name: neuvector-svc-controller-api
namespace: {{ .Release.Namespace }}
{{- with .Values.controller.apisvc.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
type: {{ .Values.controller.apisvc.type }}
ports:
- port: 10443
protocol: "TCP"
name: "controller-api"
selector:
app: neuvector-controller-pod
{{ end -}}
{{- if .Values.controller.federation.mastersvc.type }}
---
apiVersion: v1
kind: Service
metadata:
name: neuvector-svc-controller-fed-master
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
type: {{ .Values.controller.federation.mastersvc.type }}
ports:
- port: 11443
name: fed
protocol: TCP
selector:
app: neuvector-controller-pod
{{ end -}}
{{- if .Values.controller.federation.managedsvc.type }}
---
apiVersion: v1
kind: Service
metadata:
name: neuvector-svc-controller-fed-managed
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
type: {{ .Values.controller.federation.managedsvc.type }}
ports:
- port: 10443
name: fed
protocol: TCP
selector:
app: neuvector-controller-pod
{{ end -}}
{{- end -}}
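Review bot: `neuvector-svc-controller-api`, `neuvector-svc-controller-fed-master` and `neuvector-svc-controller-fed-managed` take `type` straight from values and are rendered only when that value is set, so one knob both enables the Service and decides whether it is `ClusterIP`, `NodePort` or `LoadBalancer`. Since these publish the controller REST API (10443) and the federation ports (11443/10443), please document in the values file that anything other than `ClusterIP` exposes them outside the cluster, and consider separate `enabled` and `type` keys so an operator cannot expose the API by accident when they only meant to turn the Service on. The headless `neuvector-svc-controller` entry is fine as is; one nit is that its ports quote `"TCP"` while the federation services use bare `TCP`.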

View File

@ -0,0 +1,926 @@
{{- if .Values.crdwebhook.enabled -}}
{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: apiextensions.k8s.io/v1
{{- else }}
apiVersion: apiextensions.k8s.io/v1beta1
{{- end }}
kind: CustomResourceDefinition
metadata:
name: nvsecurityrules.neuvector.com
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
group: neuvector.com
names:
kind: NvSecurityRule
listKind: NvSecurityRuleList
plural: nvsecurityrules
singular: nvsecurityrule
scope: Namespaced
{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
version: v1
{{- end }}
versions:
- name: v1
served: true
storage: true
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
schema:
openAPIV3Schema:
properties:
spec:
properties:
egress:
items:
properties:
action:
enum:
- allow
- deny
type: string
applications:
items:
type: string
type: array
name:
type: string
ports:
type: string
priority:
type: integer
selector:
properties:
comment:
type: string
criteria:
items:
properties:
key:
type: string
op:
type: string
value:
type: string
required:
- key
- op
- value
type: object
type: array
name:
type: string
original_name:
type: string
required:
- name
- criteria
type: object
required:
- action
- name
- selector
type: object
type: array
file:
items:
properties:
app:
items:
type: string
type: array
behavior:
enum:
- monitor_change
- block_access
type: string
filter:
type: string
recursive:
type: boolean
required:
- behavior
- filter
type: object
type: array
ingress:
items:
properties:
action:
enum:
- allow
- deny
type: string
applications:
items:
type: string
type: array
name:
type: string
ports:
type: string
priority:
type: integer
selector:
properties:
comment:
type: string
criteria:
items:
properties:
key:
type: string
op:
type: string
value:
type: string
required:
- key
- op
- value
type: object
type: array
name:
type: string
original_name:
type: string
required:
- name
- criteria
type: object
required:
- action
- name
- selector
type: object
type: array
process:
items:
properties:
action:
enum:
- allow
- deny
type: string
allow_update:
type: boolean
name:
type: string
path:
type: string
required:
- action
type: object
type: array
process_profile:
properties:
baseline:
enum:
- default
- shield
type: string
type: object
target:
properties:
policymode:
enum:
- Discover
- Monitor
- Protect
- N/A
type: string
selector:
properties:
comment:
type: string
criteria:
items:
properties:
key:
type: string
op:
type: string
value:
type: string
required:
- key
- op
- value
type: object
type: array
name:
type: string
original_name:
type: string
required:
- name
- criteria
type: object
required:
- selector
type: object
waf:
properties:
settings:
items:
properties:
action:
enum:
- allow
- deny
type: string
name:
type: string
required:
- name
- action
type: object
type: array
status:
type: boolean
type: object
required:
- target
type: object
type: object
{{- end }}
---
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: apiextensions.k8s.io/v1
{{- else }}
apiVersion: apiextensions.k8s.io/v1beta1
{{- end }}
kind: CustomResourceDefinition
metadata:
name: nvclustersecurityrules.neuvector.com
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
group: neuvector.com
names:
kind: NvClusterSecurityRule
listKind: NvClusterSecurityRuleList
plural: nvclustersecurityrules
singular: nvclustersecurityrule
scope: Cluster
{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
version: v1
{{- end }}
versions:
- name: v1
served: true
storage: true
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
schema:
openAPIV3Schema:
properties:
spec:
properties:
egress:
items:
properties:
action:
enum:
- allow
- deny
type: string
applications:
items:
type: string
type: array
name:
type: string
ports:
type: string
priority:
type: integer
selector:
properties:
comment:
type: string
criteria:
items:
properties:
key:
type: string
op:
type: string
value:
type: string
required:
- key
- op
- value
type: object
type: array
name:
type: string
original_name:
type: string
required:
- name
- criteria
type: object
required:
- action
- name
- selector
type: object
type: array
file:
items:
properties:
app:
items:
type: string
type: array
behavior:
enum:
- monitor_change
- block_access
type: string
filter:
type: string
recursive:
type: boolean
required:
- behavior
- filter
type: object
type: array
ingress:
items:
properties:
action:
enum:
- allow
- deny
type: string
applications:
items:
type: string
type: array
name:
type: string
ports:
type: string
priority:
type: integer
selector:
properties:
comment:
type: string
criteria:
items:
properties:
key:
type: string
op:
type: string
value:
type: string
required:
- key
- op
- value
type: object
type: array
name:
type: string
original_name:
type: string
required:
- name
- criteria
type: object
required:
- action
- name
- selector
type: object
type: array
process:
items:
properties:
action:
enum:
- allow
- deny
type: string
allow_update:
type: boolean
name:
type: string
path:
type: string
required:
- action
type: object
type: array
process_profile:
properties:
baseline:
enum:
- default
- shield
type: string
type: object
target:
properties:
policymode:
enum:
- Discover
- Monitor
- Protect
- N/A
type: string
selector:
properties:
comment:
type: string
criteria:
items:
properties:
key:
type: string
op:
type: string
value:
type: string
required:
- key
- op
- value
type: object
type: array
name:
type: string
original_name:
type: string
required:
- name
- criteria
type: object
required:
- selector
type: object
waf:
properties:
settings:
items:
properties:
action:
enum:
- allow
- deny
type: string
name:
type: string
required:
- name
- action
type: object
type: array
status:
type: boolean
type: object
required:
- target
type: object
type: object
{{- end }}
---
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: apiextensions.k8s.io/v1
{{- else }}
apiVersion: apiextensions.k8s.io/v1beta1
{{- end }}
kind: CustomResourceDefinition
metadata:
name: nvadmissioncontrolsecurityrules.neuvector.com
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
group: neuvector.com
names:
kind: NvAdmissionControlSecurityRule
listKind: NvAdmissionControlSecurityRuleList
plural: nvadmissioncontrolsecurityrules
singular: nvadmissioncontrolsecurityrule
scope: Cluster
{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
version: v1
{{- end }}
versions:
- name: v1
served: true
storage: true
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
schema:
openAPIV3Schema:
properties:
spec:
properties:
config:
properties:
client_mode:
enum:
- service
- url
type: string
enable:
type: boolean
mode:
enum:
- monitor
- protect
type: string
required:
- enable
- mode
- client_mode
type: object
rules:
items:
properties:
action:
enum:
- allow
- deny
type: string
comment:
type: string
criteria:
items:
properties:
name:
type: string
op:
type: string
sub_criteria:
items:
properties:
name:
type: string
op:
type: string
value:
type: string
required:
- name
- op
- value
type: object
type: array
value:
type: string
required:
- name
- op
- value
type: object
type: array
disabled:
type: boolean
id:
type: integer
required:
- action
- criteria
type: object
type: array
type: object
type: object
{{- end }}
---
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: apiextensions.k8s.io/v1
{{- else }}
apiVersion: apiextensions.k8s.io/v1beta1
{{- end }}
kind: CustomResourceDefinition
metadata:
name: nvwafsecurityrules.neuvector.com
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
group: neuvector.com
names:
kind: NvWafSecurityRule
listKind: NvWafSecurityRuleList
plural: nvwafsecurityrules
singular: nvwafsecurityrule
scope: Cluster
{{- if (semverCompare "<1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
version: v1
{{- end }}
versions:
- name: v1
served: true
storage: true
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
schema:
openAPIV3Schema:
properties:
spec:
properties:
sensor:
properties:
comment:
type: string
name:
type: string
rules:
items:
properties:
name:
type: string
patterns:
items:
properties:
context:
enum:
- url
- header
- body
- packet
type: string
key:
enum:
- pattern
type: string
op:
enum:
- regex
- '!regex'
type: string
value:
type: string
required:
- key
- op
- value
- context
type: object
type: array
required:
- name
- patterns
type: object
type: array
required:
- name
type: object
required:
- sensor
type: object
type: object
{{- end }}
---
apiVersion: v1
kind: Service
metadata:
name: neuvector-svc-crd-webhook
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
ports:
- port: 443
targetPort: 30443
protocol: TCP
name: crd-webhook
type: {{ .Values.crdwebhook.type }}
selector:
app: neuvector-controller-pod
---
# ClusterRole for NeuVector to operate CRD
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRole
metadata:
name: neuvector-binding-customresourcedefinition
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- update
- watch
- create
- get
---
# ClusterRoleBinding for NeuVector to operate CRD
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-customresourcedefinition
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-customresourcedefinition
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
{{- end }}
---
# ClusterRole for NeuVector to manager user-created network/process CRD rules
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRole
metadata:
name: neuvector-binding-nvsecurityrules
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
- apiGroups:
- neuvector.com
resources:
- nvsecurityrules
- nvclustersecurityrules
verbs:
- list
- delete
---
# ClusterRoleBinding for NeuVector to manager user-created network/process CRD rules
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-nvsecurityrules
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-nvsecurityrules
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
{{- end }}
---
# ClusterRole for NeuVector to manager user-created admission control CRD rules
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRole
metadata:
name: neuvector-binding-nvadmissioncontrolsecurityrules
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
- apiGroups:
- neuvector.com
resources:
- nvadmissioncontrolsecurityrules
verbs:
- list
- delete
---
# ClusterRoleBinding for NeuVector to manager user-created admission control CRD rules
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-nvadmissioncontrolsecurityrules
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-nvadmissioncontrolsecurityrules
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
{{- end }}
---
# ClusterRole for NeuVector to manager user-created waf CRD rules
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRole
metadata:
name: neuvector-binding-nvwafsecurityrules
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
rules:
- apiGroups:
- neuvector.com
resources:
- nvwafsecurityrules
verbs:
- list
- delete
---
# ClusterRoleBinding for NeuVector to manager user-created waf CRD rules
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: ClusterRoleBinding
metadata:
name: neuvector-binding-nvwafsecurityrules
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: neuvector-binding-nvwafsecurityrules
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
{{- end }}
{{- end }}
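Review bot: `neuvector-svc-crd-webhook` (the Service after the four CRDs) takes `type: {{ .Values.crdwebhook.type }}`; the API server only needs to reach an admission webhook through an in-cluster Service, so the default should be `ClusterIP` and the README should say that `NodePort` or `LoadBalancer` here exposes port 30443 on the controller pods beyond the cluster for no functional gain. Typo in the comments above the last six RBAC objects: `# ClusterRole for NeuVector to manager user-created ...` should read `manage`. Also worth a comment on `neuvector-binding-customresourcedefinition`: it grants `create`, `update`, `watch` and `get` on every `customresourcedefinitions` resource cluster-wide rather than only the four `neuvector.com` CRDs; if the controller only reconciles its own CRDs, scoping `get`/`update` with `resourceNames` would narrow it (`create` cannot be name-scoped, so that part has to stay).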

View File

@ -0,0 +1,119 @@
{{- if .Values.enforcer.enabled -}}
{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: apps/v1
{{- else }}
apiVersion: extensions/v1beta1
{{- end }}
kind: DaemonSet
metadata:
name: neuvector-enforcer-pod
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
updateStrategy:
type: RollingUpdate
selector:
matchLabels:
app: neuvector-enforcer-pod
template:
metadata:
labels:
app: neuvector-enforcer-pod
release: {{ .Release.Name }}
spec:
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.imagePullSecrets }}
{{- end }}
{{- if .Values.enforcer.tolerations }}
tolerations:
{{ toYaml .Values.enforcer.tolerations | indent 8 }}
{{- end }}
hostPID: true
{{- if .Values.enforcer.priorityClassName }}
priorityClassName: {{ .Values.enforcer.priorityClassName }}
{{- end }}
serviceAccountName: {{ .Values.serviceAccount }}
serviceAccount: {{ .Values.serviceAccount }}
containers:
- name: neuvector-enforcer-pod
{{ if eq .Values.registry "registry.neuvector.com" }}
{{ if .Values.oem }}
image: "{{ .Values.registry }}/{{ .Values.oem }}/enforcer:{{ .Values.tag }}"
{{- else }}
image: "{{ .Values.registry }}/enforcer:{{ .Values.tag }}"
{{- end }}
{{- else }}
image: "{{ .Values.registry }}/{{ .Values.enforcer.image.repository }}:{{ .Values.tag }}"
{{- end }}
securityContext:
privileged: true
resources:
{{- if .Values.enforcer.resources }}
{{ toYaml .Values.enforcer.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.resources | indent 12 }}
{{- end }}
env:
- name: CLUSTER_JOIN_ADDR
value: neuvector-svc-controller.{{ .Release.Namespace }}
- name: CLUSTER_ADVERTISED_ADDR
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: CLUSTER_BIND_ADDR
valueFrom:
fieldRef:
fieldPath: status.podIP
volumeMounts:
{{- if .Values.containerd.enabled }}
- mountPath: /var/run/containerd/containerd.sock
{{- else if .Values.k3s.enabled }}
- mountPath: /var/run/containerd/containerd.sock
{{- else if .Values.bottlerocket.enabled }}
- mountPath: /var/run/containerd/containerd.sock
{{- else if .Values.crio.enabled }}
- mountPath: /var/run/crio/crio.sock
{{- else }}
- mountPath: /var/run/docker.sock
{{- end }}
name: runtime-sock
readOnly: true
- mountPath: /host/proc
name: proc-vol
readOnly: true
- mountPath: /host/cgroup
name: cgroup-vol
readOnly: true
- mountPath: /lib/modules
name: modules-vol
readOnly: true
terminationGracePeriodSeconds: 1200
restartPolicy: Always
volumes:
- name: runtime-sock
hostPath:
{{- if .Values.containerd.enabled }}
path: {{ .Values.containerd.path }}
{{- else if .Values.crio.enabled }}
path: {{ .Values.crio.path }}
{{- else if .Values.k3s.enabled }}
path: {{ .Values.k3s.runtimePath }}
{{- else if .Values.bottlerocket.enabled }}
path: {{ .Values.bottlerocket.runtimePath }}
{{- else }}
path: {{ .Values.docker.path }}
{{- end }}
- name: proc-vol
hostPath:
path: /proc
- name: cgroup-vol
hostPath:
path: /sys/fs/cgroup
- name: modules-vol
hostPath:
path: /lib/modules
{{- end }}
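Review bot: the enforcer container runs with `privileged: true` and `hostPID: true` and mounts the container runtime socket, `/proc`, `/sys/fs/cgroup` and `/lib/modules` from the host; every mount is `readOnly: true`, which is right, but the template carries no comment explaining why privileged plus host PID is required, and that is exactly what a future change will relax or widen by accident. Add the rationale next to `securityContext:`. Two smaller points: `{{ if eq .Values.registry "registry.neuvector.com" }}` and `{{ if .Values.oem }}` lack the `{{-` whitespace trim that every other directive in the file uses, so the rendered manifest contains stray blank lines; and the `bottlerocket` branch mounts `.Values.bottlerocket.runtimePath` (defaulting to `/run/dockershim.sock` in values.yaml) at `/var/run/containerd/containerd.sock`, which only works if the enforcer talks to that socket as containerd, so a comment there would save the next reader a detour.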

View File

@ -0,0 +1,13 @@
{{- if .Values.controller.configmap.enabled }}
apiVersion: v1
kind: ConfigMap
metadata:
name: neuvector-init
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
data:
{{ toYaml .Values.controller.configmap.data | indent 4 }}
{{- end }}
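Review bot: `{{ toYaml .Values.controller.configmap.data | indent 4 }}` renders the literal `null` when `controller.configmap.data` is empty, which is how values.yaml ships it (`data:` followed only by commented examples); a user who flips `controller.configmap.enabled` to true without adding files gets a ConfigMap whose `data` is not a map and the install fails with an unhelpful error. Wrap the block in `{{- with .Values.controller.configmap.data }}` … `{{- end }}` so an empty map renders `data:` with nothing under it, or fail early with a `required` check and a clear message.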

View File

@ -0,0 +1,15 @@
{{- if .Values.controller.secret.enabled }}
apiVersion: v1
kind: Secret
metadata:
name: neuvector-init
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
data:
{{- range $key, $val := .Values.controller.secret.data }}
{{ $key }}: | {{ toYaml $val | b64enc | nindent 4 }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,89 @@
{{- if .Values.manager.enabled -}}
{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: apps/v1
{{- else }}
apiVersion: extensions/v1beta1
{{- end }}
kind: Deployment
metadata:
name: neuvector-manager-pod
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
replicas: 1
selector:
matchLabels:
app: neuvector-manager-pod
template:
metadata:
labels:
app: neuvector-manager-pod
release: {{ .Release.Name }}
spec:
{{- if .Values.manager.affinity }}
affinity:
{{ toYaml .Values.manager.affinity | indent 8 }}
{{- end }}
{{- if .Values.manager.tolerations }}
tolerations:
{{ toYaml .Values.manager.tolerations | indent 8 }}
{{- end }}
{{- if .Values.manager.nodeSelector }}
nodeSelector:
{{ toYaml .Values.manager.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.imagePullSecrets }}
{{- end }}
{{- if .Values.manager.priorityClassName }}
priorityClassName: {{ .Values.manager.priorityClassName }}
{{- end }}
serviceAccountName: {{ .Values.serviceAccount }}
serviceAccount: {{ .Values.serviceAccount }}
containers:
- name: neuvector-manager-pod
{{ if eq .Values.registry "registry.neuvector.com" }}
{{ if .Values.oem }}
image: "{{ .Values.registry }}/{{ .Values.oem }}/manager:{{ .Values.tag }}"
{{- else }}
image: "{{ .Values.registry }}/manager:{{ .Values.tag }}"
{{- end }}
{{- else }}
image: "{{ .Values.registry }}/{{ .Values.manager.image.repository }}:{{ .Values.tag }}"
{{- end }}
env:
- name: CTRL_SERVER_IP
value: neuvector-svc-controller.{{ .Release.Namespace }}
{{- if not .Values.manager.env.ssl }}
- name: MANAGER_SSL
value: "off"
{{- end }}
volumeMounts:
{{- if .Values.manager.certificate.secret }}
- mountPath: /etc/neuvector/certs/ssl-cert.key
subPath: {{ .Values.manager.certificate.keyFile }}
name: cert
readOnly: true
- mountPath: /etc/neuvector/certs/ssl-cert.pem
subPath: {{ .Values.manager.certificate.pemFile }}
name: cert
readOnly: true
{{- end }}
resources:
{{- if .Values.manager.resources }}
{{ toYaml .Values.manager.resources | indent 12 }}
{{- else }}
{{ toYaml .Values.resources | indent 12 }}
{{- end }}
restartPolicy: Always
volumes:
{{- if .Values.manager.certificate.secret }}
- name: cert
secret:
secretName: {{ .Values.manager.certificate.secret }}
{{- end }}
{{- end }}
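Review bot: when `manager.env.ssl` is false the container gets `MANAGER_SSL=off` and serves the UI in plaintext, but nothing else in the chart follows that switch: the webui Service keeps port 8443, the OpenShift Route defaults to `termination: passthrough` (which expects TLS at the pod) and the ingress annotation examples in values.yaml assume an HTTPS backend. Either document that `ssl: false` is only meant for a TLS-terminating proxy directly in front of the pod, or make the Route termination and the ingress backend-protocol follow the flag. Separately, the container has no `securityContext` at all; the manager is the one component here that does not need host access, so `runAsNonRoot` and `allowPrivilegeEscalation: false` would be cheap to add if the image supports them.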

View File

@ -0,0 +1,68 @@
{{- if and .Values.manager.enabled .Values.manager.ingress.enabled -}}
{{- if (semverCompare ">=1.19-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: neuvector-webui-ingress
namespace: {{ .Release.Namespace }}
{{- with .Values.manager.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
{{- if .Values.manager.ingress.tls }}
tls:
- hosts:
- {{ .Values.manager.ingress.host }}
{{- if .Values.manager.ingress.secretName }}
secretName: {{ .Values.manager.ingress.secretName }}
{{- end }}
{{- end }}
rules:
- host: {{ .Values.manager.ingress.host }}
http:
paths:
- path: {{ .Values.manager.ingress.path }}
pathType: Prefix
backend:
service:
name: neuvector-service-webui
port:
number: 8443
{{- else }}
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: neuvector-webui-ingress
namespace: {{ .Release.Namespace }}
{{- with .Values.manager.ingress.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
{{- if .Values.manager.ingress.tls }}
tls:
- hosts:
- {{ .Values.manager.ingress.host }}
{{- if .Values.manager.ingress.secretName }}
secretName: {{ .Values.manager.ingress.secretName }}
{{- end }}
{{- end }}
rules:
- host: {{ .Values.manager.ingress.host }}
http:
paths:
- path: {{ .Values.manager.ingress.path }}
backend:
serviceName: neuvector-service-webui
servicePort: 8443
{{- end }}
{{- end -}}
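Review bot: `host: {{ .Values.manager.ingress.host }}` has no guard even though values.yaml marks the host as `MUST be set, if ingress is enabled`; with an empty value the rule renders `host:` with null, and an Ingress rule without a host matches all inbound traffic on the controller, so the management UI becomes reachable under every hostname the ingress serves. Use `{{ required "manager.ingress.host must be set when manager.ingress.enabled is true" .Values.manager.ingress.host }}` in both the `tls.hosts` entry and the `rules` entry, in both API-version branches. The two branches also duplicate the whole metadata block; only `spec` differs, so the version switch could be pushed down to `apiVersion` and the `backend` stanza.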

View File

@ -0,0 +1,28 @@
{{- if .Values.openshift -}}
{{- if .Values.manager.route.enabled }}
{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: route.openshift.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: Route
metadata:
name: neuvector-route-webui
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
{{- if .Values.manager.route.host }}
host: {{ .Values.manager.route.host }}
{{- end }}
to:
kind: Service
name: neuvector-service-webui
port:
targetPort: manager
tls:
termination: {{ .Values.manager.route.termination }}
{{- end }}
{{- end -}}

View File

@ -0,0 +1,26 @@
{{- if .Values.manager.enabled -}}
apiVersion: v1
kind: Service
metadata:
name: neuvector-service-webui
namespace: {{ .Release.Namespace }}
{{- with .Values.manager.svc.annotations }}
annotations:
{{ toYaml . | indent 4 }}
{{- end }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
type: {{ .Values.manager.svc.type }}
{{- if and .Values.manager.svc.loadBalancerIP (eq .Values.manager.svc.type "LoadBalancer") }}
loadBalancerIP: {{ .Values.manager.svc.loadBalancerIP }}
{{- end }}
ports:
- port: 8443
name: manager
protocol: TCP
selector:
app: neuvector-manager-pod
{{- end }}
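Review bot: `type: {{ .Values.manager.svc.type }}` defaults to `NodePort` in values.yaml, so a default install publishes the management UI on a high port of every node, outside whatever ingress or route policy the cluster applies. Prefer `ClusterIP` as the default and let operators opt into `NodePort` or `LoadBalancer`, or into the Ingress and Route templates this chart already ships; the `loadBalancerIP` guard conditioned on the `LoadBalancer` type is fine as written.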

View File

@ -0,0 +1,77 @@
{{- if .Values.psp -}}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: neuvector-binding-psp
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
labels:
chart: {{ template "neuvector.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
privileged: true
readOnlyRootFilesystem: false
allowPrivilegeEscalation: true
allowedCapabilities:
- SYS_ADMIN
- NET_ADMIN
- SYS_PTRACE
- IPC_LOCK
requiredDropCapabilities:
- ALL
volumes:
- '*'
hostNetwork: true
hostPorts:
- min: 0
max: 65535
hostIPC: true
hostPID: true
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: neuvector-binding-psp
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
rules:
- apiGroups:
- policy
- extensions
resources:
- podsecuritypolicies
verbs:
- use
resourceNames:
- neuvector-binding-psp
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: neuvector-binding-psp
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: neuvector-binding-psp
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
{{- end }}
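Review bot: the PodSecurityPolicy allows more than any template on this page asks for: `hostNetwork: true`, `hostIPC: true`, `hostPorts` 0 to 65535 and `volumes: ['*']`, while the enforcer needs only `hostPID` plus its four `hostPath` mounts and the manager, scanner and updater need none of it. Since the Role below grants `use` on this single policy to the shared service account, every pod running under that account may request the full set; narrow the policy to what the enforcer uses, or ship a second, restrictive PSP for the non-privileged components. The combination `requiredDropCapabilities: [ALL]` with an `allowedCapabilities` list and `privileged: true` also deserves a comment: on Docker and containerd a privileged container gets the full capability set regardless of drops, so the drop list constrains nothing for the enforcer. Finally, `policy/v1beta1` PodSecurityPolicy is deprecated since Kubernetes 1.21 and removed in 1.25, and the chart already version-gates on 1.21 elsewhere, so a note on the migration path (Pod Security admission or an external admission controller) belongs here.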

View File

@ -0,0 +1,25 @@
{{- if and .Values.controller.enabled .Values.controller.pvc.enabled -}}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: neuvector-data
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
accessModes:
{{ toYaml .Values.controller.pvc.accessModes | indent 4 }}
volumeMode: Filesystem
{{- if .Values.controller.pvc.storageClass }}
storageClassName: {{ .Values.controller.pvc.storageClass }}
{{- end }}
resources:
requests:
{{- if .Values.controller.pvc.capacity }}
storage: {{ .Values.controller.pvc.capacity }}
{{- else }}
storage: 1Gi
{{- end }}
{{- end }}

View File

@ -0,0 +1,31 @@
{{- $oc4 := and .Values.openshift (semverCompare ">=1.12-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- $oc3 := and .Values.openshift (not $oc4) (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) -}}
{{- if $oc3 }}
apiVersion: authorization.openshift.io/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: rbac.authorization.k8s.io/v1
{{- else }}
apiVersion: v1
{{- end }}
kind: RoleBinding
metadata:
name: neuvector-admin
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
roleRef:
{{- if not $oc3 }}
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
{{- end }}
name: admin
subjects:
- kind: ServiceAccount
name: {{ .Values.serviceAccount }}
namespace: {{ .Release.Namespace }}
{{- if $oc3 }}
userNames:
- system:serviceaccount:{{ .Release.Namespace }}:{{ .Values.serviceAccount }}
{{- end }}
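Review bot: this RoleBinding grants the built-in `admin` ClusterRole in the release namespace to `.Values.serviceAccount`, which values.yaml sets to `default`; with the default install every pod in the namespace that does not name its own service account inherits namespace admin, and that same account is bound cluster-wide to the NeuVector CRD ClusterRoles and mounted into the privileged enforcer DaemonSet. Have the chart create a dedicated ServiceAccount (a `serviceaccount.yaml` with `create`/`name` values is the usual shape) and bind that instead, and consider a narrower Role than `admin`: the only in-cluster write visible on this page is the PATCH on `deployments/neuvector-scanner-pod` issued from the updater's postStart hook. The `$oc4` variable is computed only to negate it inside `$oc3`; that is fine, but a one-line comment on the OpenShift 3 versus 4 split would help.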

View File

@ -0,0 +1,70 @@
{{- if .Values.cve.scanner.enabled -}}
{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: apps/v1
{{- else }}
apiVersion: extensions/v1beta1
{{- end }}
kind: Deployment
metadata:
name: neuvector-scanner-pod
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
spec:
strategy:
{{ toYaml .Values.cve.scanner.strategy | indent 4 }}
replicas: {{ .Values.cve.scanner.replicas }}
selector:
matchLabels:
app: neuvector-scanner-pod
template:
metadata:
labels:
app: neuvector-scanner-pod
spec:
{{- if .Values.cve.scanner.affinity }}
affinity:
{{ toYaml .Values.cve.scanner.affinity | indent 8 }}
{{- end }}
{{- if .Values.cve.scanner.tolerations }}
tolerations:
{{ toYaml .Values.cve.scanner.tolerations | indent 8 }}
{{- end }}
{{- if .Values.cve.scanner.nodeSelector }}
nodeSelector:
{{ toYaml .Values.cve.scanner.nodeSelector | indent 8 }}
{{- end }}
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.imagePullSecrets }}
{{- end }}
{{- if .Values.cve.scanner.priorityClassName }}
priorityClassName: {{ .Values.cve.scanner.priorityClassName }}
{{- end }}
serviceAccountName: {{ .Values.serviceAccount }}
serviceAccount: {{ .Values.serviceAccount }}
containers:
- name: neuvector-scanner-pod
{{ if eq .Values.registry "registry.neuvector.com" }}
{{ if .Values.oem }}
image: "{{ .Values.registry }}/{{ .Values.oem }}/scanner:{{ .Values.cve.scanner.image.tag }}"
{{- else }}
image: "{{ .Values.registry }}/scanner:{{ .Values.cve.scanner.image.tag }}"
{{- end }}
{{- else }}
image: "{{ .Values.registry }}/{{ .Values.cve.scanner.image.repository }}:{{ .Values.cve.scanner.image.tag }}"
{{- end }}
imagePullPolicy: Always
env:
- name: CLUSTER_JOIN_ADDR
value: neuvector-svc-controller.{{ .Release.Namespace }}
{{- if .Values.cve.scanner.dockerPath }}
- name: SCANNER_DOCKER_URL
value: {{ .Values.cve.scanner.dockerPath }}
{{- end }}
resources:
{{ toYaml .Values.cve.scanner.resources | indent 12 }}
restartPolicy: Always
{{- end }}
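Review bot: `cve.scanner.image.tag` defaults to `latest` in values.yaml and this container sets `imagePullPolicy: Always`, so every restart, including the one the updater CronJob triggers, may pull a different image without any change to the chart. If that is how CVE database updates are delivered, state it in a comment here; operators who mirror into an internal registry also need a way to pin a digest, which a `latest` tag cannot express. The pod template labels carry only `app:` while every other template on the page also sets `release: {{ .Release.Name }}`; add it for consistency with the selectors and labels elsewhere.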

View File

@ -0,0 +1,69 @@
{{- if .Values.cve.updater.enabled -}}
{{- if (semverCompare ">=1.21-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: batch/v1
{{- else if (semverCompare ">=1.8-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
apiVersion: batch/v1beta1
{{- else }}
apiVersion: batch/v2alpha1
{{- end }}
kind: CronJob
metadata:
name: neuvector-updater-pod
namespace: {{ .Release.Namespace }}
labels:
chart: {{ template "neuvector.chart" . }}
release: {{ .Release.Name }}
heritage: {{ .Release.Service }}
spec:
schedule: {{ .Values.cve.updater.schedule | quote }}
jobTemplate:
spec:
template:
metadata:
labels:
app: neuvector-updater-pod
release: {{ .Release.Name }}
spec:
{{- if .Values.imagePullSecrets }}
imagePullSecrets:
- name: {{ .Values.imagePullSecrets }}
{{- end }}
{{- if .Values.cve.updater.priorityClassName }}
priorityClassName: {{ .Values.cve.updater.priorityClassName }}
{{- end }}
serviceAccountName: {{ .Values.serviceAccount }}
serviceAccount: {{ .Values.serviceAccount }}
containers:
- name: neuvector-updater-pod
{{ if eq .Values.registry "registry.neuvector.com" }}
{{ if .Values.oem }}
image: "{{ .Values.registry }}/{{ .Values.oem }}/updater:{{ .Values.cve.updater.image.tag }}"
{{- else }}
image: "{{ .Values.registry }}/updater:{{ .Values.cve.updater.image.tag }}"
{{- end }}
{{- else }}
image: "{{ .Values.registry }}/{{ .Values.cve.updater.image.repository }}:{{ .Values.cve.updater.image.tag }}"
{{- end }}
imagePullPolicy: Always
{{- if .Values.cve.scanner.enabled }}
lifecycle:
postStart:
exec:
command:
- /bin/sh
- -c
{{- if (semverCompare ">=1.9-0" (substr 1 -1 .Capabilities.KubeVersion.GitVersion)) }}
{{- if .Values.cve.updater.secure }}
- /usr/bin/curl -v -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod'
{{- else }}
- /usr/bin/curl -kv -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/apps/v1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod'
{{- end }}
{{- else }}
- /usr/bin/curl -kv -X PATCH -H "Authorization:Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -H "Content-Type:application/strategic-merge-patch+json" -d '{"spec":{"template":{"metadata":{"annotations":{"kubectl.kubernetes.io/restartedAt":"'`date +%Y-%m-%dT%H:%M:%S%z`'"}}}}}' 'https://kubernetes.default/apis/extensions/v1beta1/namespaces/{{ .Release.Namespace }}/deployments/neuvector-scanner-pod'
{{- end }}
{{- end }}
env:
- name: CLUSTER_JOIN_ADDR
value: neuvector-svc-controller.{{ .Release.Namespace }}
restartPolicy: Never
{{- end }}
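Review bot: with `cve.updater.secure` defaulting to `false`, the postStart hook calls the API server with `curl -kv`, that is, without verifying the server certificate while presenting the pod's service-account bearer token. The cluster CA is already mounted at `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`, so the non-secure branch should pass `--cacert` on that file instead of `-k`, and `secure: true` should be the default; if the flag exists for clusters with a broken CA bundle, say so in values.yaml. Drop `-v` in all three variants as well, since verbose mode echoes the outgoing request headers, including `Authorization:Bearer`, into the hook output. The three curl lines differ only in `-k` and the API group in the URL; computing the URL and the TLS flag into variables first would make the difference reviewable and remove the copy-paste risk.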

View File

@ -0,0 +1,287 @@
# Default values for neuvector.
# This is a YAML-formatted file.
# Declare variables to be passed into the templates.
openshift: false
registry: registry.neuvector.com
tag: 4.4.3
oem:
imagePullSecrets:
psp: false
serviceAccount: default
controller:
# If false, controller will not be installed
enabled: true
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
image:
repository: neuvector/controller
replicas: 3
disruptionbudget: 0
schedulerName:
priorityClassName:
env: []
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app
operator: In
values:
- neuvector-controller-pod
topologyKey: "kubernetes.io/hostname"
tolerations: []
nodeSelector: {}
# key1: value1
# key2: value2
apisvc:
type:
annotations: {}
# OpenShift Route configuration
route:
enabled: false
termination: passthrough
host:
pvc:
enabled: false
accessModes:
- ReadWriteMany
storageClass:
capacity:
azureFileShare:
enabled: false
secretName:
shareName:
certificate:
secret:
keyFile: tls.key
pemFile: tls.pem
federation:
mastersvc:
type:
# Federation Master Ingress
ingress:
enabled: false
host: # MUST be set, if ingress is enabled
path: "/" # or this could be "/api", but might need "rewrite-target" annotation
annotations:
ingress.kubernetes.io/protocol: https
# ingress.kubernetes.io/rewrite-target: /
tls: false
secretName:
# OpenShift Route configuration
route:
enabled: false
termination: passthrough
host:
managedsvc:
type:
# Federation Managed Ingress
ingress:
enabled: false
host: # MUST be set, if ingress is enabled
path: "/" # or this could be "/api", but might need "rewrite-target" annotation
annotations:
ingress.kubernetes.io/protocol: https
# ingress.kubernetes.io/rewrite-target: /
tls: false
secretName:
# OpenShift Route configuration
route:
enabled: false
termination: passthrough
host:
ingress:
enabled: false
host: # MUST be set, if ingress is enabled
path: "/" # or this could be "/api", but might need "rewrite-target" annotation
annotations:
ingress.kubernetes.io/protocol: https
# ingress.kubernetes.io/rewrite-target: /
tls: false
secretName:
resources: {}
# limits:
# cpu: 400m
# memory: 2792Mi
# requests:
# cpu: 100m
# memory: 2280Mi
configmap:
enabled: false
data:
# eulainitcfg.yaml: |
# ...
# ldapinitcfg.yaml: |
# ...
# oidcinitcfg.yaml: |
# ...
# samlinitcfg.yaml: |
# ...
# sysinitcfg.yaml: |
# ...
# userinitcfg.yaml: |
# ...
secret:
# NOTE: files defined here have preferrence over the ones defined in the configmap section
enabled: false
data: {}
# eulainitcfg.yaml:
# license_key: 0Bca63Iy2FiXGqjk...
# ...
# ldapinitcfg.yaml:
# directory: OpenLDAP
# ...
# oidcinitcfg.yaml:
# Issuer: https://...
# ...
# samlinitcfg.yaml:
# ...
# sysinitcfg.yaml:
# ...
# userinitcfg.yaml:
# ...
enforcer:
# If false, enforcer will not be installed
enabled: true
image:
repository: neuvector/enforcer
priorityClassName:
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
resources: {}
# limits:
# cpu: 400m
# memory: 2792Mi
# requests:
# cpu: 100m
# memory: 2280Mi
manager:
# If false, manager will not be installed
enabled: true
image:
repository: neuvector/manager
priorityClassName:
env:
ssl: true
svc:
type: NodePort
loadBalancerIP:
annotations: {}
# azure
# service.beta.kubernetes.io/azure-load-balancer-internal: "true"
# service.beta.kubernetes.io/azure-load-balancer-internal-subnet: "apps-subnet"
# OpenShift Route configuration
route:
enabled: true
termination: passthrough
host:
certificate:
secret:
keyFile: tls.key
pemFile: tls.pem
ingress:
enabled: false
host: # MUST be set, if ingress is enabled
path: "/"
annotations: {}
# kubernetes.io/ingress.class: my-nginx
# nginx.ingress.kubernetes.io/whitelist-source-range: "1.1.1.1"
# nginx.ingress.kubernetes.io/rewrite-target: /
# nginx.ingress.kubernetes.io/enable-rewrite-log: "true"
# only for end-to-end tls conf - ingress-nginx accepts backend self-signed cert
# nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
tls: false
secretName: # my-tls-secret
resources: {}
# limits:
# cpu: 400m
# memory: 2792Mi
# requests:
# cpu: 100m
# memory: 2280Mi
affinity: {}
tolerations: []
nodeSelector: {}
# key1: value1
# key2: value2
cve:
updater:
# If false, cve updater will not be installed
enabled: true
secure: false
image:
repository: neuvector/updater
tag: latest
schedule: "0 0 * * *"
priorityClassName:
scanner:
enabled: true
replicas: 3
dockerPath: ""
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
image:
repository: neuvector/scanner
tag: latest
priorityClassName:
resources: {}
# limits:
# cpu: 400m
# memory: 2792Mi
# requests:
# cpu: 100m
# memory: 2280Mi
affinity: {}
tolerations: []
nodeSelector: {}
# key1: value1
# key2: value2
docker:
path: /var/run/docker.sock
resources: {}
# limits:
# cpu: 400m
# memory: 2792Mi
# requests:
# cpu: 100m
# memory: 2280Mi
k3s:
enabled: false
runtimePath: /run/k3s/containerd/containerd.sock
bottlerocket:
enabled: false
runtimePath: /run/dockershim.sock
containerd:
enabled: false
path: /var/run/containerd/containerd.sock
crio:
enabled: false
path: /var/run/crio/crio.sock
admissionwebhook:
type: ClusterIP
crdwebhook:
enabled: true
type: ClusterIP
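Review bot: several defaults in this values file choose the weakest option, and the comments do not say so: `serviceAccount: default` (namespace admin and cluster CRD rights for a shared account), `psp: false`, `cve.updater.secure: false` (API calls without certificate verification) and `manager.svc.type: NodePort` (UI exposed on every node). Each should either get a safer default or a comment stating the trade-off so an operator reading only this file can decide. Minor: `preferrence` in the secret section comment should be `preference`, and `controller.configmap.data:` is left as a bare key, which renders as null if the section is enabled without files.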

View File

@ -0,0 +1,32 @@
annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Portworx
catalog.cattle.io/release-name: portworx
apiVersion: v1
appVersion: "2.8"
description: A Helm chart for installing Portworx on Kubernetes.
home: https://portworx.com/
icon: https://raw.githubusercontent.com/portworx/helm/master/doc/media/k8s-porx.png
keywords:
- Storage
- ICP
- persistent disk
- pvc
- cloud native storage
- persistent storage
- portworx
- amd64
kubeVersion: '>=1.16.0'
maintainers:
- email: hadesai@purestorage.com
name: harsh-px
- email: onaumov@purestorage.com
name: trierra
- email: tasharma@purestorage.com
name: sharma-tapas
- email: dahuang@purestorage.com
name: dahuang-purestorage
name: portworx
sources:
- https://github.com/portworx/charts-rancher/tree/master/stable
version: 2.8.100
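Review bot: `kubeVersion: '>=1.16.0'` lacks the `-0` pre-release suffix, so Helm's semver check rejects clusters whose server version carries a pre-release tag, as managed distributions commonly report (for example a `v1.20.x-gke.y` or `-eks-` suffix); write it as `'>=1.16.0-0'` so pre-release builds of qualifying versions are accepted. The other chart in this PR uses the suffixed form, so this looks like an oversight rather than a policy.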

View File

@ -0,0 +1,76 @@
# Portworx
## **Pre-requisites**
Use this Helm chart to deploy [Portworx](https://portworx.com/) and [Stork](https://docs.portworx.com/scheduler/kubernetes/stork.html) to your Kubernetes cluster.
Prerequisites
Refer to the [Install Portworx on Kubernetes via Helm](https://docs.portworx.com/portworx-install-with-kubernetes/install-px-helm/#pre-requisites) page for the list of prerequisites.
## **Limitations**
* The portworx helm chart can only be deployed in the kube-system namespace. Hence use "kube-system" in the "Target namespace" during configuration.
## **Uninstalling the Chart**
#### You can uninstall Portworx using one of the following methods:
#### **1. Delete all the Kubernetes components associated with the chart and the release.**
> **Note** > The Portworx configuration files under `/etc/pwx/` directory are preserved, and will not be deleted.
To perform this operation simply delete the application from the Apps page
#### **2. Wipe your Portworx installation**
> **Note** > The commands in this section are disruptive and will lead to data loss. Please use caution..
See more details [here](https://docs.portworx.com/portworx-install-with-kubernetes/install-px-helm/#uninstall)
## **Documentation**
* [Portworx docs site](https://docs.portworx.com/install-with-other/rancher/rancher-2.x/#step-1-install-rancher)
* [Portworx interactive tutorials](https://docs.portworx.com/scheduler/kubernetes/px-k8s-interactive.html)
## **Installing the Chart using the CLI**
See the installation details [here](https://docs.portworx.com/portworx-install-with-kubernetes/install-px-helm/)
## **Installing Portworx on AWS**
See the installation details [here](https://docs.portworx.com/cloud-references/auto-disk-provisioning/aws)
## ** Giving your etcd certificates to Portworx using Kubernetes Secrets.**
This is the recommended way of providing etcd certificates, as the certificates will be automatically available to the new nodes joining the cluster
* Create Kubernetes secret
* Copy all your etcd certificates and key in a directory etcd-secrets/ to create a Kubernetes secret from it. Make sure the file names are the same as you gave above.
```
# ls -1 etcd-secrets/
etcd-ca.crt
etcd.crt
etcd.key
```
* Use kubectl to create the secret named px-etcd-certs from the above files:
```
# kubectl -n kube-system create secret generic px-etcd-certs --from-file=etcd-secrets/
```
* Notice that the secret has 3 keys etcd-ca.crt, etcd.crt and etcd.key, corresponding to file names in the etcd-secrets folder. We will use these keys in the Portworx spec file to reference the certificates.
```
# kubectl -n kube-system describe secret px-etcd-certs
Name: px-etcd-certs
Namespace: kube-system
Labels: <none>
Annotations: <none>
Type: Opaque
Data
====
etcd-ca.crt: 1679 bytes
etcd.crt: 1680 bytes
etcd.key: 414 bytes
```
Once above secret is created, proceed to the next steps.
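Review bot: the README has a few documentation defects. The bare line `Prerequisites` directly under the `## **Pre-requisites**` heading is a duplicate and should go; `## ** Giving your etcd certificates ...**` has a stray space after the opening `**`, which breaks the bold rendering; `Please use caution..` has a doubled period; and `Make sure the file names are the same as you gave above` refers to nothing earlier in this file, since the names are supplied through the chart questions (`etcd.ca`, `etcd.cert`, `etcd.key`), so point the reader there explicitly. The shell blocks are unlabelled fences; tagging them `console` would match the rest of the repository.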

View File

@ -0,0 +1,8 @@
# Portworx
[Portworx](https://portworx.com/) is a software defined storage overlay that allows you to
* Run containerized stateful applications that are highly-available (HA) across multiple nodes, cloud instances, regions, data centers or even clouds
* Migrate workflows between multiple clusters running across same or hybrid clouds
* Run hyperconverged workloads where the data resides on the same host as the applications
* Have programmatic control on your storage resources

View File

@ -0,0 +1 @@
etcdType: Built-in

View File

@ -0,0 +1,915 @@
categories:
- storage
namespace: kube-system
labels:
io.rancher.certified: partner
questions:
################################### KVDB options ################################
- variable: etcdType
label: "Select ETCD"
type: enum
required: true
group: "Key value store parameters (Required)"
options:
- "Provide your own etcd"
- "Built-in"
# ------ "Provide your own etcd" ------
- variable: ownEtcdOption
show_if: "etcdType=Provide your own etcd"
label: "Select one of 2 options for your ETCD cluster"
type: enum
required: true
group: "Key value store parameters (Required)"
options:
- "Your etcd details"
- "Portworx hosted (for PoCs only)"
- variable: etcdAuth
show_if: "ownEtcdOption=Your etcd details&&etcdType=Provide your own etcd"
label: "Select an auth option for your ETCD cluster"
type: enum
default: "Disable HTTPS"
required: true
group: "Key value store parameters (Required)"
options:
- "Disable HTTPS"
- "Certificate Auth"
- "Password Auth"
- variable: region
show_if: "ownEtcdOption=Portworx hosted (for PoCs only)"
label: "Select region"
type: enum
required: true
group: "Key value store parameters (Required)"
options:
- "US region"
- "EU region"
# kvdb endpoint
- variable: kvdb
show_if: "ownEtcdOption=Your etcd details"
description: "Enter your etcd or Consul endpoints separated by semicolons. Use the following as an example: etcd://myetc1.company.com:2379;etcd://myetc2.company.com.2379. Note: If the `etcdAuth` key is set to 'Disable HTTPS', you must provide HTTP endpoints."
type: string
label: "Endpoint address"
required: true
group: "Key value store parameters (Required)"
- variable: etcd.ca
show_if: "etcdAuth=Certificate Auth"
description: "Name of CA file for ETCD authentication. Example: etcd-ca.crt. Follow https://docs.portworx.com/scheduler/kubernetes/etcd-certs-using-secrets.html to create a Kubernetes secret for the etcd certs."
type: string
required: true
label: "ETCD CA file"
group: "Key value store security Parameters (Details in README)"
- variable: etcd.cert
show_if: "etcdAuth=Certificate Auth"
description: "Name of certificate for ETCD authentication. Example: etcd.crt"
type: string
required: true
label: "ETCD cert file"
group: "Key value store security Parameters (Details in README)"
- variable: etcd.key
show_if: "etcdAuth=Certificate Auth"
description: "Name of certificate key for ETCD authentication Example: etcd.key"
type: string
required: true
label: "ETCD cert key file"
group: "Key value store security Parameters (Details in README)"
- variable: etcd.credentials
show_if: "etcdAuth=Password Auth"
description: "Username and password for ETCD authentication in the form user:password. Not needed if using certificates."
type: string
required: true
label: "ETCD credentials"
group: "Key value store security Parameters (Details in README)"
################################### Storage options ################################
- variable: environment
description: "Select your environment"
label: "Environment"
type: enum
default: "OnPrem"
required: true
group: "Storage Parameters"
options:
- "OnPrem"
- "Cloud"
- variable: provider
show_if: "environment=Cloud"
description: "Select cloud platform"
label: "Cloud provider"
type: enum
required: true
group: "Storage Parameters"
options:
- "AWS"
- "Google cloud/GKE"
- variable: onpremStorage
show_if: "environment=OnPrem"
type: enum
default: "Automatically scan disks"
label: "Select type of OnPrem storage"
group: "Storage Parameters"
required: true
options:
- "Automatically scan disks"
- "Manually specify disks"
- variable: deviceConfig
show_if: "environment=Cloud"
description: "If you plan to use EC2 instance storage or plan to manage EBS volumes your own way, select 'Consume unused' or 'Use Existing disks'."
label: "Select a type of disk"
type: enum
default: "Create Using a Spec"
required: true
group: "Storage Parameters"
options:
- "Create Using a Spec"
- "Consume Unused"
- "Use Existing Disks"
-
- variable: journalDevice
description: "This allows PX to create its own journal partition on the best drive to absorb PX metadata writes. Journal writes are small with frequent syncs and hence a separate journal partition will enable better performance. Use value 'auto' if you want Portworx to create it's own journal partition."
type: string
label: "Journal Device"
group: "Storage Parameters"
############ Consume unused ##############
- variable: usedrivesAndPartitions
show_if: "deviceConfig=Consume Unused||onpremStorage=Automatically scan disks"
label: "Use unmounted drives and partitions"
descrition: "Use unmounted disks even if they have a partition or filesystem on it. PX will never use a drive or partition that is mounted."
type: boolean
default: false
group: "Storage Parameters"
############ Use Exising Disks ##############
- variable: existingDisk1
show_if: "deviceConfig=Use Existing Disks||onpremStorage=Manually specify disks"
label: "Drive/Device1"
description: "Enter the block/device name; eg: /dev/sda"
type: string
required: true
group: "Storage Parameters"
- variable: addExistingDisk2
show_if: "deviceConfig=Use Existing Disks||onpremStorage=Manually specify disks"
label: "Add another drive?"
type: boolean
default: false
group: "Storage Parameters"
- variable: existingDisk2
show_if: "addExistingDisk2=true"
label: "Drive/Device2"
description: "Enter the block/device name; eg: /dev/sda"
type: string
required: true
group: "Storage Parameters"
- variable: addExistingDisk3
show_if: "addExistingDisk2=true"
label: "Add another drive?"
type: boolean
default: false
group: "Storage Parameters"
- variable: existingDisk3
show_if: "addExistingDisk3=true"
label: "Drive/Device3"
description: "Enter the block/device name; eg: /dev/sda"
type: string
required: true
group: "Storage Parameters"
- variable: addExistingDisk4
show_if: "addExistingDisk3=true"
label: "Add another drive?"
type: boolean
default: false
group: "Storage Parameters"
- variable: existingDisk4
show_if: "addExistingDisk4=true"
label: "Drive/Device4"
description: "Enter the block/device name; eg: /dev/sda"
type: string
required: true
group: "Storage Parameters"
- variable: addExistingDisk5
show_if: "addExistingDisk4=true"
label: "Add another drive?"
type: boolean
default: false
group: "Storage Parameters"
- variable: existingDisk5
show_if: "addExistingDisk5=true"
label: "Drive/Device5"
description: "Enter the block/device name; eg: /dev/sda"
type: string
required: true
group: "Storage Parameters"
##################################################### Cloud ################################
##################################################### AWS ################################
### Section 1 AWS
- variable: drive_1.aws.type
show_if: "provider=AWS&&deviceConfig=Create Using a Spec"
description: "Select the type of EBS volume"
label: "EBS volume"
type: enum
default: "GP2"
required: true
show_subquestion_if: "IO1"
group: "Storage Parameters"
options:
- "GP2"
- "IO1"
subquestions:
- variable: drive_1.aws.iops
required: true
description: "*IOPS required from EBS volume"
type: int
label: IOPS
- variable: drive_1.aws.size
show_if: "provider=AWS&&deviceConfig=Create Using a Spec"
description: "Volume size"
label: "Size"
type: int
default: 150
required: true
group: "Storage Parameters"
### Section 2 AWS
- variable: addEBSDrive_2
show_if: "provider=AWS&&deviceConfig=Create Using a Spec"
label: "Add another drive?"
type: boolean
default: false
group: "Storage Parameters"
- variable: drive_2.aws.type
show_if: "addEBSDrive_2=true"
description: "Select the type of EBS volume"
label: "EBS volume"
type: enum
required: true
show_subquestion_if: "IO1"
group: "Storage Parameters"
options:
- "GP2"
- "IO1"
subquestions:
- variable: drive_2.aws.iops
required: true
description: "*IOPS required from EBS volume"
type: int
label: IOPS
- variable: drive_2.aws.size
show_if: "addEBSDrive_2=true"
description: "Volume size"
label: "Size"
type: int
required: true
group: "Storage Parameters"
### Section 3 AWS
- variable: addEBSDrive_3
show_if: "addEBSDrive_2=true"
label: "Add another drive?"
type: boolean
default: false
group: "Storage Parameters"
- variable: drive_3.aws.type
show_if: "addEBSDrive_3=true"
description: "Select the type of EBS volume"
label: "EBS volume"
type: enum
required: true
show_subquestion_if: "IO1"
group: "Storage Parameters"
options:
- "GP2"
- "IO1"
subquestions:
- variable: drive_3.aws.iops
required: true
description: "*IOPS required from EBS volume"
type: int
label: IOPS
- variable: drive_3.aws.size
show_if: "addEBSDrive_3=true"
description: "Volume size"
label: "Size"
type: int
required: true
group: "Storage Parameters"
### Section 4 AWS
- variable: addEBSDrive_4
show_if: "addEBSDrive_3=true"
label: "Add another drive?"
type: boolean
default: false
group: "Storage Parameters"
- variable: drive_4.aws.type
show_if: "addEBSDrive_4=true"
description: "Select the type of EBS volume"
label: "EBS volume"
type: enum
required: true
show_subquestion_if: "IO1"
group: "Storage Parameters"
options:
- "GP2"
- "IO1"
subquestions:
- variable: drive_4.aws.iops
required: true
description: "*IOPS required from EBS volume"
type: int
label: IOPS
- variable: drive_4.aws.size
show_if: "addEBSDrive_4=true"
description: "Volume size"
label: "Size"
required: true
type: int
group: "Storage Parameters"
### Section 5 AWS
- variable: addEBSDrive_5
show_if: "addEBSDrive_4=true"
label: "Add another drive?"
type: boolean
default: false
group: "Storage Parameters"
- variable: drive_5.aws.type
show_if: "addEBSDrive_5=true"
description: "Select the type of EBS volume"
label: "EBS volume"
type: enum
required: true
show_subquestion_if: "IO1"
group: "Storage Parameters"
options:
- "GP2"
- "IO1"
subquestions:
- variable: drive_5.aws.iops
required: true
description: "*IOPS required from EBS volume"
type: int
label: IOPS
- variable: drive_5.aws.size
show_if: "addEBSDrive_5=true"
description: "Volume size"
label: "Size"
required: true
type: int
group: "Storage Parameters"
### Section 6 AWS
- variable: addEBSDrive_6
show_if: "addEBSDrive_5=true"
label: "Add another drive?"
type: boolean
default: false
group: "Storage Parameters"
- variable: drive_6.aws.type
show_if: "addEBSDrive_6=true"
description: "Select the type of EBS volume"
label: "EBS volume"
type: enum
required: true
show_subquestion_if: "IO1"
group: "Storage Parameters"
options:
- "GP2"
- "IO1"
subquestions:
- variable: drive_6.aws.iops
required: true
description: "*IOPS required from EBS volume"
type: int
label: IOPS
- variable: drive_6.aws.size
show_if: "addEBSDrive_6=true"
description: "Volume size"
label: "Size"
required: true
type: int
group: "Storage Parameters"
### Section 7 AWS
- variable: addEBSDrive_7
show_if: "addEBSDrive_6=true"
label: "Add another drive?"
type: boolean
default: false
group: "Storage Parameters"
- variable: drive_7.aws.type
show_if: "addEBSDrive_7=true"
description: "Select the type of EBS volume"
label: "EBS volume"
type: enum
required: true
show_subquestion_if: "IO1"
group: "Storage Parameters"
options:
- "GP2"
- "IO1"
subquestions:
- variable: drive_7.aws.iops
required: true
description: "*IOPS required from EBS volume"
type: int
label: IOPS
- variable: drive_7.aws.size
show_if: "addEBSDrive_7=true"
description: "Volume size"
label: "Size"
required: true
type: int
group: "Storage Parameters"
### Section 8 AWS
- variable: addEBSDrive_8
show_if: "addEBSDrive_7=true"
label: "Add another drive?"
type: boolean
default: false
group: "Storage Parameters"
- variable: drive_8.aws.type
show_if: "addEBSDrive_8=true"
description: "Select the type of EBS volume"
label: "EBS volume"
type: enum
required: true
show_subquestion_if: "IO1"
group: "Storage Parameters"
options:
- "GP2"
- "IO1"
subquestions:
- variable: drive_8.aws.iops
required: true
description: "*IOPS required from EBS volume"
type: int
label: IOPS
- variable: drive_8.aws.size
show_if: "addEBSDrive_8=true"
description: "Volume size"
label: "Size"
required: true
type: int
group: "Storage Parameters"
### Section 9 AWS
- variable: addEBSDrive_9
show_if: "addEBSDrive_8=true"
label: "Add another drive?"
type: boolean
default: false
group: "Storage Parameters"
- variable: drive_9.aws.type
show_if: "addEBSDrive_9=true"
description: "Select the type of EBS volume"
label: "EBS volume"
type: enum
required: true
show_subquestion_if: "IO1"
group: "Storage Parameters"
options:
- "GP2"
- "IO1"
subquestions:
- variable: drive_9.aws.iops
required: true
description: "*IOPS required from EBS volume"
type: int
label: IOPS
- variable: drive_9.aws.size
show_if: "addEBSDrive_9=true"
description: "Volume size"
label: "Size"
required: true
type: int
group: "Storage Parameters"
### Section 10 AWS
- variable: addEBSDrive_10
show_if: "addEBSDrive_9=true"
label: "Add another drive?"
type: boolean
default: false
group: "Storage Parameters"
- variable: drive_10.aws.type
show_if: "addEBSDrive_10=true"
description: "Select the type of EBS volume"
label: "EBS volume"
type: enum
required: true
show_subquestion_if: "IO1"
group: "Storage Parameters"
options:
- "GP2"
- "IO1"
subquestions:
- variable: drive_10.aws.iops
required: true
description: "*IOPS required from EBS volume"
type: int
label: IOPS
- variable: drive_10.aws.size
show_if: "addEBSDrive_10=true"
description: "Volume size"
label: "Size"
required: true
type: int
group: "Storage Parameters"
##################################################### GOOGLE CLOUD ################################
#### Section 1 GC
- variable: drive_1.gc.type
show_if: "provider=Google cloud/GKE&&deviceConfig=Create Using a Spec"
description: "Select volume type"
label: "Volume"
type: enum
default: "standard"
required: true
group: "Storage Parameters"
options:
- "standard"
- "ssd"
- variable: drive_1.gc.size
show_if: "provider=Google cloud/GKE&&deviceConfig=Create Using a Spec"
description: "Volume size"
label: "Size"
type: int
default: 150
required: true
group: "Storage Parameters"
#### Section 2 GC
- variable: addGCDrive_2
show_if: "provider=Google cloud/GKE&&deviceConfig=Create Using a Spec"
label: "Add another drive?"
type: boolean
default: false
group: "Storage Parameters"
- variable: drive_2.gc.type
show_if: "addGCDrive_2=true"
description: "Select volume type"
label: "Volume"
type: enum
required: true
group: "Storage Parameters"
options:
- "standard"
- "ssd"
- variable: drive_2.gc.size
show_if: "addGCDrive_2=true"
description: "Volume size"
label: "Size"
type: int
required: true
group: "Storage Parameters"
#### Section 3 GC
- variable: addGCDrive_3
show_if: "addGCDrive_2=true"
label: "Add another drive?"
type: boolean
default: false
group: "Storage Parameters"
- variable: drive_3.gc.type
show_if: "addGCDrive_3=true"
description: "Select volume type"
label: "Volume"
type: enum
required: true
group: "Storage Parameters"
options:
- "standard"
- "ssd"
- variable: drive_3.gc.size
show_if: "addGCDrive_3=true"
description: "Volume size"
label: "Size"
type: int
required: true
group: "Storage Parameters"
#### Section 4 GC
- variable: addGCDrive_4
show_if: "addGCDrive_3=true"
label: "Add another drive?"
type: boolean
default: false
group: "Storage Parameters"
- variable: drive_4.gc.type
show_if: "addGCDrive_4=true"
description: "Select volume type"
label: "Volume"
type: enum
required: true
group: "Storage Parameters"
options:
- "standard"
- "ssd"
- variable: drive_4.gc.size
show_if: "addGCDrive_4=true"
description: "Volume size"
label: "Size"
type: int
required: true
group: "Storage Parameters"
#### Section 5 GC
- variable: addGCDrive_5
show_if: "addGCDrive_4=true"
label: "Add another drive?"
type: boolean
default: false
group: "Storage Parameters"
- variable: drive_5.gc.type
show_if: "addGCDrive_5=true"
description: "Select volume type"
label: "Volume"
type: enum
required: true
group: "Storage Parameters"
options:
- "standard"
- "ssd"
- variable: drive_5.gc.size
show_if: "addGCDrive_5=true"
description: "Volume size"
label: "Size"
type: int
required: true
group: "Storage Parameters"
#### Section 6 GC
- variable: addGCDrive_6
show_if: "addGCDrive_5=true"
label: "Add another drive?"
type: boolean
default: false
group: "Storage Parameters"
- variable: drive_6.gc.type
show_if: "addGCDrive_6=true"
description: "Select volume type"
label: "Volume"
type: enum
required: true
group: "Storage Parameters"
options:
- "standard"
- "ssd"
- variable: drive_6.gc.size
show_if: "addGCDrive_6=true"
description: "Volume size"
label: "Size"
type: int
required: true
group: "Storage Parameters"
#### Section 7 GC
- variable: addGCDrive_7
show_if: "addGCDrive_6=true"
label: "Add another drive?"
type: boolean
default: false
group: "Storage Parameters"
- variable: drive_7.gc.type
show_if: "addGCDrive_6=true"
description: "Select volume type"
label: "Volume"
type: enum
required: true
group: "Storage Parameters"
options:
- "standard"
- "ssd"
- variable: drive_7.gc.size
show_if: "addGCDrive_7=true"
description: "Volume size"
label: "Size"
type: int
required: true
group: "Storage Parameters"
#### Section 8 GC
- variable: addGCDrive_8
show_if: "addGCDrive_7=true"
label: "Add another drive?"
type: boolean
default: false
group: "Storage Parameters"
- variable: drive_8.gc.type
show_if: "addGCDrive_8=true"
description: "Select volume type"
label: "Volume"
type: enum
required: true
group: "Storage Parameters"
options:
- "standard"
- "ssd"
- variable: drive_8.gc.size
show_if: "addGCDrive_8=true"
description: "Volume size"
label: "Size"
type: int
required: true
group: "Storage Parameters"
#### Section 9 GC
- variable: addGCDrive_9
show_if: "addGCDrive_8=true"
label: "Add another drive?"
type: boolean
default: false
group: "Storage Parameters"
- variable: drive_9.gc.type
show_if: "addGCDrive_9=true"
description: "Select volume type"
label: "Volume"
type: enum
required: true
group: "Storage Parameters"
options:
- "standard"
- "ssd"
- variable: drive_9.gc.size
show_if: "addGCDrive_9=true"
description: "Volume size"
label: "Size"
type: int
required: true
group: "Storage Parameters"
#### Section 10 GC
- variable: addGCDrive_10
show_if: "addGCDrive_9=true"
label: "Add another drive?"
type: boolean
default: false
group: "Storage Parameters"
- variable: drive_10.gc.type
show_if: "addGCDrive_10=true"
description: "Select volume type"
label: "Volume"
type: enum
required: true
group: "Storage Parameters"
options:
- "standard"
- "ssd"
- variable: drive_10.gc.size
show_if: "addGCDrive_10=true"
description: "Volume size"
label: "Size"
type: int
required: true
group: "Storage Parameters"
- variable: maxStorageNodes
show_if: "environment=Cloud&&deviceConfig=Create Using a Spec"
description: "Max storage nodes per availability zone"
label: "Max storage nodes (Optional)"
type: int
group: "Storage Parameters"
################################### Network options ################################
- variable: dataInterface
description: "Specify your data network interface (example: `eth1`). If set to `auto`, Portworx will automatically select the first routable interface."
type: string
label: "Data Network Interface"
default: auto
group: "Network Parameters"
- variable: managementInterface
description: "Specify your management network interface (example: `eth1`). If set to `auto`, Portworx will automatically select the first routable interface."
type: string
default: auto
label: "Management Network Interface"
group: "Network Parameters"
################################### Platform options ################################
- variable: platformOptions
type: enum
label: "Platform"
group: "Platform Parameters"
options:
- "AKS"
- "EKS"
- "GKE"
################################### Registry settings options ################################
- variable: customRegistry
label: "Use a custom container registry?"
type: boolean
default: false
group: "Container Registry Parameters"
- variable: registrySecret
show_if: "customRegistry=true"
description: "Specify a custom Kubernetes secret that will be used to authenticate with a container registry. Must be defined in kube-system namespace. (example: regcred)"
type: string
label: "Registry Kubernetes Secret"
group: "Container Registry Parameters"
- variable: customRegistryURL
show_if: "customRegistry=true"
description: "Specify a custom container registry server (including repository) that will be used instead of index.docker.io to download Docker images. (example: dockerhub.acme.net:5443 or myregistry.com/myrepository/)"
label: "Custom Registry URL"
type: string
group: "Container Registry Parameters"
################################## Optional features ############################
# TODO: Once we have a stable CSI release, we will default this to enabled
#- variable: csi
# description: "Select if you want to enable CSI (Container Storage Interface). CSI is still in ALPHA."
# type: boolean
# label: "Enable CSI"
# default: false
# required: false
# group: "Advanced parameters"
- variable: storkVersion
default: "2.6.3"
label: "Stork version"
type: string
group: "Advanced parameters"
- variable: envVars
label: "Environment variables"
description: "Enter your environment variables separated by semicolons (example: API_SERVER=http://lighthouse-new.portworx.com;MYENV1=val1;MYENV2=val2). These environment variables will be exported to Portworx."
type: string
group: "Advanced parameters"
- variable: imageVersion
default: "2.8.0"
type: string
label: Portworx version to be deployed.
group: "Advanced parameters"
- variable: clusterName
type: string
label: Portworx cluster name
default: mycluster
group: "Advanced parameters"
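Review bot: the `show_if` on `drive_7.gc.type` is off by one: it reads `show_if: "addGCDrive_6=true"` while its partner `drive_7.gc.size` and every other section key the type/size pair on their own toggle, so it should be `show_if: "addGCDrive_7=true"`; as written, the type for drive 7 is asked as soon as drive 6 is added, and a user who adds drive 7 can be left with a size but no matching type prompt. Two smaller defects in the same file: the bare `-` between the `deviceConfig` options and `journalDevice` adds an empty (null) entry to the questions list and should be deleted, and `descrition:` on `usedrivesAndPartitions` is misspelled, so that help text is silently dropped. One documentation request: `customRegistryURL` is spliced straight into image references by the helpers (`{{ cat (trim .Values.customRegistryURL) "/px-monitor" ... }}`), so whoever sets it decides which images every Portworx component runs; the description should say the value must point at a registry the operator trusts, and the `registrySecret` text should note that the secret lands in kube-system alongside the hook jobs.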

View File

@ -0,0 +1,13 @@
Your Release is named {{ .Release.Name | quote }}
Portworx Pods should be running on each node in your cluster.
Portworx would create a unified pool of the disks attached to your Kubernetes nodes. No further action should be required and you are ready to consume Portworx Volumes as part of your application data requirements.
For further information on usage of the Portworx, refer to following doc pages.
- For dynamically provisioning volumes: https://docs.portworx.com/scheduler/kubernetes/dynamic-provisioning.html
- For preprovisioned volumes: https://docs.portworx.com/scheduler/kubernetes/preprovisioned-volumes.html
- To use Stork (Storage Orchestration Runtime for Kubernetes) for hyperconvergence and snapshots: https://docs.portworx.com/scheduler/kubernetes/stork.html
- For stateful application solutions using Portworx: https://docs.portworx.com/scheduler/kubernetes/k8s-px-app-samples.html
- For interactive tutorials on using Portworx on Kubernetes: https://docs.portworx.com/scheduler/kubernetes/px-k8s-interactive.html
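Review bot: wording only, not blocking: "For further information on usage of the Portworx, refer to following doc pages." reads better as "For further information on using Portworx, refer to the following doc pages.", and "Portworx would create a unified pool of the disks" should be present tense ("Portworx creates a unified pool of the disks") since it describes what the install does, not a hypothetical.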

View File

@ -0,0 +1,443 @@
{{/* Gets the correct API Version based on the version of the cluster
*/}}
{{- define "rbac.apiVersion" -}}
{{- if semverCompare ">= 1.8-0" .Capabilities.KubeVersion.GitVersion -}}
"rbac.authorization.k8s.io/v1"
{{- else -}}
"rbac.authorization.k8s.io/v1beta1"
{{- end -}}
{{- end -}}
{{- define "px.labels" -}}
chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
heritage: {{ .Release.Service | quote }}
release: {{ .Release.Name | quote }}
{{- end -}}
{{- define "driveOpts" }}
{{ $v := .Values.installOptions.drives | split "," }}
{{$v._0}}
{{- end -}}
{{- define "px.kubernetesVersion" -}}
{{$version := .Capabilities.KubeVersion.GitVersion | regexFind "^v\\d+\\.\\d+\\.\\d+"}}{{$version}}
{{- end -}}
{{- define "px.getImage" -}}
{{- if (.Values.customRegistryURL) -}}
{{- if (eq "/" (.Values.customRegistryURL | regexFind "/")) -}}
{{- if .Values.openshiftInstall -}}
{{ cat (trim .Values.customRegistryURL) "/px-monitor" | replace " " ""}}
{{- else -}}
{{ cat (trim .Values.customRegistryURL) "/oci-monitor" | replace " " ""}}
{{- end -}}
{{- else -}}
{{- if .Values.openshiftInstall -}}
{{cat (trim .Values.customRegistryURL) "/portworx/px-monitor" | replace " " ""}}
{{- else -}}
{{cat (trim .Values.customRegistryURL) "/portworx/oci-monitor" | replace " " ""}}
{{- end -}}
{{- end -}}
{{- else -}}
{{- if .Values.openshiftInstall -}}
{{ "registry.connect.redhat.com/portworx/px-monitor" }}
{{- else -}}
{{ "portworx/oci-monitor" }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "px.getStorkImage" -}}
{{- if (.Values.customRegistryURL) -}}
{{- if (eq "/" (.Values.customRegistryURL | regexFind "/")) -}}
{{ cat (trim .Values.customRegistryURL) "/stork" | replace " " ""}}
{{- else -}}
{{cat (trim .Values.customRegistryURL) "/openstorage/stork" | replace " " ""}}
{{- end -}}
{{- else -}}
{{ "openstorage/stork" }}
{{- end -}}
{{- end -}}
{{- define "px.getk8sImages" -}}
{{- $version := .Capabilities.KubeVersion.GitVersion -}}
{{- if (.Values.customRegistryURL) -}}
{{- if (eq "/" (.Values.customRegistryURL | regexFind "/")) -}}
{{ trim .Values.customRegistryURL }}
{{- else -}}
{{- if or (or (and (semverCompare ">= 1.16.14" $version ) (semverCompare "<=1.17.0" $version)) (and (semverCompare ">= 1.17.10" $version) (semverCompare "<=1.18.0" $version ))) (semverCompare ">=1.18.7" $version) -}}
{{cat (trim .Values.customRegistryURL) "/k8s.gcr.io" | replace " " ""}}
{{- else -}}
{{cat (trim .Values.customRegistryURL) "/gcr.io/google_containers" | replace " " ""}}
{{- end -}}
{{- end -}}
{{- else -}}
{{- if or (or (and (semverCompare ">= 1.16.14" $version ) (semverCompare "<=1.17.0" $version)) (and (semverCompare ">= 1.17.10" $version) (semverCompare "<=1.18.0" $version ))) (semverCompare ">=1.18.7" $version) -}}
{{ "k8s.gcr.io" }}
{{- else -}}
{{ "gcr.io/google_containers" }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "px.getcsiImages" -}}
{{- if (.Values.customRegistryURL) -}}
{{- if (eq "/" (.Values.customRegistryURL | regexFind "/")) -}}
{{ trim .Values.customRegistryURL }}
{{- else -}}
{{cat (trim .Values.customRegistryURL) "/quay.io/k8scsi" | replace " " ""}}
{{- end -}}
{{- else -}}
{{ "quay.io/k8scsi" }}
{{- end -}}
{{- end -}}
{{- define "px.getCSIProvisionerImage" -}}
{{- if semverCompare "<1.17.0" .Capabilities.KubeVersion.GitVersion -}}
{{ "docker.io/openstorage/csi-provisioner:v1.6.1-1" }}
{{- else if semverCompare "< 1.20.0" .Capabilities.KubeVersion.GitVersion -}}
{{ "docker.io/openstorage/csi-provisioner:v2.2.2-1" }}
{{- else -}}
{{ "docker.io/openstorage/csi-provisioner:v3.0.0-1" }}
{{- end -}}
{{- end -}}
{{- define "px.getCSISnapshotterImage" -}}
{{- if semverCompare "<1.17.0" .Capabilities.KubeVersion.GitVersion -}}
{{ "docker.io/openstorage/csi-snapshotter:v1.2.2-1" }}
{{- else if semverCompare "< 1.20.0" .Capabilities.KubeVersion.GitVersion -}}
{{ "k8s.gcr.io/sig-storage/csi-snapshotter:v3.0.3" }}
{{- else -}}
{{ "k8s.gcr.io/sig-storage/csi-snapshotter:v4.2.1" }}
{{- end -}}
{{- end -}}
{{- define "px.getCSISnapshotControllerImage" -}}
{{- if semverCompare "< 1.20.0" .Capabilities.KubeVersion.GitVersion -}}
{{ "k8s.gcr.io/sig-storage/snapshot-controller:v3.0.3" }}
{{- else -}}
{{ "k8s.gcr.io/sig-storage/snapshot-controller:v4.2.1" }}
{{- end -}}
{{- end -}}
{{- define "px.getPauseImage" -}}
{{- if (.Values.customRegistryURL) -}}
{{- if (eq "/" (.Values.customRegistryURL | regexFind "/")) -}}
{{ trim .Values.customRegistryURL }}
{{- else -}}
{{cat (trim .Values.customRegistryURL) "/k8s.gcr.io" | replace " " ""}}
{{- end -}}
{{- else -}}
{{ "k8s.gcr.io" }}
{{- end -}}
{{- end -}}
{{- define "px.registryConfigType" -}}
{{- if semverCompare ">=1.9-0" .Capabilities.KubeVersion.GitVersion -}}
".dockerconfigjson"
{{- else -}}
".dockercfg"
{{- end -}}
{{- end -}}
{{/*
Create the name of the service account to use for hooks
*/}}
{{- define "px.hookServiceAccount" -}}
{{- if .Values.serviceAccount.hook.create -}}
{{- printf "%s-hook" .Chart.Name | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{ default "default" .Values.serviceAccount.hook.name }}
{{- end -}}
{{- end -}}
{{/*
Create the name of the cluster role to use for hooks
*/}}
{{- define "px.hookClusterRole" -}}
{{- if .Values.serviceAccount.hook.create -}}
{{- printf "%s-hook" .Chart.Name | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{ default "default" .Values.serviceAccount.hook.name }}
{{- end -}}
{{- end -}}
{{/*
Create the name of the cluster role binding to use for hooks
*/}}
{{- define "px.hookClusterRoleBinding" -}}
{{- if .Values.serviceAccount.hook.create -}}
{{- printf "%s-hook" .Chart.Name | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
{{- else -}}
{{ default "default" .Values.serviceAccount.hook.name }}
{{- end -}}
{{- end -}}
{{/*
String concatenation for drives in AWS section
*/}}
{{- define "px.storage" -}}
{{- $awsType1 := .Values.drive_1.aws.type -}}
{{- $awsType2 := .Values.drive_2.aws.type -}}
{{- $awsType3 := .Values.drive_3.aws.type -}}
{{- $awsType4 := .Values.drive_4.aws.type -}}
{{- $awsType5 := .Values.drive_5.aws.type -}}
{{- $awsType6 := .Values.drive_6.aws.type -}}
{{- $awsType7 := .Values.drive_7.aws.type -}}
{{- $awsType8 := .Values.drive_8.aws.type -}}
{{- $awsType9 := .Values.drive_9.aws.type -}}
{{- $awsType10 := .Values.drive_10.aws.type -}}
{{- $awsSize1 := .Values.drive_1.aws.size -}}
{{- $awsSize2 := .Values.drive_2.aws.size -}}
{{- $awsSize3 := .Values.drive_3.aws.size -}}
{{- $awsSize4 := .Values.drive_4.aws.size -}}
{{- $awsSize5 := .Values.drive_5.aws.size -}}
{{- $awsSize6 := .Values.drive_6.aws.size -}}
{{- $awsSize7 := .Values.drive_7.aws.size -}}
{{- $awsSize8 := .Values.drive_8.aws.size -}}
{{- $awsSize9 := .Values.drive_9.aws.size -}}
{{- $awsSize10 := .Values.drive_10.aws.size -}}
{{- $awsIops1 := .Values.drive_1.aws.iops -}}
{{- $awsIops2 := .Values.drive_2.aws.iops -}}
{{- $awsIops3 := .Values.drive_3.aws.iops -}}
{{- $awsIops4 := .Values.drive_4.aws.iops -}}
{{- $awsIops5 := .Values.drive_5.aws.iops -}}
{{- $awsIops6 := .Values.drive_6.aws.iops -}}
{{- $awsIops7 := .Values.drive_7.aws.iops -}}
{{- $awsIops8 := .Values.drive_8.aws.iops -}}
{{- $awsIops9 := .Values.drive_9.aws.iops -}}
{{- $awsIops10 := .Values.drive_10.aws.iops -}}
{{- $gcType1 := .Values.drive_1.gc.type -}}
{{- $gcType2 := .Values.drive_2.gc.type -}}
{{- $gcType3 := .Values.drive_3.gc.type -}}
{{- $gcType4 := .Values.drive_4.gc.type -}}
{{- $gcType5 := .Values.drive_5.gc.type -}}
{{- $gcType6 := .Values.drive_6.gc.type -}}
{{- $gcType7 := .Values.drive_7.gc.type -}}
{{- $gcType8 := .Values.drive_8.gc.type -}}
{{- $gcType9 := .Values.drive_9.gc.type -}}
{{- $gcType10 := .Values.drive_10.gc.type -}}
{{- $gcSize1 := .Values.drive_1.gc.size -}}
{{- $gcSize2 := .Values.drive_2.gc.size -}}
{{- $gcSize3 := .Values.drive_3.gc.size -}}
{{- $gcSize4 := .Values.drive_4.gc.size -}}
{{- $gcSize5 := .Values.drive_5.gc.size -}}
{{- $gcSize6 := .Values.drive_6.gc.size -}}
{{- $gcSize7 := .Values.drive_7.gc.size -}}
{{- $gcSize8 := .Values.drive_8.gc.size -}}
{{- $gcSize9 := .Values.drive_9.gc.size -}}
{{- $gcSize10 := .Values.drive_10.gc.size -}}
{{- $usefileSystemDrive := .Values.usefileSystemDrive | default false }}
{{- $usedrivesAndPartitions := .Values.usedrivesAndPartitions | default false }}
{{- $deployEnvironmentIKS := .Capabilities.KubeVersion.GitVersion | regexMatch "IKS" }}
{{- if eq "OnPrem" .Values.environment -}}
{{- if eq "Manually specify disks" .Values.onpremStorage }}
{{- if ne "none" .Values.existingDisk1 }}
"-s", "{{- .Values.existingDisk1 }}",
{{- end }}
{{- if ne "none" .Values.existingDisk2 -}}
"-s", "{{- .Values.existingDisk2 }}",
{{- end }}
{{- if ne "none" .Values.existingDisk3 -}}
"-s", "{{- .Values.existingDisk3 }}",
{{- end }}
{{- if ne "none" .Values.existingDisk4 -}}
"-s", "{{- .Values.existingDisk4 }}",
{{- end }}
{{- if ne "none" .Values.existingDisk5 }}
"-s", "{{- .Values.existingDisk5 }}",
{{- end }}
{{- else if eq "Automatically scan disks" .Values.onpremStorage -}}
{{- if or $usedrivesAndPartitions $deployEnvironmentIKS }}
"-f",
{{- end }}
{{- if eq $usedrivesAndPartitions true }}
"-A",
{{- else }}
"-a",
{{- end -}}
{{- end -}}
{{- else if eq "Cloud" .Values.environment -}}
{{- if eq "Consume Unused" .Values.deviceConfig -}}
{{- if or $usedrivesAndPartitions $deployEnvironmentIKS }}
"-f",
{{- end }}
{{- if eq $usedrivesAndPartitions true }}
"-A",
{{- else }}
"-a",
{{- end -}}
{{- end }}
{{/*------------------- ----------------- Google cloud/GKE -------------- --------------- */}}
{{- if eq "Google cloud/GKE" .Values.provider -}}
{{- if eq "Use Existing Disks" .Values.deviceConfig -}}
{{- if .Values.existingDisk1 -}}
"-s", "{{- .Values.existingDisk1 -}}",
{{- end -}}
{{- if ne "none" .Values.existingDisk2 -}}
"-s", "{{- .Values.existingDisk2 -}}",
{{- end -}}
{{- if ne "none" .Values.existingDisk3 -}}
"-s", "{{- .Values.existingDisk3 -}}",
{{- end -}}
{{- if ne "none" .Values.existingDisk4 -}}
"-s", "{{- .Values.existingDisk4 -}}",
{{- end -}}
{{- if ne "none" .Values.existingDisk5 -}}
"-s", "{{- .Values.existingDisk5 -}}",
{{- end -}}
{{- else if eq "Create Using a Spec" .Values.deviceConfig -}}
{{- if $gcType1 }}
"-s", "type=pd-{{$gcType1 | lower}},size={{$gcSize1}}",
{{- end }}
{{/*------------------- DRIVE 2 --------------- */}}
{{- if $gcType2 -}}
"-s", "type=pd-{{$gcType2 | lower}},size={{$gcSize2}}",
{{- end }}
{{/*------------------- DRIVE 3 --------------- */}}
{{- if $gcType3 -}}
"-s", "type=pd-{{$gcType3 | lower}},size={{$gcSize3}}",
{{- end }}
{{/*------------------- DRIVE 4 --------------- */}}
{{- if $gcType4 -}}
"-s", "type=pd-{{$gcType4 | lower}},size={{$gcSize4}}",
{{- end }}
{{/*------------------- DRIVE 5 --------------- */}}
{{- if $gcType5 -}}
"-s", "type=pd-{{$gcType5 | lower}},size={{$gcSize5}}",
{{- end }}
{{/*------------------- DRIVE 6 --------------- */}}
{{- if $gcType6 -}}
"-s", "type=pd-{{$gcType6 | lower}},size={{$gcSize6}}",
{{- end }}
{{/*------------------- DRIVE 7 --------------- */}}
{{- if $gcType7 -}}
"-s", "type=pd-{{$gcType7 | lower}},size={{$gcSize7}}",
{{- end }}
{{/*------------------- DRIVE 8 --------------- */}}
{{- if $gcType8 -}}
"-s", "type=pd-{{$gcType8 | lower}},size={{$gcSize8}}",
{{- end }}
{{/*------------------- DRIVE 9 --------------- */}}
{{- if $gcType9 -}}
"-s", "type=pd-{{$gcType9 | lower}},size={{$gcSize9}}",
{{- end }}
{{/*------------------- DRIVE 10 --------------- */}}
{{- if $gcType10 -}}
"-s", "type=pd-{{$gcType1 | lower}},size={{$gcSize10}}",
{{- end }}
{{- end -}}
{{/*------------------- ----------------- AWS -------------- --------------- */}}
{{- else if eq "AWS" .Values.provider -}}
{{- if eq "Use Existing Disks" .Values.deviceConfig -}}
{{- if ne "none" .Values.existingDisk1 -}}
"-s", "{{ .Values.existingDisk1 }}",
{{- end -}}
{{- if ne "none" .Values.existingDisk2 -}}
"-s", "{{ .Values.existingDisk2 }}",
{{- end -}}
{{- if ne "none" .Values.existingDisk3 -}}
"-s", "{{ .Values.existingDisk3 }}",
{{- end -}}
{{- if ne "none" .Values.existingDisk4 -}}
"-s", "{{ .Values.existingDisk4 }}",
{{- end -}}
{{- if ne "none" .Values.existingDisk5 -}}
"-s", "{{ .Values.existingDisk5 }}",
{{- end -}}
{{- else if eq "Create Using a Spec" .Values.deviceConfig -}}
{{- if ne "none" $awsType1 }}
{{- if eq "GP2" $awsType1 -}}
"-s", "type={{$awsType1 | lower}},size={{$awsSize1}}",
{{- else if eq "IO1" $awsType1 -}}
"-s", "type={{$awsType1 | lower}},size={{$awsSize1}},iops={{$awsIops1}}",
{{- end }}
{{- end }}
{{/*------------------- DRIVE 2 --------------- */}}
{{- if ne "none" $awsType2 -}}
{{- if eq "GP2" $awsType2 -}}
"-s", "type={{$awsType2 | lower}},size={{$awsSize2}}",
{{- else if eq "IO1" $awsType2 -}}
"-s", "type={{$awsType2 | lower}},size={{$awsSize2}},iops={{$awsIops2}}",
{{- end -}}
{{- end }}
{{/*------------------- DRIVE 3 --------------- */}}
{{- if ne "none" $awsType3 }}
{{- if eq "GP2" $awsType3 -}}
"-s", "type={{$awsType3 | lower}},size={{$awsSize3}}",
{{- else if eq "IO1" $awsType3 -}}
"-s", "type={{$awsType3 | lower}},size={{$awsSize3}},iops={{$awsIops3}}",
{{- end -}}
{{- end }}
{{/*------------------- DRIVE 4 --------------- */}}
{{- if ne "none" $awsType4 }}
{{- if eq "GP2" $awsType4 -}}
"-s", "type={{$awsType4 | lower}},size={{$awsSize4}}",
{{- else if eq "IO1" $awsType4 -}}
"-s", "type={{$awsType4 | lower}},size={{$awsSize4}},iops={{$awsIops4}}",
{{- end -}}
{{- end }}
{{/*------------------- DRIVE 5 --------------- */}}
{{- if ne "none" $awsType5 }}
{{- if eq "GP2" $awsType5 -}}
"-s", "type={{$awsType5 | lower}},size={{$awsSize5}}",
{{- else if eq "IO1" $awsType5 -}}
"-s", "type={{$awsType5 | lower}},size={{$awsSize5}},iops={{$awsIops5}}",
{{- end -}}
{{- end }}
{{/*------------------- DRIVE 6 --------------- */}}
{{- if ne "none" $awsType6 }}
{{- if eq "GP2" $awsType6 -}}
"-s", "type={{$awsType6 | lower}},size={{$awsSize6}}",
{{- else if eq "IO1" $awsType6 -}}
"-s", "type={{$awsType6 | lower}},size={{$awsSize6}},iops={{$awsIops6}}",
{{- end -}}
{{- end }}
{{/*------------------- DRIVE 7 --------------- */}}
{{- if ne "none" $awsType7 }}
{{- if eq "GP2" $awsType7 -}}
"-s", "type={{$awsType7 | lower}},size={{$awsSize7}}",
{{- else if eq "IO1" $awsType7 -}}
"-s", "type={{$awsType7 | lower}},size={{$awsSize7}},iops={{$awsIops7}}",
{{- end -}}
{{- end }}
{{/*------------------- DRIVE 8 --------------- */}}
{{- if ne "none" $awsType8 }}
{{- if eq "GP2" $awsType8 -}}
"-s", "type={{$awsType8 | lower}},size={{$awsSize8}}",
{{- else if eq "IO1" $awsType8 -}}
"-s", "type={{$awsType8 | lower}},size={{$awsSize8}},iops={{$awsIops8}}",
{{- end -}}
{{- end }}
{{/*------------------- DRIVE 9 --------------- */}}
{{- if ne "none" $awsType9 }}
{{- if eq "GP2" $awsType9 -}}
"-s", "type={{$awsType9 | lower}},size={{$awsSize9}}",
{{- else if eq "IO1" $awsType9 -}}
"-s", "type={{$awsType9 | lower}},size={{$awsSize9}},iops={{$awsIops9}}",
{{- end -}}
{{- end }}
{{/*------------------- DRIVE 10 --------------- */}}
{{- if ne "none" $awsType10 }}
{{- if eq "GP2" $awsType10 -}}
"-s", "type={{$awsType10 | lower}},size={{$awsSize10}}",
{{- else if eq "IO1" $awsType10 -}}
"-s", "type={{$awsType10 | lower}},size={{$awsSize10}},iops={{$awsIops10}}",
{{- end -}}
{{- end }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end }}
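Review bot: every `DRIVE n` block silently emits nothing when `$awsTypeN` is anything other than the exact strings `GP2` or `IO1`; the `{{- if eq "GP2" $awsType4 -}}` / `{{- else if eq "IO1" $awsType4 -}}` chain has no final `else`, and the comparison is case-sensitive even though the value is lowercased for output (`type={{$awsType4 | lower}}`), so a user who writes `gp2` gets no `-s` argument and no error. Compare on `(upper $awsTypeN)` and add a terminating `{{- else }}{{ fail (printf "unsupported AWS drive type %s" $awsTypeN) }}` branch so a bad value fails the render instead of quietly dropping a drive. The ten copy-pasted blocks would also be safer as a single `range` over a list of drive specs, so a fix to the GP2/IO1 logic lands in one place.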


@ -0,0 +1,40 @@
{{- $customRegistryURL := .Values.customRegistryURL | default "none" }}
{{- $registrySecret := .Values.registrySecret | default "none" }}
apiVersion: batch/v1
kind: Job
metadata:
namespace: kube-system
name: px-hook-postdelete-unlabelnode
labels:
heritage: {{.Release.Service | quote }}
release: {{.Release.Name | quote }}
chart: "{{.Chart.Name}}-{{.Chart.Version}}"
app.kubernetes.io/managed-by: {{.Release.Service | quote }}
app.kubernetes.io/instance: {{.Release.Name | quote }}
annotations:
"helm.sh/hook": post-delete
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": before-hook-creation
spec:
{{ if semverCompare ">= 1.8-0" .Capabilities.KubeVersion.GitVersion }}
backoffLimit: 0
{{ else }}
activeDeadlineSeconds: 30
{{ end }}
template:
spec:
{{- if not (eq $registrySecret "none") }}
imagePullSecrets:
- name: {{ $registrySecret }}
{{- end }}
restartPolicy: Never
serviceAccountName: {{ template "px.hookServiceAccount" . }}
containers:
- name: post-delete-job
{{- if eq $customRegistryURL "none" }}
image: "lachlanevenson/k8s-kubectl:{{ template "px.kubernetesVersion" . }}"
{{- else}}
image: "{{ $customRegistryURL }}/lachlanevenson/k8s-kubectl:{{ template "px.kubernetesVersion" . }}"
{{- end}}
args: ['label','nodes','--all','px/enabled-']
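Review bot: the hook image `lachlanevenson/k8s-kubectl:{{ template "px.kubernetesVersion" . }}` is an unpinned third-party Docker Hub image whose tag is derived from the cluster's Kubernetes version, so the job depends on that tag existing for every release the chart supports and on the registry being reachable at uninstall time. Combined with `backoffLimit: 0` and no `activeDeadlineSeconds` on the `>= 1.8-0` branch, an image-pull failure leaves this post-delete hook, and therefore `helm uninstall`, waiting indefinitely. Pin the image by digest (or route it through a chart value or template the way the Portworx images are) and set `activeDeadlineSeconds` in both branches of the version switch rather than only for pre-1.8 clusters.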


@ -0,0 +1,40 @@
{{- $customRegistryURL := .Values.customRegistryURL | default "none" }}
{{- $registrySecret := .Values.registrySecret | default "none" }}
apiVersion: batch/v1
kind: Job
metadata:
namespace: kube-system
name: px-hook-predelete-nodelabel
labels:
heritage: {{.Release.Service | quote }}
release: {{.Release.Name | quote }}
chart: "{{.Chart.Name}}-{{.Chart.Version}}"
app.kubernetes.io/managed-by: {{.Release.Service | quote }}
app.kubernetes.io/instance: {{.Release.Name | quote }}
annotations:
"helm.sh/hook": pre-delete
"helm.sh/hook-weight": "-5"
"helm.sh/hook-delete-policy": before-hook-creation
spec:
{{ if semverCompare ">= 1.8-0" .Capabilities.KubeVersion.GitVersion }}
backoffLimit: 0
{{ else }}
activeDeadlineSeconds: 30
{{ end }}
template:
spec:
{{- if not (eq $registrySecret "none") }}
imagePullSecrets:
- name: {{ $registrySecret }}
{{- end }}
serviceAccountName: {{ template "px.hookServiceAccount" . }}
restartPolicy: Never
containers:
- name: pre-delete-job
{{- if eq $customRegistryURL "none" }}
image: "lachlanevenson/k8s-kubectl:{{ template "px.kubernetesVersion" . }}"
{{- else}}
image: "{{ $customRegistryURL }}/lachlanevenson/k8s-kubectl:{{ template "px.kubernetesVersion" . }}"
{{- end}}
args: ['label','nodes','--all','px/enabled=remove','--overwrite']
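Review bot: `label nodes --all px/enabled=remove --overwrite` rewrites the `px/enabled` label on every node, including nodes an operator has deliberately set to `px/enabled=false` to keep Portworx off them (the DaemonSet in this PR schedules on `px/enabled NotIn ["false"]`); once the post-delete hook then strips the label entirely, that opt-out is lost and a reinstall lands on those nodes. Limit the selection to nodes that were actually running Portworx, for example `kubectl label nodes -l 'px/enabled!=false' px/enabled=remove --overwrite`, or preserve the previous value. The same deadline gap as in the post-delete job applies here: the `>= 1.8-0` branch sets `backoffLimit: 0` with no `activeDeadlineSeconds`.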


@ -0,0 +1,128 @@
{{- if or (and (.Values.openshiftInstall) (eq .Values.openshiftInstall true)) (and (.Values.AKSorEKSInstall) (eq .Values.AKSorEKSInstall true)) ((.Capabilities.KubeVersion.GitVersion | regexMatch "gke")) }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: portworx-pvc-controller-account
namespace: kube-system
---
kind: ClusterRole
apiVersion: {{ template "rbac.apiVersion" . }}
metadata:
name: portworx-pvc-controller-role
rules:
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["create","delete","get","list","update","watch"]
- apiGroups: [""]
resources: ["persistentvolumes/status"]
verbs: ["update"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "update", "watch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims/status"]
verbs: ["update"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["create", "delete", "get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["endpoints", "services"]
verbs: ["create", "delete", "get", "update"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create", "patch", "update"]
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get", "create"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "create", "update"]
---
kind: ClusterRoleBinding
apiVersion: {{ template "rbac.apiVersion" . }}
metadata:
name: portworx-pvc-controller-role-binding
subjects:
- kind: ServiceAccount
name: portworx-pvc-controller-account
namespace: kube-system
roleRef:
kind: ClusterRole
name: portworx-pvc-controller-role
apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
labels:
tier: control-plane
name: portworx-pvc-controller
namespace: kube-system
spec:
replicas: 3
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
labels:
name: portworx-pvc-controller
tier: control-plane
spec:
{{- if not (empty .Values.registrySecret) }}
imagePullSecrets:
- name: {{ .Values.registrySecret }}
{{- end }}
containers:
- command:
- kube-controller-manager
- --leader-elect=true
- --address=0.0.0.0
- --controllers=persistentvolume-binder,persistentvolume-expander
- --use-service-account-credentials=true
- --leader-elect-resource-lock=configmaps
image: "{{ template "px.getk8sImages" . }}/kube-controller-manager-amd64:{{ template "px.kubernetesVersion" . }}"
livenessProbe:
failureThreshold: 8
httpGet:
host: 127.0.0.1
path: /healthz
port: 10252
scheme: HTTP
initialDelaySeconds: 15
timeoutSeconds: 15
name: portworx-pvc-controller-manager
resources:
requests:
cpu: 200m
hostNetwork: true
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: "name"
operator: In
values:
- portworx-pvc-controller
topologyKey: "kubernetes.io/hostname"
serviceAccountName: portworx-pvc-controller-account
{{- end }}
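Review bot: `--address=0.0.0.0` together with `hostNetwork: true` binds the controller-manager's unauthenticated insecure HTTP port (10252, the port the livenessProbe uses) on every interface of the node, while the only consumer in this manifest is the probe at `host: 127.0.0.1`; use `--address=127.0.0.1` (or the `--bind-address`/`--secure-port` pair on releases that provide them) so the healthz/metrics endpoint is not reachable from the node's network. The `portworx-pvc-controller-role` also grants cluster-wide `secrets` get/list; if the binder only needs the provisioner secrets referenced from StorageClasses, scope that rule down rather than exposing every Secret in the cluster to this service account. Minor: the `scheduler.alpha.kubernetes.io/critical-pod` annotation is deprecated in favour of `priorityClassName: system-cluster-critical`, and the `-amd64` image suffix ties the deployment to one architecture.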

File diff suppressed because it is too large


@ -0,0 +1,195 @@
{{- if or (and (.Values.csi) (eq .Values.csi true)) (not (.Capabilities.KubeVersion.GitVersion | toString | regexFind "(k3s|rke2)" | empty))}}
{{- $customRegistryURL := .Values.customRegistryURL | default "none" }}
apiVersion: v1
kind: ServiceAccount
metadata:
name: px-csi-account
namespace: kube-system
---
kind: ClusterRole
apiVersion: {{ template "rbac.apiVersion" . }}
metadata:
name: px-csi-role
rules:
- apiGroups: ["extensions"]
resources: ["podsecuritypolicies"]
resourceNames: ["privileged"]
verbs: ["use"]
- apiGroups: ["apiextensions.k8s.io"]
resources: ["customresourcedefinitions"]
verbs: ["*"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["get", "list", "watch", "create", "delete", "update", "patch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: [""]
resources: ["persistentvolumeclaims/status"]
verbs: ["update", "patch"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
resources: ["volumeattachments"]
verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: ["storage.k8s.io"]
resources: ["csistoragecapacities"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["apps"]
resources: ["replicasets"]
verbs: ["get"]
- apiGroups: [""]
resources: ["events"]
verbs: ["list", "watch", "create", "update", "patch"]
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots", "volumesnapshotcontents", "volumesnapshotclasses", "volumesnapshots/status", "volumesnapshotcontents/status"]
verbs: ["create", "get", "list", "watch", "update", "delete"]
- apiGroups: ["csi.storage.k8s.io"]
resources: ["csinodeinfos"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
resources: ["csinodes"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["csi.storage.k8s.io"]
resources: ["csidrivers"]
verbs: ["create", "delete"]
- apiGroups: [""]
resources: ["endpoints"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["*"]
---
kind: ClusterRoleBinding
apiVersion: {{ template "rbac.apiVersion" . }}
metadata:
name: px-csi-role-binding
subjects:
- kind: ServiceAccount
name: px-csi-account
namespace: kube-system
roleRef:
kind: ClusterRole
name: px-csi-role
apiGroup: rbac.authorization.k8s.io
---
kind: Service
apiVersion: v1
metadata:
name: px-csi-service
namespace: kube-system
spec:
clusterIP: None
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: px-csi-ext
namespace: kube-system
spec:
selector:
matchLabels:
app: px-csi-driver
replicas: 1
template:
metadata:
labels:
app: px-csi-driver
spec:
serviceAccount: px-csi-account
containers:
- name: csi-external-provisioner
imagePullPolicy: Always
image: {{ template "px.getCSIProvisionerImage" . }}
args:
- "--v=3"
- "--csi-address=$(ADDRESS)"
{{- if semverCompare "<1.17.0" .Capabilities.KubeVersion.GitVersion }}
- "--provisioner=pxd.portworx.com"
- "--enable-leader-election"
- "--leader-election-type={{if and (semverCompare ">=1.13.0" .Capabilities.KubeVersion.GitVersion) (semverCompare "<1.14.0" .Capabilities.KubeVersion.GitVersion) }}endpoints{{else}}leases{{end}}"
{{- else }}
- "--leader-election=true"
- "--default-fstype=ext4"
{{- end }}
env:
- name: ADDRESS
value: /csi/csi.sock
securityContext:
privileged: true
volumeMounts:
- name: socket-dir
mountPath: /csi
{{- if semverCompare ">=1.12.0" .Capabilities.KubeVersion.GitVersion }}
- name: csi-snapshotter
imagePullPolicy: Always
image: {{ template "px.getCSISnapshotterImage" . }}
args:
- "--v=3"
- "--csi-address=$(ADDRESS)"
- "--leader-election=true"
{{if and (semverCompare ">=1.13.0" .Capabilities.KubeVersion.GitVersion) (semverCompare "<1.14.0" .Capabilities.KubeVersion.GitVersion) }}
- "--leader-election-type=configmaps"
{{- end}}
env:
- name: ADDRESS
value: /csi/csi.sock
volumeMounts:
- name: socket-dir
mountPath: /csi
{{- end }}
{{- if semverCompare ">=1.17.0" .Capabilities.KubeVersion.GitVersion }}
- name: csi-snapshot-controller
imagePullPolicy: Always
image: {{ template "px.getCSISnapshotControllerImage" . }}
args:
- "--v=3"
- "--leader-election=true"
env:
- name: ADDRESS
value: /csi/csi.sock
securityContext:
privileged: true
volumeMounts:
- name: socket-dir
mountPath: /csi
{{- end }}
{{- if semverCompare ">=1.16.0" .Capabilities.KubeVersion.GitVersion }}
- name: csi-resizer
imagePullPolicy: Always
image: k8s.gcr.io/sig-storage/csi-resizer:v1.3.0
args:
- "--v=3"
- "--csi-address=$(ADDRESS)"
- "--leader-election=true"
env:
- name: ADDRESS
value: /csi/csi.sock
securityContext:
privileged: true
volumeMounts:
- name: socket-dir
mountPath: /csi
{{- end }}
volumes:
- name: socket-dir
hostPath:
path: /var/lib/kubelet/plugins/pxd.portworx.com
type: DirectoryOrCreate
{{- end }}
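Review bot: `csi-external-provisioner`, `csi-snapshot-controller` and `csi-resizer` each carry `securityContext: privileged: true`, yet all three only need the `socket-dir` hostPath mounted at `/csi` to reach the driver socket; `csi-snapshotter` in the same pod does exactly that with no securityContext at all, which shows the flag is unnecessary. Drop `privileged` from the three sidecars so a bug in any of them cannot escalate to the host. Separately, `$customRegistryURL` is declared at the top of this file and never used: `image: k8s.gcr.io/sig-storage/csi-resizer:v1.3.0` is hard-coded, so an air-gapped install that sets `customRegistryURL` still tries to pull the resizer from k8s.gcr.io; route it through a template like the other sidecars (`px.getCSIProvisionerImage` and friends). Minor: `serviceAccount:` is the deprecated alias of `serviceAccountName:`, and `px-csi-service` has `clusterIP: None` with neither selector nor ports, so it is worth a comment stating what it is for.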


@ -0,0 +1,472 @@
{{/* Setting defaults if they are omitted. */}}
{{- $deployEnvironmentIKS := .Capabilities.KubeVersion.GitVersion | regexMatch "IKS" }}
{{- $usefileSystemDrive := .Values.usefileSystemDrive | default false }}
{{- $usedrivesAndPartitions := .Values.usedrivesAndPartitions | default false }}
{{- $secretType := .Values.secretType | default "k8s" }}
{{- $journalDevice := .Values.journalDevice | default "none" }}
{{- $maxStorageNodes := .Values.maxStorageNodes | default "none" }}
{{- $customRegistryURL := .Values.customRegistryURL | default "none" }}
{{- $registrySecret := .Values.registrySecret | default "none" }}
{{- $dataInterface := .Values.dataInterface | default "none" }}
{{- $managementInterface := .Values.managementInterface | default "none" }}
{{- $envVars := .Values.envVars | default "none" }}
{{- $isCoreOS := .Values.isTargetOSCoreOS | default false }}
{{- $pksInstall := .Values.pksInstall | default false }}
{{- $internalKVDB := .Values.etcdType | default "none" }}
{{- $csi := .Values.csi | default (not (.Capabilities.KubeVersion.GitVersion | toString | regexFind "(k3s|rke2)" | empty)) }}
{{- $etcdCredentials := .Values.etcd.credentials | default "none:none" }}
{{- $etcdCertPath := .Values.etcd.ca | default "none" }}
{{- $etcdCA := .Values.etcd.ca | default "none" }}
{{- $etcdCert := .Values.etcd.cert | default "none" }}
{{- $etcdKey := .Values.etcd.key | default "none" }}
{{- $consulToken := .Values.consul.token | default "none" }}
{{- $misc := .Values.misc | default "" | split " " }}
{{- $etcdEndPoints := .Values.kvdb }}
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: portworx
namespace: kube-system
labels:
name: portworx
spec:
minReadySeconds: 0
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 1
selector:
matchLabels:
name: portworx
app: portworx
template:
metadata:
labels:
app: portworx
name: portworx
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: px/enabled
operator: NotIn
values:
- "false"
{{- if and (.Values.openshiftInstall) (eq .Values.openshiftInstall true)}}
- key: openshift-infra
operator: DoesNotExist
{{- else if or (not .Values.deployOnMaster) (eq .Values.deployOnMaster false)}}
- key: node-role.kubernetes.io/master
operator: DoesNotExist
{{- end }}
hostNetwork: true
hostPID: true
{{- if not (eq $registrySecret "none") }}
imagePullSecrets:
- name: {{ $registrySecret }}
{{- end }}
containers:
# {{ template "px.getImage"}}
- name: portworx
image: {{ template "px.getImage" . }}:{{ required "A valid Image tag is required in the SemVer format" .Values.imageVersion }}
terminationMessagePath: "/tmp/px-termination-log"
imagePullPolicy: Always
args:
[
{{ include "px.storage" . | indent 0 }}
{{- with .Values -}}
{{- if eq "Built-in" $internalKVDB }}
"-b",
{{- end -}}
{{- if ne $journalDevice "none" }}
"-j", "{{ $journalDevice }}",
{{- end -}}
{{- if $etcdEndPoints -}}
"-k", "{{ regexReplaceAllLiteral "(;)" .kvdb "," }}",
{{- else }}
{{- if ne "Built-in" $internalKVDB }}
{{- if eq "US region" .region }}
"-k", "etcd:http://px-etcd1.portworx.com:2379,etcd:http://px-etcd2.portworx.com:2379,etcd:http://px-etcd3.portworx.com:2379",
{{- else if eq "EU region" .region }}
"-k", "etcd:http://px-eu-etcd1.portworx.com:2379,etcd:http://px-eu-etcd2.portworx.com:2379,etcd:http://px-eu-etcd3.portworx.com:2379",
{{- else }}
"{{ required "A valid kvdb url is required." .kvdb }}"
{{- end -}}
{{- end -}}
{{- end -}}
"-c", "{{ required "Clustername cannot be empty" .clusterName }}",
{{- if ne $secretType "none" }}
"-secret_type", "{{ $secretType }}",
{{- else }}
{{- if $deployEnvironmentIKS }}
"-secret_type", "ibm-kp",
{{- end -}}
{{- end -}}
{{- if and (ne $dataInterface "none") (ne $dataInterface "auto")}}
"-d", "{{ $dataInterface }}",
{{- end -}}
{{- if and (ne $managementInterface "none") (ne $managementInterface "auto") }}
"-m", "{{ $managementInterface }}",
{{- end -}}
{{- if ne $etcdCredentials "none:none" }}
"-userpwd", "{{ $etcdCredentials }}",
{{- end -}}
{{- if ne $etcdCA "none" }}
"-ca", "/etc/pwx/etcdcerts/{{ $etcdCA }}",
{{- end -}}
{{- if ne $etcdCert "none" }}
"-cert", "/etc/pwx/etcdcerts/{{ $etcdCert }}",
{{- end -}}
{{- if ne $etcdKey "none" }}
"-key", "/etc/pwx/etcdcerts/{{ $etcdKey }}",
{{- end -}}
{{- if ne $consulToken "none" }}
"-acltoken", "{{ $consulToken }}",
{{- end -}}
{{- if .misc }}
{{- range $index, $name := $misc }}
"{{ $name }}",
{{- end }}
{{ end -}}
"-x", "kubernetes"
{{- end -}}
]
env:
- name: "PX_TEMPLATE_VERSION"
value: "v2"
{{ if not (eq $envVars "none") }}
{{- $vars := $envVars | split ";" }}
{{- range $key, $val := $vars }}
{{- $envVariable := $val | split "=" }}
- name: {{ $envVariable._0 | trim | quote }}
value: {{ $envVariable._1 | trim | quote }}
{{ end }}
{{- end }}
{{- if not (eq $registrySecret "none") }}
- name: REGISTRY_CONFIG
valueFrom:
secretKeyRef:
{{- if (semverCompare ">=1.9-0" .Capabilities.KubeVersion.GitVersion) or (.Values.openshiftInstall and semverCompare ">=1.8-0" .Capabilities.KubeVersion.GitVersion) }}
key: ".dockerconfigjson"
{{- else }}
key: ".dockercfg"
{{- end }}
name: "{{ $registrySecret }}"
{{- end }}
{{- if eq $pksInstall true }}
- name: "PRE-EXEC"
value: "if [ ! -x /bin/systemctl ]; then apt-get update; apt-get install -y systemd; fi"
{{- end }}
{{- if eq $csi true }}
- name: CSI_ENDPOINT
value: unix:///var/lib/kubelet/plugins/pxd.portworx.com/csi.sock
{{- end }}
livenessProbe:
periodSeconds: 30
initialDelaySeconds: 840 # allow image pull in slow networks
httpGet:
host: 127.0.0.1
path: /status
port: 9001
readinessProbe:
periodSeconds: 10
httpGet:
host: 127.0.0.1
{{- if eq (.Values.deploymentType | upper | lower) "oci" }}
path: /health
port: 9015
{{- else }}
path: /v1/cluster/nodehealth
port: 9001
{{- end}}
securityContext:
privileged: true
volumeMounts:
{{- if not (eq $etcdCertPath "none") }}
- mountPath: /etc/pwx/etcdcerts
name: etcdcerts
{{- end }}
{{- if not (.Capabilities.KubeVersion.GitVersion | toString | regexFind "(k3s|rke2)" | empty) }}
- name: containerd-k3s
mountPath: /run/containerd/containerd.sock
{{- end }}
- name: dockersock
mountPath: /var/run/docker.sock
- name: containerdsock
mountPath: /run/containerd
- name: etcpwx
mountPath: /etc/pwx
- name: cores
mountPath: /var/cores
{{- if eq (.Values.deploymentType | upper | lower) "oci" }}
- name: optpwx
mountPath: /opt/pwx
- name: sysdmount
mountPath: /etc/systemd/system
- name: journalmount1
mountPath: /var/run/log
readOnly: true
- name: journalmount2
mountPath: /var/log
readOnly: true
- name: dbusmount
mountPath: /var/run/dbus
- name: hostproc
mountPath: /host_proc
{{- else if eq (.Values.deploymentType | upper | lower) "docker" }}
- name: dev
mountPath: /dev
- name: optpwx
mountPath: /export_bin
- name: dockerplugins
mountPath: /run/docker/plugins
- name: hostproc
mountPath: /hostproc
{{- if semverCompare "< 1.10-0" .Capabilities.KubeVersion.GitVersion }}
- name: libosd
mountPath: /var/lib/osd:shared
{{- if (.Values.openshiftInstall) and (eq .Values.openshiftInstall true)}}
- name: kubelet
mountPath: /var/lib/origin/openshift.local.volumes:shared
{{- else }}
- name: kubelet
mountPath: /var/lib/kubelet:shared
{{- end }}
{{- else }}
- name: libosd
mountPath: /var/lib/osd
mountPropagation: "Bidirectional"
{{- if (.Values.openshiftInstall) and (eq .Values.openshiftInstall true)}}
- name: kubelet
mountPath: /var/lib/origin/openshift.local.volumes
mountPropagation: "Bidirectional"
{{- else }}
- name: kubelet
mountPath: /var/lib/kubelet
mountPropagation: "Bidirectional"
{{- end }}
{{- end }}
{{- if eq $isCoreOS true}}
- name: src
mountPath: /lib/modules
{{- else }}
- name: src
mountPath: /usr/src
{{- end }}
{{- end }}
{{- if eq $csi true }}
- name: csi-node-driver-registrar
imagePullPolicy: Always
{{- if eq $customRegistryURL "none" }}
image: "k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.1.0"
{{- else }}
image: "{{ $customRegistryURL }}/k8s.gcr.io/sig-storage/csi-node-driver-registrar:v2.1.0"
{{- end}}
args:
- "--v=5"
- "--csi-address=$(ADDRESS)"
- "--kubelet-registration-path=/var/lib/kubelet/plugins/pxd.portworx.com/csi.sock"
env:
- name: ADDRESS
value: /csi/csi.sock
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
volumeMounts:
- name: csi-driver-path
mountPath: /csi
- name: registration-dir
mountPath: /registration
{{- end }}
restartPolicy: Always
{{- if not (.Capabilities.KubeVersion.GitVersion | toString | regexFind "(k3s|rke2)" | empty) }}
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
{{- end }}
serviceAccountName: px-account
volumes:
{{- if ne $etcdCertPath "none" }}
- name: etcdcerts
secret:
secretName: px-etcd-certs
items:
- key: "{{ $etcdCA }}"
path: "{{ $etcdCA }}"
- key: "{{ $etcdCert }}"
path: "{{ $etcdCert }}"
- key: "{{ $etcdKey }}"
path: "{{ $etcdKey }}"
{{- end}}
{{- if not (.Capabilities.KubeVersion.GitVersion | toString | regexFind "(k3s|rke2)" | empty) }}
- name: containerd-k3s
hostPath:
path: /run/k3s/containerd/containerd.sock
{{- end }}
- name: dockersock
hostPath:
path: {{if eq $pksInstall true}}/var/vcap/sys/run/docker/docker.sock{{else}}/var/run/docker.sock{{end}}
- name: containerdsock
hostPath:
path: {{if eq $pksInstall true}}/var/vcap/sys/run/containerd{{else}}/run/containerd{{end}}
{{- if eq $csi true}}
- name: csi-driver-path
hostPath:
path: /var/lib/kubelet/plugins/pxd.portworx.com
type: DirectoryOrCreate
- name: registration-dir
hostPath:
path: /var/lib/kubelet/plugins_registry
type: DirectoryOrCreate
{{- end}}
- name: etcpwx
hostPath:
path: /etc/pwx
- name: cores
hostPath:
path: {{if eq $pksInstall true }}/var/vcap/store/cores{{else}}/var/cores{{end}}
{{- if eq (.Values.deploymentType | upper | lower) "oci" }}
- name: optpwx
hostPath:
path: {{if eq $pksInstall true }}/var/vcap/store/opt/pwx{{else}}/opt/pwx{{end}}
- name: sysdmount
hostPath:
path: /etc/systemd/system
- name: journalmount1
hostPath:
path: /var/run/log
- name: journalmount2
hostPath:
path: /var/log
- name: dbusmount
hostPath:
path: /var/run/dbus
- name: hostproc
hostPath:
path: /proc
{{- else if eq (.Values.deploymentType | upper | lower) "docker" }}
- name: libosd
hostPath:
path: /var/lib/osd
- name: optpwx
hostPath:
path: /opt/pwx/bin
- name: dev
hostPath:
path: /dev
{{- if (.Values.openshiftInstall) and (eq .Values.openshiftInstall true)}}
- name: kubelet
hostPath:
path: /var/lib/origin/openshift.local.volumes
{{- else }}
- name: kubelet
hostPath:
path: /var/lib/kubelet
{{- end }}
{{- if eq $isCoreOS true}}
- name: src
hostPath:
path: /lib/modules
{{- else }}
- name: src
hostPath:
path: /usr/src
{{- end }}
- name: dockerplugins
hostPath:
path: /run/docker/plugins
- name: hostproc
hostPath:
path: /proc
{{- end }}
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: portworx-api
namespace: kube-system
labels:
name: portworx-api
spec:
selector:
matchLabels:
name: portworx-api
minReadySeconds: 0
updateStrategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 100%
template:
metadata:
labels:
name: portworx-api
spec:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: px/enabled
operator: NotIn
values:
- "false"
{{- if not (.Capabilities.KubeVersion.GitVersion | toString | regexFind "(k3s|rke2)" | empty) }}
- key: node-role.kubernetes.io/master
operator: DoesNotExist
{{- end }}
hostNetwork: true
hostPID: false
containers:
- name: portworx-api
image: "{{ template "px.getPauseImage" . }}/pause:3.1"
imagePullPolicy: Always
readinessProbe:
periodSeconds: 10
httpGet:
host: 127.0.0.1
path: /status
port: 9001
restartPolicy: Always
serviceAccountName: px-account
{{- if eq $csi true }}
---
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
name: "pxd.portworx.com"
spec:
attachRequired: false
podInfoOnMount: true
volumeLifecycleModes:
- Persistent
- Ephemeral
{{- end}}
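Review bot: the `REGISTRY_CONFIG` block uses infix operators that Go templates do not have. `{{- if (semverCompare ">=1.9-0" .Capabilities.KubeVersion.GitVersion) or (.Values.openshiftInstall and semverCompare ">=1.8-0" .Capabilities.KubeVersion.GitVersion) }}` is parsed as a parenthesized pipeline followed by extra arguments and fails at render time with `can't give argument to non-function`, so every install that sets `registrySecret` fails; write it in prefix form: `{{- if or (semverCompare ">=1.9-0" .Capabilities.KubeVersion.GitVersion) (and .Values.openshiftInstall (semverCompare ">=1.8-0" .Capabilities.KubeVersion.GitVersion)) }}`. The same broken pattern, `{{- if (.Values.openshiftInstall) and (eq .Values.openshiftInstall true)}}`, appears three times in the `docker` deploymentType branch (two kubelet volumeMounts and the kubelet volume) and fails the same way there; the correct prefix form is already used for the nodeAffinity block near the top of this DaemonSet. Second, `"-userpwd", "{{ $etcdCredentials }}"` and `"-acltoken", "{{ $consulToken }}"` place the KVDB credentials in the container args, where they are readable by anyone with `get pods` in kube-system and visible in the host process list since the pod runs with `hostPID: true`; prefer a Secret consumed via `secretKeyRef` or a file mount. Third, `$etcdCertPath` is assigned from `.Values.etcd.ca`, the same value as `$etcdCA` on the next line, so when only `etcd.cert`/`etcd.key` are set the `/etc/pwx/etcdcerts` volume is never mounted while `-cert`/`-key` still point into it, and when `etcd.ca` is set the Secret volume lists `key: "none"` items for any unset cert/key, which will fail to mount if the secret has no such key. Gate the volume on any of the three being set and emit only the items that are.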


@ -0,0 +1,68 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: px-account
namespace: kube-system
---
kind: ClusterRole
apiVersion: {{ template "rbac.apiVersion" . }}
metadata:
name: node-get-put-list-role
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["watch", "get", "update", "list"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["delete", "get", "list", "watch", "update"]
- apiGroups: [""]
resources: ["persistentvolumeclaims", "persistentvolumes"]
verbs: ["get", "list"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "update", "create"]
- apiGroups: [""]
resources: ["services"]
verbs: ["get", "list", "create", "update", "delete"]
- apiGroups: [""]
resources: ["endpoints"]
verbs: ["get", "list", "create", "update", "delete"]
- apiGroups: ["extensions"]
resources: ["podsecuritypolicies"]
resourceNames: ["privileged"]
verbs: ["use"]
- apiGroups: ["portworx.io"]
resources: ["volumeplacementstrategies"]
verbs: ["get", "list"]
- apiGroups: ["stork.libopenstorage.org"]
resources: ["backuplocations"]
verbs: ["get", "list"]
- apiGroups: ["core.libopenstorage.org"]
resources: ["*"]
verbs: ["*"]
- apiGroups: [""]
resources: ["events"]
verbs: ["create"]
---
kind: ClusterRoleBinding
apiVersion: {{ template "rbac.apiVersion" . }}
metadata:
name: node-role-binding
subjects:
- kind: ServiceAccount
name: px-account
namespace: kube-system
roleRef:
kind: ClusterRole
name: node-get-put-list-role
apiGroup: rbac.authorization.k8s.io
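Review bot: `node-get-put-list-role` is bound cluster-wide to `px-account`, the service account of the privileged, `hostPID` portworx DaemonSet on every node, and it grants `secrets` with `get` and `list` across all namespaces. `list` returns the contents of every Secret in the cluster, so the token mounted into any node's Portworx pod becomes a cluster-wide secret dump for whoever compromises that pod or node. If the default `k8s` secret type only needs the secrets Portworx itself stores, restrict the rule with `resourceNames` or move it to a namespaced Role/RoleBinding and drop `list`. Cluster-wide `pods` `delete` and the `core.libopenstorage.org` `*`/`*` rule deserve the same scrutiny, and the role name no longer describes what the role grants.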


@ -0,0 +1,54 @@
kind: Service
apiVersion: v1
metadata:
name: portworx-service
namespace: kube-system
labels:
name: portworx
spec:
selector:
name: portworx
type: ClusterIP
ports:
- name: px-api
protocol: TCP
port: 9001
targetPort: 9001
- name: px-kvdb
protocol: TCP
port: 9019
targetPort: 9019
- name: px-sdk
protocol: TCP
port: 9020
targetPort: 9020
- name: px-rest-gateway
protocol: TCP
port: 9021
targetPort: 9021
---
kind: Service
apiVersion: v1
metadata:
name: portworx-api
namespace: kube-system
labels:
name: portworx-api
spec:
selector:
name: portworx-api
type: ClusterIP
ports:
- name: px-api
protocol: TCP
port: 9001
targetPort: 9001
- name: px-sdk
protocol: TCP
port: 9020
targetPort: 9020
- name: px-rest-gateway
protocol: TCP
port: 9021
targetPort: 9021
---
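Review bot: `portworx-service` publishes `px-kvdb` (9019) as a plain ClusterIP alongside the API ports, and since the selected pods run with `hostNetwork: true` the same ports are also open on every node IP; the chart ships no NetworkPolicy, so any workload in the cluster can reach the internal KVDB port. Consider adding a NetworkPolicy (or documenting the required host firewall rules) that limits 9019 to the Portworx nodes themselves. Minor: the trailing `---` after the second Service renders an empty YAML document; Helm tolerates it, but it should go.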


@ -0,0 +1,56 @@
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: portworx-db-sc
provisioner: kubernetes.io/portworx-volume
parameters:
repl: "3"
io_profile: "db"
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: portworx-db2-sc
provisioner: kubernetes.io/portworx-volume
parameters:
repl: "3"
block_size: "512b"
io_profile: "db"
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: portworx-shared-sc
provisioner: kubernetes.io/portworx-volume
parameters:
repl: "3"
shared: "true"
---
#
# NULL StorageClass that documents all possible
# Portworx StorageClass parameters
#
# Please refer to : https://docs.portworx.com/scheduler/kubernetes/dynamic-provisioning.html
#
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: portworx-null-sc
annotations:
params/docs: 'https://docs.portworx.com/scheduler/kubernetes/dynamic-provisioning.html'
params/fs: "Filesystem to be laid out: none|xfs|ext4 "
params/block_size: "Block size"
params/repl: "Replication factor for the volume: 1|2|3"
params/shared: "Flag to create a globally shared namespace volume which can be used by multiple pods : true|false"
params/priority_io: "IO Priority: low|medium|high"
params/io_profile: "IO Profile can be used to override the I/O algorithm Portworx uses for the volumes. Supported values are [db](/maintain/performance/tuning.html#db), [sequential](/maintain/performance/tuning.html#sequential), [random](/maintain/performance/tuning.html#random), [cms](/maintain/performance/tuning.html#cms)"
params/group: "The group a volume should belong too. Portworx will restrict replication sets of volumes of the same group on different nodes. If the force group option 'fg' is set to true, the volume group rule will be strictly enforced. By default, it's not strictly enforced."
params/fg: "This option enforces volume group policy. If a volume belonging to a group cannot find nodes for it's replication sets which don't have other volumes of same group, the volume creation will fail."
params/label: "List of comma-separated name=value pairs to apply to the Portworx volume"
params/nodes: "Comma-separated Portworx Node ID's to use for replication sets of the volume"
params/aggregation_level: "Specifies the number of replication sets the volume can be aggregated from"
params/snap_schedule: "Snapshot schedule. Following are the accepted formats: periodic=_mins_,_snaps-to-keep_ daily=_hh:mm_,_snaps-to-keep_ weekly=_weekday@hh:mm_,_snaps-to-keep_ monthly=_day@hh:mm_,_snaps-to-keep_ _snaps-to-keep_ is optional. Periodic, Daily, Weekly and Monthly keep last 5, 7, 5 and 12 snapshots by default respectively"
params/sticky: "Flag to create sticky volumes that cannot be deleted until the flag is disabled"
params/journal: "Flag to indicate if you want to use journal device for the volume's metadata. This will use the journal device that you used when installing Portworx. As of PX version 1.3, it is recommended to use a journal device to absorb PX metadata writes"
provisioner: kubernetes.io/portworx-volume
parameters:
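Review bot: `portworx-null-sc` ends with a bare `parameters:` key, which yields a null map; since this object exists only as documentation, `parameters: {}` states the intent explicitly. In the annotations, `belong too` should be `belong to`, `it's replication sets` should be `its replication sets`, `Node ID's` should be `Node IDs`, and the `io_profile` links are site-relative paths (`/maintain/performance/tuning.html#db`) that do not resolve from an annotation; use absolute URLs as `params/docs` already does. Also worth a comment above `portworx-shared-sc`: `shared: "true"` creates a globally shared namespace volume usable by multiple pods (per the `params/shared` text), and the class name alone does not tell an operator that data in it is reachable from any pod that can claim it.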


@ -0,0 +1,645 @@
{{- if and (.Values.stork) (eq .Values.stork true)}}
{{- $isCoreOS := .Values.isTargetOSCoreOS | default false }}
{{- $customRegistryURL := .Values.customRegistryURL | default "none" }}
{{- $registrySecret := .Values.registrySecret | default "none" }}
apiVersion: v1
kind: ConfigMap
metadata:
name: stork-config
namespace: kube-system
data:
policy.cfg: |-
{
"kind": "Policy",
"apiVersion": "v1",
{{- if semverCompare "< 1.10-0" .Capabilities.KubeVersion.GitVersion }}
"predicates": [
{{- if semverCompare "< 1.9-0" .Capabilities.KubeVersion.GitVersion }}
{"name": "NoVolumeNodeConflict"},
{{- end}}
{"name": "MaxAzureDiskVolumeCount"},
{"name": "NoVolumeZoneConflict"},
{"name": "PodToleratesNodeTaints"},
{"name": "CheckNodeMemoryPressure"},
{"name": "MaxEBSVolumeCount"},
{"name": "MaxGCEPDVolumeCount"},
{"name": "MatchInterPodAffinity"},
{"name": "NoDiskConflict"},
{"name": "GeneralPredicates"},
{"name": "CheckNodeDiskPressure"}
],
"priorities": [
{"name": "NodeAffinityPriority", "weight": 1},
{"name": "TaintTolerationPriority", "weight": 1},
{"name": "SelectorSpreadPriority", "weight": 1},
{"name": "InterPodAffinityPriority", "weight": 1},
{"name": "LeastRequestedPriority", "weight": 1},
{"name": "BalancedResourceAllocation", "weight": 1},
{"name": "NodePreferAvoidPodsPriority", "weight": 1}
],
{{- end}}
"extenders": [
{
"urlPrefix": "http://stork-service.kube-system:8099",
"apiVersion": "v1beta1",
"filterVerb": "filter",
"prioritizeVerb": "prioritize",
"weight": 5,
"enableHttps": false,
"nodeCacheCapable": false
}
]
}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: stork-account
namespace: kube-system
---
kind: ClusterRole
apiVersion: {{ template "rbac.apiVersion" . }}
metadata:
name: stork-role
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
---
kind: ClusterRoleBinding
apiVersion: {{ template "rbac.apiVersion" . }}
metadata:
name: stork-role-binding
subjects:
- kind: ServiceAccount
name: stork-account
namespace: kube-system
roleRef:
kind: ClusterRole
name: stork-role
apiGroup: rbac.authorization.k8s.io
---
kind: Service
apiVersion: v1
metadata:
name: stork-service
namespace: kube-system
spec:
selector:
name: stork
ports:
- name: extender
protocol: TCP
port: 8099
targetPort: 8099
- name: webhook
protocol: TCP
port: 443
targetPort: 443
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: volumeplacementstrategies.portworx.io
spec:
group: portworx.io
versions:
- name: v1beta2
served: true
storage: true
schema:
openAPIV3Schema:
type: object
required:
- spec
properties:
spec:
type: object
description: The desired spec of the volume placement strategy
properties:
replicaAffinity:
type: array
description: Allows you to specify a rule which creates an affinity for replicas within a volume
items:
type: object
properties:
affected_replicas:
type: integer
description: The number of volume replicas affected by the replica affinity
enforcement:
type: string
enum:
- required
- preferred
description: Specifies if the given rule is required (hard) or preferred (soft)
topologyKey:
type: string
minLength: 1
description: Key for the node label that the system uses to denote a topology domain. The key can be for any node label that is present on the Kubernetes node.
matchExpressions:
description: Expression to use for the replica affinity rule
type: array
items:
type: object
properties:
key:
type: string
minLength: 1
operator:
type: string
enum:
- In
- NotIn
- Exists
- DoesNotExist
- Lt
- Gt
description: The logical operator to use for comparing the key and values in the match expression
values:
type: array
items:
type: string
required:
- key
- operator
replicaAntiAffinity:
type: array
description: Allows you to specify a rule that creates an anti-affinity for replicas within a volume
items:
type: object
properties:
affected_replicas:
type: integer
description: The number of volume replicas affected by the replica anti affinity
enforcement:
type: string
enum:
- required
- preferred
description: Specifies if the given rule is required (hard) or preferred (soft)
topologyKey:
type: string
minLength: 1
description: Key for the node label that the system uses to denote a topology domain. The key can be for any node label that is present on the Kubernetes node.
required:
- topologyKey
volumeAffinity:
type: array
description: Allows you to colocate volumes by specifying rules that place replicas of a volume together with those of another volume for which the specified labels match
items:
type: object
properties:
enforcement:
type: string
enum:
- required
- preferred
description: Specifies if the given rule is required (hard) or preferred (soft)
topologyKey:
type: string
minLength: 1
description: Key for the node label that the system uses to denote a topology domain. The key can be for any node label that is present on the Kubernetes node.
matchExpressions:
description: Expression to use for the volume affinity rule
type: array
items:
type: object
properties:
key:
type: string
minLength: 1
operator:
type: string
enum:
- In
- NotIn
- Exists
- DoesNotExist
- Lt
- Gt
description: The logical operator to use for comparing the key and values in the match expression
values:
type: array
items:
type: string
required:
- key
- operator
required:
- matchExpressions
volumeAntiAffinity:
type: array
description: Allows you to specify dissociation rules between 2 or more volumes that match the given labels
items:
type: object
properties:
enforcement:
type: string
enum:
- required
- preferred
description: Specifies if the given rule is required (hard) or preferred (soft)
topologyKey:
type: string
minLength: 1
description: Key for the node label that the system uses to denote a topology domain. The key can be for any node label that is present on the Kubernetes node.
matchExpressions:
description: Expression to use for the volume anti affinity rule
type: array
items:
type: object
properties:
key:
type: string
minLength: 1
operator:
type: string
enum:
- In
- NotIn
- Exists
- DoesNotExist
- Lt
- Gt
description: The logical operator to use for comparing the key and values in the match expression
values:
type: array
items:
type: string
required:
- key
- operator
required:
- matchExpressions
- name: v1beta1
served: false
storage: false
schema:
openAPIV3Schema:
type: object
required:
- spec
properties:
spec:
type: object
description: The desired spec of the volume placement strategy
properties:
replicaAffinity:
type: array
description: Allows you to specify a rule which creates an affinity for replicas within a volume
items:
type: object
properties:
affected_replicas:
type: integer
description: The number of volume replicas affected by the replica affinity
enforcement:
type: string
enum:
- required
- preferred
description: Specifies if the given rule is required (hard) or preferred (soft)
topologyKey:
type: string
minLength: 1
description: Key for the node label that the system uses to denote a topology domain. The key can be for any node label that is present on the Kubernetes node.
matchExpressions:
description: Expression to use for the replica affinity rule
type: array
items:
type: object
properties:
key:
type: string
minLength: 1
operator:
type: string
enum:
- In
- NotIn
- Exists
- DoesNotExist
- Lt
- Gt
description: The logical operator to use for comparing the key and values in the match expression
values:
type: array
items:
type: string
required:
- key
- operator
replicaAntiAffinity:
type: array
description: Allows you to specify a rule that creates an anti-affinity for replicas within a volume
items:
type: object
properties:
affected_replicas:
type: integer
description: The number of volume replicas affected by the replica anti affinity
enforcement:
type: string
enum:
- required
- preferred
description: Specifies if the given rule is required (hard) or preferred (soft)
topologyKey:
type: string
minLength: 1
description: Key for the node label that the system uses to denote a topology domain. The key can be for any node label that is present on the Kubernetes node.
required:
- topologyKey
volumeAffinity:
type: array
description: Allows you to colocate volumes by specifying rules that place replicas of a volume together with those of another volume for which the specified labels match
items:
type: object
properties:
enforcement:
type: string
enum:
- required
- preferred
description: Specifies if the given rule is required (hard) or preferred (soft)
topologyKey:
type: string
minLength: 1
description: Key for the node label that the system uses to denote a topology domain. The key can be for any node label that is present on the Kubernetes node.
matchExpressions:
description: Expression to use for the volume affinity rule
type: array
items:
type: object
properties:
key:
type: string
minLength: 1
operator:
type: string
enum:
- In
- NotIn
- Exists
- DoesNotExist
- Lt
- Gt
description: The logical operator to use for comparing the key and values in the match expression
values:
type: array
items:
type: string
required:
- key
- operator
required:
- matchExpressions
volumeAntiAffinity:
type: array
description: Allows you to specify dissociation rules between 2 or more volumes that match the given labels
items:
type: object
properties:
enforcement:
type: string
enum:
- required
- preferred
description: Specifies if the given rule is required (hard) or preferred (soft)
topologyKey:
type: string
minLength: 1
description: Key for the node label that the system uses to denote a topology domain. The key can be for any node label that is present on the Kubernetes node.
matchExpressions:
description: Expression to use for the volume anti affinity rule
type: array
items:
type: object
properties:
key:
type: string
minLength: 1
operator:
type: string
enum:
- In
- NotIn
- Exists
- DoesNotExist
- Lt
- Gt
description: The logical operator to use for comparing the key and values in the match expression
values:
type: array
items:
type: string
required:
- key
- operator
required:
- matchExpressions
scope: Cluster
names:
plural: volumeplacementstrategies
singular: volumeplacementstrategy
kind: VolumePlacementStrategy
shortNames:
- vps
- vp
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
labels:
tier: control-plane
name: stork
namespace: kube-system
spec:
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
replicas: 3
selector:
matchLabels:
name: stork
tier: control-plane
template:
metadata:
annotations:
scheduler.alpha.kubernetes.io/critical-pod: ""
labels:
name: stork
tier: control-plane
spec:
{{- if not (eq $registrySecret "none") }}
imagePullSecrets:
- name: {{ $registrySecret }}
{{- end }}
containers:
- command:
- /stork
- --driver=pxd
- --verbose
- --leader-elect=true
- --webhook-controller=false
imagePullPolicy: Always
image: {{ template "px.getStorkImage" . }}:{{ required "A valid Image tag is required in the SemVer format" .Values.storkVersion }}
resources:
requests:
cpu: '0.1'
name: stork
hostPID: false
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: "name"
operator: In
values:
- stork
topologyKey: "kubernetes.io/hostname"
serviceAccountName: stork-account
---
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
name: stork-snapshot-sc
provisioner: stork-snapshot
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: stork-scheduler-account
namespace: kube-system
---
kind: ClusterRole
apiVersion: {{ template "rbac.apiVersion" . }}
metadata:
name: stork-scheduler-role
rules:
- apiGroups: [""]
resources: ["endpoints"]
verbs: ["get", "update"]
- apiGroups: [""]
resources: ["configmaps"]
verbs: ["get", "list", "watch"]
- apiGroups: ["", "events.k8s.io"]
resources: ["events"]
verbs: ["create", "patch", "update"]
- apiGroups: [""]
resources: ["endpoints"]
verbs: ["create"]
- apiGroups: [""]
resourceNames: ["kube-scheduler"]
resources: ["endpoints"]
verbs: ["delete", "get", "patch", "update"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["pods"]
verbs: ["delete", "get", "list", "watch"]
- apiGroups: [""]
resources: ["bindings", "pods/binding"]
verbs: ["create"]
- apiGroups: [""]
resources: ["pods/status"]
verbs: ["patch", "update"]
- apiGroups: [""]
resources: ["replicationcontrollers", "services"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps", "extensions"]
resources: ["replicasets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["statefulsets"]
verbs: ["get", "list", "watch"]
- apiGroups: ["policy"]
resources: ["poddisruptionbudgets"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims", "persistentvolumes"]
verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses", "csinodes", "csidrivers", "csistoragecapacities"]
verbs: ["get", "list", "watch"]
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["create", "update", "get", "list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: {{ template "rbac.apiVersion" . }}
metadata:
name: stork-scheduler-role-binding
subjects:
- kind: ServiceAccount
name: stork-scheduler-account
namespace: kube-system
roleRef:
kind: ClusterRole
name: stork-scheduler-role
apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
component: scheduler
tier: control-plane
name: stork-scheduler
namespace: kube-system
spec:
replicas: 3
selector:
matchLabels:
component: scheduler
tier: control-plane
template:
metadata:
labels:
component: scheduler
tier: control-plane
name: stork-scheduler
spec:
containers:
- command:
- /usr/local/bin/kube-scheduler
- --address=0.0.0.0
- --leader-elect=true
- --scheduler-name=stork
- --policy-configmap=stork-config
- --policy-configmap-namespace=kube-system
- --lock-object-name=stork-scheduler
image: "{{ template "px.getk8sImages" . }}/kube-scheduler-amd64:v1.21.4"
livenessProbe:
httpGet:
path: /healthz
port: 10251
initialDelaySeconds: 15
name: stork-scheduler
readinessProbe:
httpGet:
path: /healthz
port: 10251
resources:
requests:
cpu: '0.1'
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: "name"
operator: In
values:
- stork-scheduler
topologyKey: "kubernetes.io/hostname"
hostPID: false
serviceAccountName: stork-scheduler-account
{{- end }}
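Review bot: the `stork-role` ClusterRole (`apiGroups: ["*"]`, `resources: ["*"]`, `verbs: ["*"]`) bound to `stork-account` is effectively cluster-admin for a kube-system workload; please scope it to the API groups Stork actually needs (the enumerated `stork-scheduler-role` further down this file is the model to follow) or document why a wildcard is required. Smaller points in the same file: `scheduler.alpha.kubernetes.io/critical-pod: ""` on both Deployments is the deprecated critical-pod annotation that current Kubernetes releases no longer honor, so it should be replaced by `priorityClassName: system-cluster-critical`; the extender is reached over plain HTTP (`"urlPrefix": "http://stork-service.kube-system:8099"`, `"enableHttps": false`) and `stork-service` also publishes a `webhook` port on 443 even though the container is started with `--webhook-controller=false`, so either drop the unused port or explain it; the `kube-scheduler-amd64:v1.21.4` image and the `--policy-configmap` flags are pinned independently of the cluster version and deserve a comment, since the policy-config flags are deprecated in newer scheduler releases; neither container sets a `securityContext` (runAsNonRoot, readOnlyRootFilesystem, dropped capabilities) or memory requests/limits; and `replicas: 3` combined with `requiredDuringSchedulingIgnoredDuringExecution` anti-affinity on `kubernetes.io/hostname` leaves pods Pending on clusters with fewer than three schedulable nodes, which the values documentation should state.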


@ -0,0 +1,42 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ template "px.hookServiceAccount" . }}
namespace: kube-system
annotations:
"helm.sh/hook-delete-policy": before-hook-creation
"helm.sh/hook": "post-install,pre-delete,post-delete"
labels:
heritage: {{ .Release.Service }}
release: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{.Release.Service | quote }}
app.kubernetes.io/instance: {{.Release.Name | quote }}
chart: "{{.Chart.Name}}-{{.Chart.Version}}"
---
kind: ClusterRole
apiVersion: {{ template "rbac.apiVersion" . }}
metadata:
annotations:
"helm.sh/hook-delete-policy": before-hook-creation
"helm.sh/hook": "post-install,pre-delete,post-delete"
name: {{ template "px.hookClusterRole" . }}
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["patch", "get", "update", "list"]
---
kind: ClusterRoleBinding
apiVersion: {{ template "rbac.apiVersion" . }}
metadata:
annotations:
"helm.sh/hook-delete-policy": before-hook-creation
"helm.sh/hook": "post-install,pre-delete,post-delete"
name: {{ template "px.hookClusterRoleBinding" . }}
subjects:
- kind: ServiceAccount
name: {{ template "px.hookServiceAccount" . }}
namespace: kube-system
roleRef:
kind: ClusterRole
name: {{ template "px.hookClusterRole" . }}
apiGroup: rbac.authorization.k8s.io
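Review bot: `"helm.sh/hook-delete-policy": before-hook-creation` on the hook ServiceAccount, ClusterRole and ClusterRoleBinding means the binding that grants `patch`/`update` on `nodes` cluster-wide stays in place after the post-install hook has finished and is only cleaned up when the next hook event (pre-delete) recreates it; since the hook only needs it while running, add `hook-succeeded` (`"helm.sh/hook-delete-policy": before-hook-creation,hook-succeeded`) so the privilege does not sit unused between install and uninstall. Also, the ServiceAccount carries `heritage`, `release`, `app.kubernetes.io/*` and `chart` labels but the ClusterRole and ClusterRoleBinding carry none, which makes them impossible to attribute to the release with a label selector; and `namespace: kube-system` is hard-coded in both the ServiceAccount and the binding subject rather than taken from `.Release.Namespace`, which is acceptable if the chart requires kube-system but should then be asserted with a `required`/`fail` check rather than assumed.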


@ -0,0 +1,149 @@
# Please uncomment and specify values for these options as per your requirements.
kvdb:
ownEtcdOption: none
etcdAuth: none
etcdType: none # KVDB type
etcd:
credentials: none:none # Username and password for ETCD authentication in the form user:password
ca: none # Name of CA file for ETCD authentication. server.ca
cert: none # Name of certificate for ETCD authentication. Should be server.crt
key: none # Name of certificate key for ETCD authentication Should be server.key
consul:
token: none # ACL token value used for Consul authentication. (example: 398073a8-5091-4d9c-871a-bbbeb030d1f6)
region: none # US or EU regions for Portworx hosted etcds
dataInterface: none # Name of the interface <ethX>
managementInterface: none # Name of the interface <ethX>
platformOptions: none # AKS, EKS or GKE platforms
customRegistryURL:
registrySecret:
clusterName: mycluster # This is the default. please change it to your cluster name.
secretType: k8s # Defaults to None, but can be AWS / KVDB / Vault.
envVars: none # NOTE: This is a ";" seperated list of environment variables. For eg: MYENV1=myvalue1;MYENV2=myvalue2
stork: true # Use Stork https://docs.portworx.com/scheduler/kubernetes/stork.html for hyperconvergence.
storkVersion: 2.7.0
deployOnMaster: false # For POC only
csi: false # Enable CSI
openshiftInstall: false
AKSorEKSInstall: false
serviceAccount:
hook:
create: true
name:
deploymentType: oci # accepts "oci" or "docker"
imageType: none #
imageVersion: 2.8.0 # Version of the PX Image.
result: none
environment: none
onpremStorage: none
maxStorageNodes: none
journalDevice: none
usefileSystemDrive: false # true/false Instructs PX to use an unmounted Drive even if it has a filesystem.
usedrivesAndPartitions: false # Use unmounted disks even if they have a partition or filesystem on it. PX will never use a drive or partition that is mounted. (useDrivesAndPartitions)
provider: none
deviceConfig: none
drive_1:
aws:
type: none
size: none
iops: none
gc:
type: standard
size: 1000
drive_2:
aws:
type: none
size: none
iops: none
gc:
type: none
size: none
drive_3:
aws:
type: none
size: none
iops: none
gc:
type: none
size: none
drive_4:
aws:
type: none
size: none
iops: none
gc:
type: none
size: none
drive_5:
aws:
type: none
size: none
iops: none
gc:
type: none
size: none
drive_6:
aws:
type: none
size: none
iops: none
gc:
type: none
size: none
drive_7:
aws:
type: none
size: none
iops: none
gc:
type: none
size: none
drive_8:
aws:
type: none
size: none
iops: none
gc:
type: none
size: none
drive_9:
aws:
type: none
size: none
iops: none
gc:
type: none
size: none
drive_10:
aws:
type: none
size: none
iops: none
gc:
type: none
size: none
existingDisk1: none
existingDisk2: none
existingDisk3: none
existingDisk4: none
existingDisk5: none
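Review bot: `credentials: none:none # Username and password for ETCD authentication in the form user:password` and `consul.token` put live secrets into values.yaml, which normally ends up in version control and in the release's stored values; please consume them from a pre-created Secret (name in values, contents in the cluster), or at least say in the comment that a values file carrying them must be protected. Comment/default mismatches in the same block: `secretType: k8s # Defaults to None, but can be AWS / KVDB / Vault.` contradicts the `k8s` default on the same line; the `envVars` comment has `seperated` for `separated`; and `usefileSystemDrive` / `usedrivesAndPartitions` use different casing from the `useDrivesAndPartitions` name the comment refers to. Finally, `registrySecret:` is left empty here while the stork template tests `{{- if not (eq $registrySecret "none") }}`, so please confirm that `$registrySecret` is defaulted to `none` when the value is empty; otherwise an `imagePullSecrets` entry with an empty name is rendered.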


@ -2162,6 +2162,27 @@ entries:
- assets/nats/nats-0.10.0.tgz
version: 0.10.0
neuvector:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: NeuVector
catalog.cattle.io/release-name: neuvector
apiVersion: v1
appVersion: 4.4.3
created: "2022-01-21T17:59:14.412119672-08:00"
description: Helm chart for NeuVector's core services
digest: 9beceb544458dcbf28e3da77d59a9691d2cde7a0890cfcaaaeb94c23af505f37
home: https://neuvector.com
icon: https://avatars2.githubusercontent.com/u/19367275?s=200&v=4
keywords:
- security
kubeVersion: '>=1.13.0-0'
maintainers:
- email: support@neuvector.com
name: becitsthere
name: neuvector
urls:
- assets/neuvector/neuvector-1.8.90000.tgz
version: 1.8.90000
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: NeuVector
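Review bot: if this `neuvector` entry was edited into index.yaml by hand rather than produced by `helm repo index --merge`, please confirm that `digest` equals the SHA-256 of `assets/neuvector/neuvector-1.8.90000.tgz` and that `created` reflects when that tarball was built; Helm writes both from the package, and a digest that does not match the shipped archive will trip any consumer that checks it. Regenerating the index from the assets directory is the safer way to add the entry.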
@ -2737,6 +2758,42 @@ entries:
- assets/portshift-operator/portshift-operator-0.1.000.tgz
version: 0.1.000
portworx:
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Portworx
catalog.cattle.io/release-name: portworx
apiVersion: v1
appVersion: "2.8"
created: "2021-12-03T16:12:21.938192593-07:00"
description: A Helm chart for installing Portworx on Kubernetes.
digest: fb91976efad7934229cc1bf943bd95c73bff4a843524abddbfc232471d62daf6
home: https://portworx.com/
icon: https://raw.githubusercontent.com/portworx/helm/master/doc/media/k8s-porx.png
keywords:
- Storage
- ICP
- persistent disk
- pvc
- cloud native storage
- persistent storage
- portworx
- amd64
kubeVersion: '>=1.16.0'
maintainers:
- email: hadesai@purestorage.com
name: harsh-px
- email: onaumov@purestorage.com
name: trierra
- email: tasharma@purestorage.com
name: sharma-tapas
- email: dahuang@purestorage.com
name: dahuang-purestorage
name: portworx
sources:
- https://github.com/portworx/charts-rancher/tree/master/stable
urls:
- assets/portworx/portworx-2.8.100.tgz
version: 2.8.100
- annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Portworx
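Review bot: `kubeVersion: '>=1.16.0'` in the portworx entry lacks the `-0` pre-release suffix, so Helm's semver constraint rejects the chart on distributions whose server version carries a vendor suffix (the `vX.Y.Z-<vendor>` strings managed offerings report), which is exactly the environment the `platformOptions` and `AKSorEKSInstall` values in this chart target; the neuvector entry above uses `'>=1.13.0-0'` for this reason, and this constraint should be `'>=1.16.0-0'`. Also `created: "2021-12-03T16:12:21.938192593-07:00"` predates the January 2022 timestamp on the neuvector entry; if the package was rebuilt for this release the index should be regenerated so the timestamp and digest correspond to the shipped `assets/portworx/portworx-2.8.100.tgz`.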