Added chart versions:

codefresh/cf-runtime:
    - 6.3.52
  digitalis/vals-operator:
    - 0.7.10
  kuma/kuma:
    - 2.8.2
  minio/minio-operator:
    - 6.0.1
  new-relic/nri-bundle:
    - 5.0.87
  percona/psmdb-db:
    - 1.16.3
  percona/psmdb-operator:
    - 1.16.3
  speedscale/speedscale-operator:
    - 2.2.203

charts/codefresh/cf-runtime/6.3.52/.helmignore

@@ -0,0 +1,3 @@
+tests/
+.ci/
+test-values/

charts/codefresh/cf-runtime/6.3.52/Chart.yaml

@@ -0,0 +1,28 @@
+annotations:
+  artifacthub.io/changes: |
+    - kind: security
+      description: "cf-docker-builder image upgraded to 1.3.13 with security fixes"
+  artifacthub.io/containsSecurityUpdates: "false"
+  catalog.cattle.io/certified: partner
+  catalog.cattle.io/display-name: Codefresh
+  catalog.cattle.io/kube-version: '>=1.18-0'
+  catalog.cattle.io/release-name: cf-runtime
+apiVersion: v2
+dependencies:
+- name: cf-common
+  repository: file://./charts/cf-common
+  version: 0.16.0
+description: A Helm chart for Codefresh Runner
+home: https://codefresh.io/
+icon: file://assets/icons/cf-runtime.png
+keywords:
+- codefresh
+- runner
+kubeVersion: '>=1.18-0'
+maintainers:
+- name: codefresh
+  url: https://codefresh-io.github.io/
+name: cf-runtime
+sources:
+- https://github.com/codefresh-io/venona
+version: 6.3.52

charts/codefresh/cf-runtime/6.3.52/files/cleanup-runtime.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+echo "-----"
+echo "API_HOST:           ${API_HOST}"
+echo "AGENT_NAME:         ${AGENT_NAME}"
+echo "RUNTIME_NAME:       ${RUNTIME_NAME}"
+echo "AGENT:              ${AGENT}"
+echo "AGENT_SECRET_NAME:  ${AGENT_SECRET_NAME}"
+echo "DIND_SECRET_NAME:   ${DIND_SECRET_NAME}"
+echo "-----"
+
+auth() {
+  codefresh auth create-context --api-key ${API_TOKEN} --url ${API_HOST}
+}
+
+remove_runtime() {
+  if [ "$AGENT" == "true" ]; then
+    codefresh delete re ${RUNTIME_NAME} || true
+  else
+    codefresh delete sys-re ${RUNTIME_NAME} || true
+  fi
+}
+
+remove_agent() {
+  codefresh delete agent ${AGENT_NAME} || true
+}
+
+remove_secrets() {
+  kubectl patch secret $(kubectl get secret -l codefresh.io/internal=true | awk 'NR>1{print $1}' | xargs) -p '{"metadata":{"finalizers":null}}' --type=merge || true
+  kubectl delete secret $AGENT_SECRET_NAME || true
+  kubectl delete secret $DIND_SECRET_NAME || true
+}
+
+auth
+remove_runtime
+remove_agent
+remove_secrets

charts/codefresh/cf-runtime/6.3.52/files/configure-dind-certs.sh

@@ -0,0 +1,132 @@
+#!/usr/bin/env bash
+#
+
+#---
+fatal() {
+   echo "ERROR: $1"
+   exit 1
+}
+
+msg() { echo -e "\e[32mINFO ---> $1\e[0m"; }
+err() { echo -e "\e[31mERR ---> $1\e[0m" ; return 1; }
+
+exit_trap () {
+  local lc="$BASH_COMMAND" rc=$?
+  if [ $rc != 0 ]; then
+    if [[ -n "$SLEEP_ON_ERROR" ]]; then
+      echo -e "\nSLEEP_ON_ERROR is set - Sleeping to fix error"
+      sleep $SLEEP_ON_ERROR
+    fi
+  fi
+}
+trap exit_trap EXIT
+
+usage() {
+    echo "Usage:
+    $0 [-n | --namespace] [--server-cert-cn] [--server-cert-extra-sans] codefresh-api-host codefresh-api-token
+
+Example:
+   $0 -n workflow https://g.codefresh.io 21341234.423141234.412431234
+
+"
+}
+
+# Args
+while [[ $1 =~ ^(-(n|h)|--(namespace|server-cert-cn|server-cert-extra-sans|help)) ]]
+do
+  key=$1
+  value=$2
+
+  case $key in
+    -h|--help)
+        usage
+        exit
+      ;;
+    -n|--namespace)
+        NAMESPACE="$value"
+        shift
+      ;;
+    --server-cert-cn)
+        SERVER_CERT_CN="$value"
+        shift
+      ;;
+    --server-cert-extra-sans)
+        SERVER_CERT_EXTRA_SANS="$value"
+        shift
+      ;;
+  esac
+  shift # past argument or value
+done
+
+API_HOST=${1:-"$CF_API_HOST"}
+API_TOKEN=${2:-"$CF_API_TOKEN"}
+
+[[ -z "$API_HOST" ]] && usage && fatal "Missing API_HOST"
+[[ -z "$API_TOKEN" ]] && usage && fatal "Missing token"
+
+
+API_SIGN_PATH=${API_SIGN_PATH:-"api/custom_clusters/signServerCerts"}
+
+NAMESPACE=${NAMESPACE:-default}
+RELEASE=${RELEASE:-cf-runtime}
+
+DIR=$(dirname $0)
+TMPDIR=/tmp/codefresh/
+
+TMP_CERTS_FILE_ZIP=$TMPDIR/cf-certs.zip
+TMP_CERTS_HEADERS_FILE=$TMPDIR/cf-certs-response-headers.txt
+CERTS_DIR=$TMPDIR/ssl
+SRV_TLS_CA_CERT=${CERTS_DIR}/ca.pem
+SRV_TLS_KEY=${CERTS_DIR}/server-key.pem
+SRV_TLS_CSR=${CERTS_DIR}/server-cert.csr
+SRV_TLS_CERT=${CERTS_DIR}/server-cert.pem
+CF_SRV_TLS_CERT=${CERTS_DIR}/cf-server-cert.pem
+CF_SRV_TLS_CA_CERT=${CERTS_DIR}/cf-ca.pem
+mkdir -p $TMPDIR $CERTS_DIR
+
+K8S_CERT_SECRET_NAME=codefresh-certs-server
+echo -e "\n------------------\nGenerating server tls certificates ... "
+
+SERVER_CERT_CN=${SERVER_CERT_CN:-"docker.codefresh.io"}
+SERVER_CERT_EXTRA_SANS="${SERVER_CERT_EXTRA_SANS}"
+###
+
+  openssl genrsa -out $SRV_TLS_KEY 4096 || fatal "Failed to generate openssl key "
+  openssl req -subj "/CN=${SERVER_CERT_CN}" -new -key $SRV_TLS_KEY -out $SRV_TLS_CSR  || fatal "Failed to generate openssl csr "
+  GENERATE_CERTS=true
+  CSR=$(sed ':a;N;$!ba;s/\n/\\n/g' ${SRV_TLS_CSR})
+
+  SERVER_CERT_SANS="IP:127.0.0.1,DNS:dind,DNS:*.dind.${NAMESPACE},DNS:*.dind.${NAMESPACE}.svc${KUBE_DOMAIN},DNS:*.cf-cd.com,DNS:*.codefresh.io"
+  if [[ -n "${SERVER_CERT_EXTRA_SANS}" ]]; then
+    SERVER_CERT_SANS=${SERVER_CERT_SANS},${SERVER_CERT_EXTRA_SANS}
+  fi
+  echo "{\"reqSubjectAltName\": \"${SERVER_CERT_SANS}\", \"csr\": \"${CSR}\" }" > ${TMPDIR}/sign_req.json
+
+  rm -fv ${TMP_CERTS_HEADERS_FILE} ${TMP_CERTS_FILE_ZIP}
+
+  SIGN_STATUS=$(curl -k -sSL -d @${TMPDIR}/sign_req.json -H "Content-Type: application/json" -H "Authorization: ${API_TOKEN}" -H "Expect: " \
+        -o ${TMP_CERTS_FILE_ZIP} -D ${TMP_CERTS_HEADERS_FILE} -w '%{http_code}' ${API_HOST}/${API_SIGN_PATH} )
+
+  echo "Sign request completed with HTTP_STATUS_CODE=$SIGN_STATUS"
+  if [[ $SIGN_STATUS != 200 ]]; then
+     echo "ERROR: Cannot sign certificates"
+     if [[ -f ${TMP_CERTS_FILE_ZIP} ]]; then
+       mv ${TMP_CERTS_FILE_ZIP} ${TMP_CERTS_FILE_ZIP}.error
+       cat ${TMP_CERTS_FILE_ZIP}.error
+     fi
+     exit 1
+  fi
+  unzip -o -d ${CERTS_DIR}/  ${TMP_CERTS_FILE_ZIP} || fatal "Failed to unzip certificates to ${CERTS_DIR} "
+  cp -v ${CF_SRV_TLS_CA_CERT} $SRV_TLS_CA_CERT || fatal "received ${TMP_CERTS_FILE_ZIP} does not contains ca.pem"
+  cp -v ${CF_SRV_TLS_CERT} $SRV_TLS_CERT || fatal "received ${TMP_CERTS_FILE_ZIP} does not contains cf-server-cert.pem"
+
+
+echo -e "\n------------------\nCreating certificate secret "
+
+kubectl -n $NAMESPACE create secret generic $K8S_CERT_SECRET_NAME \
+    --from-file=$SRV_TLS_CA_CERT \
+    --from-file=$SRV_TLS_KEY \
+    --from-file=$SRV_TLS_CERT \
+    --dry-run=client -o yaml | kubectl apply --overwrite -f -
+kubectl -n $NAMESPACE label --overwrite secret ${K8S_CERT_SECRET_NAME} codefresh.io/internal=true
+kubectl -n $NAMESPACE patch secret $K8S_CERT_SECRET_NAME -p '{"metadata": {"finalizers": ["kubernetes"]}}'

charts/codefresh/cf-runtime/6.3.52/files/init-runtime.sh

@@ -0,0 +1,80 @@
+#!/bin/bash
+
+echo "-----"
+echo "API_HOST:         ${API_HOST}"
+echo "AGENT_NAME:       ${AGENT_NAME}"
+echo "KUBE_CONTEXT:     ${KUBE_CONTEXT}"
+echo "KUBE_NAMESPACE:   ${KUBE_NAMESPACE}"
+echo "OWNER_NAME:       ${OWNER_NAME}"
+echo "RUNTIME_NAME:     ${RUNTIME_NAME}"
+echo "SECRET_NAME:      ${SECRET_NAME}"
+echo "-----"
+
+create_agent_secret() {
+
+  kubectl apply -f - <<EOF
+  apiVersion: v1
+  kind: Secret
+  type: Opaque
+  metadata:
+    name: ${SECRET_NAME}
+    namespace: ${KUBE_NAMESPACE}
+    labels:
+      codefresh.io/internal: "true"
+    finalizers:
+    - kubernetes
+    ownerReferences:
+    - apiVersion: apps/v1
+      kind: Deploy
+      name: ${OWNER_NAME}
+      uid: ${OWNER_UID}
+  stringData:
+    agent-codefresh-token: ${1}
+EOF
+
+}
+
+OWNER_UID=$(kubectl get deploy ${OWNER_NAME} --namespace ${KUBE_NAMESPACE} -o jsonpath='{.metadata.uid}')
+echo "got owner uid: ${OWNER_UID}"
+
+if [ ! -z "${AGENT_CODEFRESH_TOKEN}" ]; then
+    echo "-----"
+    echo "runtime and agent are already initialized"
+    echo "-----"
+    exit 0
+fi
+
+if [ ! -z "${EXISTING_AGENT_CODEFRESH_TOKEN}" ]; then
+    echo "using existing agentToken value"
+    create_agent_secret $EXISTING_AGENT_CODEFRESH_TOKEN
+    exit 0
+fi
+
+if [ -z "${USER_CODEFRESH_TOKEN}" ]; then
+    echo "-----"
+    echo "missing codefresh user token. must supply \".global.codefreshToken\" if agent-codefresh-token does not exist"
+    echo "-----"
+    exit 1
+fi
+
+codefresh auth create-context --api-key ${USER_CODEFRESH_TOKEN} --url ${API_HOST}
+
+# AGENT_TOKEN might be empty, in which case it will be returned by the call
+RES=$(codefresh install agent \
+    --name ${AGENT_NAME} \
+    --kube-context-name ${KUBE_CONTEXT} \
+    --kube-namespace ${KUBE_NAMESPACE} \
+    --agent-kube-namespace ${KUBE_NAMESPACE} \
+    --install-runtime \
+    --runtime-name ${RUNTIME_NAME} \
+    --skip-cluster-creation \
+    --platform-only)
+
+AGENT_CODEFRESH_TOKEN=$(echo "${RES}" | tail -n 1)
+echo "generated agent + runtime in platform"
+
+create_agent_secret $AGENT_CODEFRESH_TOKEN
+
+echo "-----"
+echo "done initializing runtime and agent"
+echo "-----"

charts/codefresh/cf-runtime/6.3.52/files/reconcile-runtime.sh

@@ -0,0 +1,38 @@
+#!/bin/bash
+
+echo "-----"
+echo "API_HOST:             ${API_HOST}"
+echo "KUBE_CONTEXT:         ${KUBE_CONTEXT}"
+echo "KUBE_NAMESPACE:       ${KUBE_NAMESPACE}"
+echo "OWNER_NAME:           ${OWNER_NAME}"
+echo "RUNTIME_NAME:         ${RUNTIME_NAME}"
+echo "CONFIGMAP_NAME:       ${CONFIGMAP_NAME}"
+echo "RECONCILE_INTERVAL:   ${RECONCILE_INTERVAL}"
+echo "-----"
+
+msg() { echo -e "\e[32mINFO ---> $1\e[0m"; }
+err() { echo -e "\e[31mERR ---> $1\e[0m" ; return 1; }
+
+
+if [ -z "${USER_CODEFRESH_TOKEN}" ]; then
+    err "missing codefresh user token. must supply \".global.codefreshToken\" if agent-codefresh-token does not exist"
+    exit 1
+fi
+
+codefresh auth create-context --api-key ${USER_CODEFRESH_TOKEN} --url ${API_HOST}
+
+while true; do
+  msg "Reconciling ${RUNTIME_NAME} runtime"
+
+  sleep $RECONCILE_INTERVAL
+
+  codefresh get re \
+      --name ${RUNTIME_NAME} \
+      -o yaml \
+      | yq 'del(.version, .metadata.changedBy, .metadata.creationTime)' > /tmp/runtime.yaml
+
+  kubectl get cm ${CONFIGMAP_NAME} -n ${KUBE_NAMESPACE} -o yaml \
+  | yq 'del(.metadata.resourceVersion, .metadata.uid)' \
+  | yq eval '.data["runtime.yaml"] = load_str("/tmp/runtime.yaml")' \
+  | kubectl apply -f -
+done

charts/codefresh/cf-runtime/6.3.52/templates/_components/app-proxy/_deployment.yaml

@@ -0,0 +1,70 @@
+{{- define "app-proxy.resources.deployment" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "app-proxy.fullname" . }}
+  labels:
+    {{- include "app-proxy.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicasCount }}
+  strategy:
+    type: {{ .Values.updateStrategy.type }}
+  selector:
+    matchLabels:
+      {{- include "app-proxy.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "app-proxy.selectorLabels" . | nindent 8 }}
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
+      serviceAccountName: {{ include "app-proxy.serviceAccountName" . }}
+      {{- if .Values.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
+      containers:
+      - name: app-proxy
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+        imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
+        env:
+        {{- include "app-proxy.environment-variables" . | nindent 8 }}
+        ports:
+        - name: http
+          containerPort: 3000
+        readinessProbe:
+          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.readinessProbe.successThreshold }}
+          failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+          httpGet:
+            path: /health
+            port: http
+        resources:
+          {{- toYaml .Values.resources | nindent 12  }}
+        volumeMounts:
+        {{- with .Values.extraVolumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      volumes:
+      {{- with .Values.extraVolumes }}
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.3.52/templates/_components/app-proxy/_env-vars.yaml

@@ -0,0 +1,19 @@
+{{- define "app-proxy.environment-variables.defaults" }}
+PORT: 3000
+{{- end }}
+
+{{- define "app-proxy.environment-variables.calculated" }}
+CODEFRESH_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+{{- with .Values.ingress.pathPrefix }}
+API_PATH_PREFIX: {{ . | quote }}
+{{- end }}
+{{- end }}
+
+{{- define "app-proxy.environment-variables" }}
+{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{- $defaults := (include "app-proxy.environment-variables.defaults" . | fromYaml) }}
+{{- $calculated := (include "app-proxy.environment-variables.calculated" . | fromYaml) }}
+{{- $overrides := .Values.env }}
+{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/_components/app-proxy/_helpers.tpl

@@ -0,0 +1,43 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "app-proxy.name" -}}
+    {{- printf "%s-%s" (include "cf-runtime.name" .) "app-proxy" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "app-proxy.fullname" -}}
+    {{- printf "%s-%s" (include "cf-runtime.fullname" .) "app-proxy" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "app-proxy.labels" -}}
+{{ include "cf-runtime.labels" . }}
+codefresh.io/application: app-proxy
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "app-proxy.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+codefresh.io/application: app-proxy
+{{- end }}
+
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "app-proxy.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "app-proxy.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/_components/app-proxy/_ingress.yaml

@@ -0,0 +1,32 @@
+{{- define "app-proxy.resources.ingress" -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ include "app-proxy.fullname" . }}
+  labels: {{- include "app-proxy.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingress.class (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingress.class }}
+  {{- end }}
+  {{- if .Values.ingress.tlsSecret }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.host }}
+      secretName: {{ .Values.tlsSecret }}
+  {{- end }}
+  rules:
+    - host: {{ .Values.ingress.host }}
+      http:
+        paths:
+          - path: {{ .Values.ingress.pathPrefix | default "/" }}
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: {{ include "app-proxy.fullname" . }}
+                port:
+                  number: 80
+{{- end -}}

charts/codefresh/cf-runtime/6.3.52/templates/_components/app-proxy/_rbac.yaml

@@ -0,0 +1,47 @@
+{{- define "app-proxy.resources.rbac" -}}
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "app-proxy.serviceAccountName" . }}
+  labels:
+    {{- include "app-proxy.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
+{{- if .Values.rbac.create }}
+kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }}
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "app-proxy.fullname" . }}
+  labels:
+    {{- include "app-proxy.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "secrets" ]
+    verbs: [ "get" ]
+{{- with .Values.rbac.rules }}
+  {{ toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+---
+{{- if and .Values.serviceAccount.create .Values.rbac.create }}
+kind: {{ .Values.rbac.namespaced | ternary "RoleBinding" "ClusterRoleBinding" }}
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "app-proxy.fullname" . }}
+  labels:
+    {{- include "app-proxy.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "app-proxy.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ include "app-proxy.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.3.52/templates/_components/app-proxy/_service.yaml

@@ -0,0 +1,17 @@
+{{- define "app-proxy.resources.service" -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "app-proxy.fullname" . }}
+  labels:
+    {{- include "app-proxy.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 3000
+  selector:
+    {{- include "app-proxy.selectorLabels" . | nindent 4 }}
+{{- end -}}

charts/codefresh/cf-runtime/6.3.52/templates/_components/event-exporter/_deployment.yaml

@@ -0,0 +1,62 @@
+{{- define "event-exporter.resources.deployment" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "event-exporter.fullname" . }}
+  labels:
+    {{- include "event-exporter.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicasCount }}
+  strategy:
+    type: {{ .Values.updateStrategy.type }}
+  selector:
+    matchLabels:
+      {{- include "event-exporter.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "event-exporter.selectorLabels" . | nindent 8 }}
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
+      serviceAccountName: {{ include "event-exporter.serviceAccountName" . }}
+      {{- if .Values.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
+      containers:
+      - name: event-exporter
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+        imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
+        args: [--running-in-cluster=true]
+        env:
+        {{- include "event-exporter.environment-variables" . | nindent 8 }}
+        ports:
+        - name: metrics
+          containerPort: 9102
+        resources:
+          {{- toYaml .Values.resources | nindent 12  }}
+        volumeMounts:
+        {{- with .Values.extraVolumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      volumes:
+      {{- with .Values.extraVolumes }}
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.3.52/templates/_components/event-exporter/_env-vars.yaml

@@ -0,0 +1,14 @@
+{{- define "event-exporter.environment-variables.defaults" }}
+{{- end }}
+
+{{- define "event-exporter.environment-variables.calculated" }}
+{{- end }}
+
+{{- define "event-exporter.environment-variables" }}
+{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{- $defaults := (include "event-exporter.environment-variables.defaults" . | fromYaml) }}
+{{- $calculated := (include "event-exporter.environment-variables.calculated" . | fromYaml) }}
+{{- $overrides := .Values.env }}
+{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/_components/event-exporter/_helpers.tpl

@@ -0,0 +1,43 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "event-exporter.name" -}}
+    {{- printf "%s-%s" (include "cf-runtime.name" .) "event-exporter" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "event-exporter.fullname" -}}
+    {{- printf "%s-%s" (include "cf-runtime.fullname" .) "event-exporter" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "event-exporter.labels" -}}
+{{ include "cf-runtime.labels" . }}
+app: event-exporter
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "event-exporter.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+app: event-exporter
+{{- end }}
+
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "event-exporter.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "event-exporter.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/_components/event-exporter/_rbac.yaml

@@ -0,0 +1,47 @@
+{{- define "event-exporter.resources.rbac" -}}
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "event-exporter.serviceAccountName" . }}
+  labels:
+    {{- include "event-exporter.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
+{{- if .Values.rbac.create }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "event-exporter.fullname" . }}
+  labels:
+    {{- include "event-exporter.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [""]
+    resources: [events]
+    verbs: [get, list, watch]
+{{- with .Values.rbac.rules }}
+  {{ toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+---
+{{- if and .Values.serviceAccount.create .Values.rbac.create }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "event-exporter.fullname" . }}
+  labels:
+    {{- include "event-exporter.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "event-exporter.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "event-exporter.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.3.52/templates/_components/event-exporter/_service.yaml

@@ -0,0 +1,17 @@
+{{- define "event-exporter.resources.service" -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "event-exporter.fullname" . }}
+  labels:
+    {{- include "event-exporter.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  ports:
+  - name: metrics
+    port: 9102
+    targetPort: metrics
+    protocol: TCP
+  selector:
+    {{- include "event-exporter.selectorLabels" . | nindent 4 }}
+{{- end -}}

charts/codefresh/cf-runtime/6.3.52/templates/_components/event-exporter/_serviceMontor.yaml

@@ -0,0 +1,14 @@
+{{- define "event-exporter.resources.serviceMonitor" -}}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "event-exporter.fullname" . }}
+  labels:
+    {{- include "event-exporter.labels" . | nindent 4 }}
+spec:
+  endpoints:
+  - port: metrics
+  selector:
+    matchLabels:
+    {{- include "event-exporter.selectorLabels" . | nindent 6 }}
+{{- end -}}

charts/codefresh/cf-runtime/6.3.52/templates/_components/monitor/_deployment.yaml

@@ -0,0 +1,70 @@
+{{- define "monitor.resources.deployment" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "monitor.fullname" . }}
+  labels:
+    {{- include "monitor.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicasCount }}
+  strategy:
+    type: {{ .Values.updateStrategy.type }}
+  selector:
+    matchLabels:
+      {{- include "monitor.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "monitor.selectorLabels" . | nindent 8 }}
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
+      serviceAccountName: {{ include "monitor.serviceAccountName" . }}
+      {{- if .Values.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
+      containers:
+      - name: monitor
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+        imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
+        env:
+        {{- include "monitor.environment-variables" . | nindent 8 }}
+        ports:
+        - name: http
+          containerPort: 9020
+        readinessProbe:
+          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.readinessProbe.successThreshold }}
+          failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+          httpGet:
+            path: /api/ping
+            port: 9020
+        resources:
+          {{- toYaml .Values.resources | nindent 12  }}
+        volumeMounts:
+        {{- with .Values.extraVolumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      volumes:
+      {{- with .Values.extraVolumes }}
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.3.52/templates/_components/monitor/_env-vars.yaml

@@ -0,0 +1,26 @@
+{{- define "monitor.environment-variables.defaults" }}
+SERVICE_NAME: {{ include "monitor.fullname" . }}
+PORT: 9020
+HELM3: true
+NODE_OPTIONS: "--max_old_space_size=4096"
+{{- end }}
+
+{{- define "monitor.environment-variables.calculated" }}
+API_TOKEN: {{ include "runtime.installation-token-env-var-value" . | nindent 2 }}
+CLUSTER_ID: {{ include "runtime.runtime-environment-spec.context-name" . }}
+API_URL: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}/api/k8s-monitor/events
+ACCOUNT_ID: {{ .Values.global.accountId }}
+NAMESPACE: {{ .Release.Namespace }}
+{{- if .Values.rbac.namespaced }}
+ROLE_BINDING: true
+{{- end }}
+{{- end }}
+
+{{- define "monitor.environment-variables" }}
+{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{- $defaults := (include "monitor.environment-variables.defaults" . | fromYaml) }}
+{{- $calculated := (include "monitor.environment-variables.calculated" . | fromYaml) }}
+{{- $overrides := .Values.env }}
+{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/_components/monitor/_helpers.tpl

@@ -0,0 +1,42 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "monitor.name" -}}
+    {{- printf "%s-%s" (include "cf-runtime.name" .) "monitor" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "monitor.fullname" -}}
+    {{- printf "%s-%s" (include "cf-runtime.fullname" .) "monitor" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "monitor.labels" -}}
+{{ include "cf-runtime.labels" . }}
+codefresh.io/application: monitor
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "monitor.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+codefresh.io/application: monitor
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "monitor.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "monitor.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/_components/monitor/_rbac.yaml

@@ -0,0 +1,56 @@
+{{- define "monitor.resources.rbac" -}}
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "monitor.serviceAccountName" . }}
+  labels:
+    {{- include "monitor.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
+{{- if .Values.rbac.create }}
+kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }}
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "monitor.fullname" . }}
+  labels:
+    {{- include "monitor.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "*" ]
+    verbs: [ "get", "list", "watch", "create", "delete" ]
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ "get", "list", "watch", "create", "deletecollection" ]
+  - apiGroups: [ "extensions" ]
+    resources: [ "*" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "apps" ]
+    resources: [ "*" ]
+    verbs: [ "get", "list", "watch" ]
+{{- with .Values.rbac.rules }}
+  {{ toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+---
+{{- if and .Values.serviceAccount.create .Values.rbac.create }}
+kind: {{ .Values.rbac.namespaced | ternary "RoleBinding" "ClusterRoleBinding" }}
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "monitor.fullname" . }}
+  labels:
+    {{- include "monitor.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "monitor.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: {{ .Values.rbac.namespaced | ternary "Role" "ClusterRole" }}
+  name: {{ include "monitor.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.3.52/templates/_components/monitor/_service.yaml

@@ -0,0 +1,17 @@
+{{- define "monitor.resources.service" -}}
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "monitor.fullname" . }}
+  labels:
+    {{- include "monitor.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  ports:
+  - name: http
+    port: 80
+    protocol: TCP
+    targetPort: 9020
+  selector:
+    {{- include "monitor.selectorLabels" . | nindent 4 }}
+{{- end -}}

charts/codefresh/cf-runtime/6.3.52/templates/_components/runner/_deployment.yaml

@@ -0,0 +1,103 @@
+{{- define "runner.resources.deployment" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "runner.fullname" . }}
+  labels:
+    {{- include "runner.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicasCount }}
+  strategy:
+    type: {{ .Values.updateStrategy.type }}
+  selector:
+    matchLabels:
+      {{- include "runner.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "runner.selectorLabels" . | nindent 8 }}
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
+      serviceAccountName: {{ include "runner.serviceAccountName" . }}
+      {{- if .Values.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
+      initContainers:
+      - name: init
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.init.image "context" .) }}
+        imagePullPolicy: {{ .Values.init.image.pullPolicy | default "IfNotPresent" }}
+        command:
+        - /bin/bash
+        args:
+        - -ec
+        - | {{ .Files.Get "files/init-runtime.sh" | nindent 10 }}
+        env:
+        {{- include "runner-init.environment-variables" . | nindent 8 }}
+        {{- with .Values.init.resources }}
+        resources:
+          {{- toYaml . | nindent 10  }}
+        {{- end }}
+      containers:
+      - name: runner
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+        imagePullPolicy: {{ .Values.image.pullPolicy | default "IfNotPresent" }}
+        env:
+        {{- include "runner.environment-variables" . | nindent 8 }}
+        ports:
+        - name: http
+          containerPort: 8080
+        readinessProbe:
+          initialDelaySeconds: {{ .Values.readinessProbe.initialDelaySeconds }}
+          periodSeconds: {{ .Values.readinessProbe.periodSeconds }}
+          timeoutSeconds: {{ .Values.readinessProbe.timeoutSeconds }}
+          successThreshold: {{ .Values.readinessProbe.successThreshold }}
+          failureThreshold: {{ .Values.readinessProbe.failureThreshold }}
+          httpGet:
+            path: /health
+            port: http
+        {{- with .Values.resources }}
+        resources:
+          {{- toYaml . | nindent 10  }}
+        {{- end }}
+        {{- with .Values.extraVolumeMounts }}
+        volumeMounts:
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- if .Values.sidecar.enabled }}
+      - name: reconcile-runtime
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.sidecar.image "context" .) }}
+        imagePullPolicy: {{ .Values.sidecar.image.pullPolicy | default "IfNotPresent" }}
+        command:
+        - /bin/bash
+        args:
+        - -ec
+        - | {{ .Files.Get "files/reconcile-runtime.sh" | nindent 10 }}
+        env:
+        {{- include "runner-sidecar.environment-variables" . | nindent 8 }}
+        {{- with .Values.sidecar.resources }}
+        resources:
+          {{- toYaml . | nindent 10  }}
+        {{- end }}
+      {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      {{- with .Values.extraVolumes }}
+      volumes:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.3.52/templates/_components/runner/_helpers.tpl

@@ -0,0 +1,42 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "runner.name" -}}
+  {{- printf "%s-%s" (include "cf-runtime.name" .) "runner" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "runner.fullname" -}}
+  {{- printf "%s-%s" (include "cf-runtime.fullname" .) "runner" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "runner.labels" -}}
+{{ include "cf-runtime.labels" . }}
+codefresh.io/application: runner
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "runner.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+codefresh.io/application: runner
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "runner.serviceAccountName" -}}
+  {{- if .Values.serviceAccount.create }}
+    {{- default (include "runner.fullname" .) .Values.serviceAccount.name }}
+  {{- else }}
+    {{- default "default" .Values.serviceAccount.name }}
+  {{- end }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/_components/runner/_rbac.yaml

@@ -0,0 +1,53 @@
+{{- define "runner.resources.rbac" -}}
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "runner.serviceAccountName" . }}
+  labels:
+    {{- include "runner.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
+{{- if .Values.rbac.create }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "runner.fullname" . }}
+  labels:
+    {{- include "runner.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "pods", "persistentvolumeclaims" ]
+    verbs: [ "get", "create", "delete", patch ]
+  - apiGroups: [ "" ]
+    resources: [ "configmaps", "secrets" ]
+    verbs: [ "get", "create", "update", patch ]
+  - apiGroups: [ "apps" ]
+    resources: [ "deployments" ]
+    verbs: [ "get" ]
+{{- with .Values.rbac.rules }}
+  {{ toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+---
+{{- if and .Values.serviceAccount.create .Values.rbac.create }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "runner.fullname" . }}
+  labels:
+    {{- include "runner.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "runner.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ include "runner.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.3.52/templates/_components/runner/environment-variables/_init-container.yaml

@@ -0,0 +1,30 @@
+{{- define "runner-init.environment-variables.defaults" }}
+HOME: /tmp
+{{- end }}
+
+{{- define "runner-init.environment-variables.calculated" }}
+AGENT_NAME: {{ include "runtime.runtime-environment-spec.agent-name" . }}
+API_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+AGENT_CODEFRESH_TOKEN:
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "runner.fullname" . }}
+      key: agent-codefresh-token
+      optional: true
+EXISTING_AGENT_CODEFRESH_TOKEN: {{ include "runtime.agent-token-env-var-value" . | nindent 2 }}
+KUBE_CONTEXT: {{ include "runtime.runtime-environment-spec.context-name" . }}
+KUBE_NAMESPACE: {{ .Release.Namespace }}
+OWNER_NAME: {{ include "runner.fullname" . }}
+RUNTIME_NAME: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
+SECRET_NAME: {{ include "runner.fullname" . }}
+USER_CODEFRESH_TOKEN: {{ include "runtime.installation-token-env-var-value" . | nindent 2 }}
+{{- end }}
+
+{{- define "runner-init.environment-variables" }}
+  {{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+  {{- $defaults := (include "runner-init.environment-variables.defaults" . | fromYaml) }}
+  {{- $calculated := (include "runner-init.environment-variables.calculated" . | fromYaml) }}
+  {{- $overrides := .Values.env }}
+  {{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+  {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/_components/runner/environment-variables/_main-container.yaml

@@ -0,0 +1,28 @@
+{{- define "runner.environment-variables.defaults" }}
+AGENT_MODE: InCluster
+SELF_DEPLOYMENT_NAME:
+  valueFrom:
+    fieldRef:
+      fieldPath: metadata.name
+{{- end }}
+
+{{- define "runner.environment-variables.calculated" }}
+AGENT_ID: {{ include "runtime.runtime-environment-spec.agent-name" . }}
+CODEFRESH_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+CODEFRESH_IN_CLUSTER_RUNTIME: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
+CODEFRESH_TOKEN:
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "runner.fullname" . }}
+      key: agent-codefresh-token
+DOCKER_REGISTRY: {{ .Values.global.imageRegistry }}
+{{- end }}
+
+{{- define "runner.environment-variables" }}
+{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{- $defaults := (include "runner.environment-variables.defaults" . | fromYaml) }}
+{{- $calculated := (include "runner.environment-variables.calculated" . | fromYaml) }}
+{{- $overrides := .Values.env }}
+{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/_components/runner/environment-variables/_sidecar-container.yaml

@@ -0,0 +1,22 @@
+{{- define "runner-sidecar.environment-variables.defaults" }}
+HOME: /tmp
+{{- end }}
+
+{{- define "runner-sidecar.environment-variables.calculated" }}
+API_HOST: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+USER_CODEFRESH_TOKEN: {{ include "runtime.installation-token-env-var-value" . | nindent 2 }}
+KUBE_CONTEXT: {{ include "runtime.runtime-environment-spec.context-name" . }}
+KUBE_NAMESPACE: {{ .Release.Namespace }}
+OWNER_NAME: {{ include "runner.fullname" . }}
+RUNTIME_NAME: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
+CONFIGMAP_NAME: {{ printf "%s-%s" (include "runtime.fullname" .) "spec" }}
+{{- end }}
+
+{{- define "runner-sidecar.environment-variables" }}
+  {{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+  {{- $defaults := (include "runner-sidecar.environment-variables.defaults" . | fromYaml) }}
+  {{- $calculated := (include "runner-sidecar.environment-variables.calculated" . | fromYaml) }}
+  {{- $overrides := .Values.sidecar.env }}
+  {{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+  {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/_components/volume-provisioner/_cronjob.yaml

@@ -0,0 +1,58 @@
+{{- define "dind-volume-provisioner.resources.cronjob" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{- if not (eq .Values.storage.backend "local") }}
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ include "dind-volume-cleanup.fullname" . }}
+  labels:
+    {{- include "dind-volume-cleanup.labels" . | nindent 4 }}
+spec:
+  concurrencyPolicy: {{ .Values.concurrencyPolicy }}
+  schedule: {{ .Values.schedule | quote }}
+  successfulJobsHistoryLimit: {{ .Values.successfulJobsHistory }}
+  failedJobsHistoryLimit: {{ .Values.failedJobsHistory }}
+  {{- with .Values.suspend }}
+  suspend: {{ . }}
+  {{- end }}
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            {{- include "dind-volume-cleanup.selectorLabels" . | nindent 12 }}
+          {{- with .Values.podAnnotations }}
+          annotations:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+        spec:
+          {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 10 }}
+          serviceAccountName: {{ include "dind-volume-provisioner.serviceAccountName" . }}
+          {{- if .Values.podSecurityContext.enabled }}
+          securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
+          restartPolicy: {{ .Values.restartPolicy | default "Never" }}
+          containers:
+          - name: dind-volume-cleanup
+            image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+            imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
+            env:
+            {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" .Values.env "context" .) | nindent 12 }}
+            - name: PROVISIONED_BY
+              value: {{ include "dind-volume-provisioner.volumeProvisionerName" . }}
+            resources:
+            {{- toYaml .Values.resources | nindent 14 }}
+          {{- with .Values.nodeSelector }}
+          nodeSelector:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.affinity }}
+          affinity:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.tolerations }}
+          tolerations:
+            {{- toYaml . | nindent 10 }}
+          {{- end }}
+  {{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.3.52/templates/_components/volume-provisioner/_daemonset.yaml

@@ -0,0 +1,98 @@
+{{- define "dind-volume-provisioner.resources.daemonset" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $localVolumeParentDir := .Values.storage.local.volumeParentDir  }}
+{{- if eq .Values.storage.backend "local" }}
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: {{ include "dind-lv-monitor.fullname" . }}
+  labels:
+    {{- include "dind-lv-monitor.labels" . | nindent 4 }}
+spec:
+  selector:
+    matchLabels:
+      {{- include "dind-lv-monitor.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "dind-lv-monitor.selectorLabels" . | nindent 8 }}
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
+      serviceAccountName: {{ include "dind-volume-provisioner.serviceAccountName" . }}
+      {{- if .Values.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
+      {{- if .Values.volumePermissions.enabled }}
+      initContainers:
+      - name: volume-permissions
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.volumePermissions.image "context" .) }}
+        imagePullPolicy: {{ .Values.volumePermissions.image.pullPolicy | default "Always" }}
+        command:
+         - /bin/sh
+        args:
+         - -ec
+         - |
+           chown -R {{ .Values.podSecurityContext.runAsUser }}:{{ .Values.podSecurityContext.fsGroup }} {{ $localVolumeParentDir }}
+        volumeMounts:
+        - mountPath: {{ $localVolumeParentDir }}
+          name: dind-volume-dir
+        {{- if eq ( toString ( .Values.volumePermissions.securityContext.runAsUser )) "auto" }}
+        securityContext: {{- omit .Values.volumePermissions.securityContext "runAsUser" | toYaml | nindent 10 }}
+        {{- else }}
+        securityContext: {{- .Values.volumePermissions.securityContext | toYaml | nindent 10 }}
+        {{- end }}
+        resources:
+          {{- toYaml .Values.volumePermissions.resources | nindent 10 }}
+      {{- end }}
+      containers:
+      - name: dind-lv-monitor
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+        imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
+        {{- if .Values.containerSecurityContext.enabled }}
+        securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 10 }}
+        {{- end }}
+        command:
+          - /home/dind-volume-utils/bin/local-volumes-agent
+        env:
+          {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" .Values.env "context" .) | nindent 10 }}
+          - name: NODE_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.nodeName
+          - name: VOLUME_PARENT_DIR
+            value: {{ $localVolumeParentDir }}
+        resources:
+          {{- toYaml .Values.resources | nindent 10  }}
+        volumeMounts:
+        - mountPath: {{ $localVolumeParentDir }}
+          readOnly: false
+          name: dind-volume-dir
+        {{- with .Values.extraVolumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      volumes:
+      - name: dind-volume-dir
+        hostPath:
+          path: {{ $localVolumeParentDir }}
+      {{- with .Values.extraVolumes }}
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.3.52/templates/_components/volume-provisioner/_deployment.yaml

@@ -0,0 +1,67 @@
+{{- define "dind-volume-provisioner.resources.deployment" -}}
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "dind-volume-provisioner.fullname" . }}
+  labels:
+    {{- include "dind-volume-provisioner.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicasCount }}
+  strategy:
+    type: {{ .Values.updateStrategy.type }}
+  selector:
+    matchLabels:
+      {{- include "dind-volume-provisioner.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        {{- include "dind-volume-provisioner.selectorLabels" . | nindent 8 }}
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    spec:
+      {{- include (printf "%s.image.pullSecrets" $cfCommonTplSemver ) . | nindent 8 }}
+      serviceAccountName: {{ include "dind-volume-provisioner.serviceAccountName" . }}
+      {{- if .Values.podSecurityContext.enabled }}
+      securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
+      {{- end }}
+      containers:
+      - name: dind-volume-provisioner
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" .Values.image "context" .) }}
+        imagePullPolicy: {{ .Values.image.pullPolicy | default "Always" }}
+        command:
+          - /usr/local/bin/dind-volume-provisioner
+          - -v=4
+          - --resync-period=50s
+        env:
+        {{- include "dind-volume-provisioner.environment-variables" . | nindent 8 }}
+        ports:
+        - name: http
+          containerPort: 8080
+        resources:
+          {{- toYaml .Values.resources | nindent 12  }}
+        volumeMounts:
+        {{- include "dind-volume-provisioner.volumeMounts.calculated" . | nindent 8 }}
+        {{- with .Values.extraVolumeMounts }}
+          {{- toYaml . | nindent 8 }}
+        {{- end }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      volumes:
+      {{- include "dind-volume-provisioner.volumes.calculated" . | nindent 6 }}
+      {{- with .Values.extraVolumes }}
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.3.52/templates/_components/volume-provisioner/_env-vars.yaml

@@ -0,0 +1,88 @@
+{{- define "dind-volume-provisioner.environment-variables.defaults" }}
+{{- end }}
+
+{{- define "dind-volume-provisioner.environment-variables.calculated" }}
+DOCKER_REGISTRY: {{ .Values.global.imageRegistry }}
+PROVISIONER_NAME: {{ include "dind-volume-provisioner.volumeProvisionerName" . }}
+
+{{- if or .Values.storage.ebs.accessKeyId .Values.storage.ebs.accessKeyIdSecretKeyRef }}
+AWS_ACCESS_KEY_ID:
+  {{- if .Values.storage.ebs.accessKeyId }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "dind-volume-provisioner.fullname" . }}
+      key: aws_access_key_id
+  {{- else if .Values.storage.ebs.accessKeyIdSecretKeyRef }}
+  valueFrom:
+    secretKeyRef:
+  {{- .Values.storage.ebs.accessKeyIdSecretKeyRef | toYaml | nindent 6 }}
+  {{- end }}
+{{- end }}
+
+{{- if or .Values.storage.ebs.secretAccessKey .Values.storage.ebs.secretAccessKeySecretKeyRef }}
+AWS_SECRET_ACCESS_KEY:
+  {{- if .Values.storage.ebs.secretAccessKey }}
+  valueFrom:
+    secretKeyRef:
+      name: {{ include "dind-volume-provisioner.fullname" . }}
+      key: aws_secret_access_key
+  {{- else if .Values.storage.ebs.secretAccessKeySecretKeyRef }}
+  valueFrom:
+    secretKeyRef:
+  {{- .Values.storage.ebs.secretAccessKeySecretKeyRef | toYaml | nindent 6 }}
+  {{- end }}
+{{- end }}
+
+{{- if or .Values.storage.gcedisk.serviceAccountJson .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }}
+GOOGLE_APPLICATION_CREDENTIALS: {{ printf "/etc/dind-volume-provisioner/credentials/%s" (.Values.storage.gcedisk.serviceAccountJsonSecretKeyRef.key | default "google-service-account.json") }}
+{{- end }}
+
+{{- if and .Values.storage.mountAzureJson }}
+AZURE_CREDENTIAL_FILE: /etc/kubernetes/azure.json
+CLOUDCONFIG_AZURE: /etc/kubernetes/azure.json
+{{- end }}
+
+{{- end }}
+
+{{- define "dind-volume-provisioner.environment-variables" }}
+{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{- $defaults := (include "dind-volume-provisioner.environment-variables.defaults" . | fromYaml) }}
+{{- $calculated := (include "dind-volume-provisioner.environment-variables.calculated" . | fromYaml) }}
+{{- $overrides := .Values.env }}
+{{- $mergedValues := mergeOverwrite (merge $defaults $calculated) $overrides }}
+{{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $mergedValues "context" .) }}
+{{- end }}
+
+
+{{- define "dind-volume-provisioner.volumes.calculated" }}
+  {{- if .Values.storage.gcedisk.serviceAccountJson }}
+- name: credentials
+  secret:
+    secretName: {{ include "dind-volume-provisioner.fullname" . }}
+    optional: true
+  {{- else if .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }}
+- name: credentials
+  secret:
+    secretName: {{ .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef.name }}
+    optional: true
+  {{- end }}
+  {{- if .Values.storage.mountAzureJson }}
+- name: azure-json
+  hostPath:
+    path: /etc/kubernetes/azure.json
+    type: File
+  {{- end }}
+{{- end }}
+
+{{- define "dind-volume-provisioner.volumeMounts.calculated" }}
+  {{- if or .Values.storage.gcedisk.serviceAccountJson .Values.storage.gcedisk.serviceAccountJsonSecretKeyRef }}
+- name: credentials
+  readOnly: true
+  mountPath: "/etc/dind-volume-provisioner/credentials"
+  {{- end }}
+  {{- if .Values.storage.mountAzureJson }}
+- name: azure-json
+  readOnly: true
+  mountPath: "/etc/kubernetes/azure.json"
+  {{- end }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/_components/volume-provisioner/_helpers.tpl

@@ -0,0 +1,93 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "dind-volume-provisioner.name" -}}
+    {{- printf "%s-%s" (include "cf-runtime.name" .) "volume-provisioner" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "dind-volume-provisioner.fullname" -}}
+    {{- printf "%s-%s" (include "cf-runtime.fullname" .) "volume-provisioner" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "dind-volume-cleanup.fullname" -}}
+    {{- printf "%s-%s" (include "cf-runtime.fullname" .) "volume-cleanup" | trunc 52 | trimSuffix "-" }}
+{{- end }}
+
+{{- define "dind-lv-monitor.fullname" -}}
+    {{- printf "%s-%s" (include "cf-runtime.fullname" .) "lv-monitor" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Provisioner name for storage class
+*/}}
+{{- define "dind-volume-provisioner.volumeProvisionerName" }}
+    {{- printf "codefresh.io/dind-volume-provisioner-runner-%s" .Release.Namespace }}
+{{- end }}
+
+{{/*
+Common labels for dind-lv-monitor
+*/}}
+{{- define "dind-lv-monitor.labels" -}}
+{{ include "cf-runtime.labels" . }}
+codefresh.io/application: lv-monitor
+{{- end }}
+
+{{/*
+Selector labels for dind-lv-monitor
+*/}}
+{{- define "dind-lv-monitor.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+codefresh.io/application: lv-monitor
+{{- end }}
+
+{{/*
+Common labels for dind-volume-provisioner
+*/}}
+{{- define "dind-volume-provisioner.labels" -}}
+{{ include "cf-runtime.labels" . }}
+codefresh.io/application: volume-provisioner
+{{- end }}
+
+{{/*
+Selector labels for dind-volume-provisioner
+*/}}
+{{- define "dind-volume-provisioner.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+codefresh.io/application: volume-provisioner
+{{- end }}
+
+{{/*
+Common labels for dind-volume-cleanup
+*/}}
+{{- define "dind-volume-cleanup.labels" -}}
+{{ include "cf-runtime.labels" . }}
+codefresh.io/application: pv-cleanup
+{{- end }}
+
+{{/*
+Common labels for dind-volume-cleanup
+*/}}
+{{- define "dind-volume-cleanup.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+codefresh.io/application: pv-cleanup
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "dind-volume-provisioner.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "dind-volume-provisioner.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
+{{- define "dind-volume-provisioner.storageClassName" }}
+{{- printf "dind-local-volumes-runner-%s" .Release.Namespace }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/_components/volume-provisioner/_rbac.yaml

@@ -0,0 +1,71 @@
+{{- define "dind-volume-provisioner.resources.rbac" -}}
+{{- if .Values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "dind-volume-provisioner.serviceAccountName" . }}
+  labels:
+    {{- include "dind-volume-provisioner.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
+{{- if .Values.rbac.create }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "dind-volume-provisioner.fullname" . }}
+  labels:
+    {{- include "dind-volume-provisioner.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "persistentvolumes" ]
+    verbs: [ "get", "list", "watch", "create", "delete", "patch" ]
+  - apiGroups: [ "" ]
+    resources: [ "persistentvolumeclaims" ]
+    verbs: [ "get", "list", "watch", "update", "delete" ]
+  - apiGroups: [ "storage.k8s.io" ]
+    resources: [ "storageclasses" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "" ]
+    resources: [ "events" ]
+    verbs: [ "list", "watch", "create", "update", "patch" ]
+  - apiGroups: [ "" ]
+    resources: [ "secrets" ]
+    verbs: [ "get", "list" ]
+  - apiGroups: [ "" ]
+    resources: [ "nodes" ]
+    verbs: [ "get", "list", "watch" ]
+  - apiGroups: [ "" ]
+    resources: [ "pods" ]
+    verbs: [ "get", "list", "watch", "create", "delete", "patch" ]
+  - apiGroups: [ "" ]
+    resources: [ "endpoints" ]
+    verbs: [ "get", "list", "watch", "create", "update", "delete" ]
+  - apiGroups: [ "coordination.k8s.io" ]
+    resources: [ "leases" ]
+    verbs: [ "get", "create", "update" ]
+{{- with .Values.rbac.rules }}
+  {{ toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+---
+{{- if and .Values.serviceAccount.create .Values.rbac.create }}
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ include "dind-volume-provisioner.fullname" . }}
+  labels:
+    {{- include "dind-volume-provisioner.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "dind-volume-provisioner.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ include "dind-volume-provisioner.fullname" . }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.3.52/templates/_components/volume-provisioner/_secret.yaml

@@ -0,0 +1,22 @@
+{{- define "dind-volume-provisioner.resources.secret" -}}
+{{- if or .Values.storage.ebs.accessKeyId .Values.storage.ebs.secretAccessKey .Values.storage.gcedisk.serviceAccountJson }}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ include "dind-volume-provisioner.fullname" . }}
+  labels:
+    {{- include "dind-volume-provisioner.labels" . | nindent 4 }}
+stringData:
+  {{- with .Values.storage.gcedisk.serviceAccountJson }}
+  google-service-account.json: |
+{{- . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.storage.ebs.accessKeyId }}
+  aws_access_key_id: {{ . }}
+  {{- end }}
+  {{- with .Values.storage.ebs.secretAccessKey }}
+  aws_secret_access_key: {{ . }}
+  {{- end }}
+{{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.3.52/templates/_components/volume-provisioner/_storageclass.yaml

@@ -0,0 +1,47 @@
+{{- define "dind-volume-provisioner.resources.storageclass" -}}
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+  {{/* has to be exactly that */}}
+  name: {{ include "dind-volume-provisioner.storageClassName" . }}
+  labels:
+    {{- include "dind-volume-provisioner.labels" . | nindent 4 }}
+provisioner: {{ include "dind-volume-provisioner.volumeProvisionerName" . }}
+parameters:
+{{- if eq .Values.storage.backend "local" }}
+  volumeBackend: local
+  volumeParentDir: {{ .Values.storage.local.volumeParentDir }}
+{{- else if eq .Values.storage.backend "gcedisk" }}
+  volumeBackend: {{ .Values.storage.backend }}
+  type: {{ .Values.storage.gcedisk.volumeType | default "pd-ssd" }}
+  zone: {{ required ".Values.storage.gcedisk.availabilityZone is required" .Values.storage.gcedisk.availabilityZone }}
+  fsType: {{ .Values.storage.fsType | default "ext4" }}
+{{- else if or (eq .Values.storage.backend "ebs") (eq .Values.storage.backend "ebs-csi")}}
+  volumeBackend: {{ .Values.storage.backend }}
+  VolumeType: {{ .Values.storage.ebs.volumeType | default "gp3" }}
+  AvailabilityZone: {{ required ".Values.storage.ebs.availabilityZone is required" .Values.storage.ebs.availabilityZone }}
+  fsType: {{ .Values.storage.fsType | default "ext4" }}
+  encrypted: {{ .Values.storage.ebs.encrypted | default "false" | quote }}
+  {{- with .Values.storage.ebs.kmsKeyId }}
+  kmsKeyId: {{ . | quote }}
+  {{- end }}
+  {{- with .Values.storage.ebs.iops }}
+  iops: {{ . | quote }}
+  {{- end }}
+  {{- with .Values.storage.ebs.throughput }}
+  throughput: {{ . | quote }}
+  {{- end }}
+{{- else if or (eq .Values.storage.backend "azuredisk") (eq .Values.storage.backend "azuredisk-csi")}}
+  volumeBackend: {{ .Values.storage.backend }}
+  kind: managed
+  skuName: {{ .Values.storage.azuredisk.skuName | default "Premium_LRS" }}
+  fsType: {{ .Values.storage.fsType | default "ext4" }}
+  cachingMode: {{ .Values.storage.azuredisk.cachingMode | default "None" }}
+  {{- with .Values.storage.azuredisk.availabilityZone }}
+  availabilityZone: {{ . | quote }}
+  {{- end }}
+  {{- with .Values.storage.azuredisk.resourceGroup }}
+  resourceGroup: {{ . | quote }}
+  {{- end }}
+{{- end }}
+{{- end -}}

charts/codefresh/cf-runtime/6.3.52/templates/_helpers.tpl

@@ -0,0 +1,51 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cf-runtime.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cf-runtime.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cf-runtime.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "cf-runtime.labels" -}}
+helm.sh/chart: {{ include "cf-runtime.chart" . }}
+{{ include "cf-runtime.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "cf-runtime.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "cf-runtime.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/app-proxy/deployment.yaml

@@ -0,0 +1,9 @@
+{{- $appProxyContext := deepCopy . }}
+{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }}
+{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }}
+{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $appProxyContext.Values.enabled }}
+{{- include "app-proxy.resources.deployment" $appProxyContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/app-proxy/ingress.yaml

@@ -0,0 +1,9 @@
+{{- $appProxyContext := deepCopy . }}
+{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }}
+{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }}
+{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $appProxyContext.Values.enabled }}
+{{- include "app-proxy.resources.ingress" $appProxyContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/app-proxy/rbac.yaml

@@ -0,0 +1,9 @@
+{{- $appProxyContext := deepCopy . }}
+{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }}
+{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }}
+{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $appProxyContext.Values.enabled }}
+{{- include "app-proxy.resources.rbac" $appProxyContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/app-proxy/service.yaml

@@ -0,0 +1,9 @@
+{{- $appProxyContext := deepCopy . }}
+{{- $_ := set $appProxyContext "Values" (get .Values "appProxy") }}
+{{- $_ := set $appProxyContext.Values "global" (get .Values "global") }}
+{{- $_ := set $appProxyContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $appProxyContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $appProxyContext.Values.enabled }}
+{{- include "app-proxy.resources.service" $appProxyContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/event-exporter/deployment.yaml

@@ -0,0 +1,9 @@
+{{- $eventExporterContext := deepCopy . }}
+{{- $_ := set $eventExporterContext "Values" (get .Values "event-exporter") }}
+{{- $_ := set $eventExporterContext.Values "global" (get .Values "global") }}
+{{- $_ := set $eventExporterContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $eventExporterContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if and $eventExporterContext.Values.enabled }}
+{{- include "event-exporter.resources.deployment" $eventExporterContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/event-exporter/rbac.yaml

@@ -0,0 +1,9 @@
+{{- $eventExporterContext := deepCopy . }}
+{{- $_ := set $eventExporterContext "Values" (get .Values "event-exporter") }}
+{{- $_ := set $eventExporterContext.Values "global" (get .Values "global") }}
+{{- $_ := set $eventExporterContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $eventExporterContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if and $eventExporterContext.Values.enabled }}
+{{- include "event-exporter.resources.rbac" $eventExporterContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/event-exporter/service.yaml

@@ -0,0 +1,11 @@
+{{- $eventExporterContext := deepCopy . }}
+{{- $_ := set $eventExporterContext "Values" (get .Values "event-exporter") }}
+{{- $_ := set $eventExporterContext.Values "global" (get .Values "global") }}
+{{- $_ := set $eventExporterContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $eventExporterContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $eventExporterContext.Values.enabled }}
+{{- include "event-exporter.resources.service" $eventExporterContext }}
+---
+{{- include "event-exporter.resources.serviceMonitor" $eventExporterContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/extra/extra-resources.yaml

@@ -0,0 +1,6 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+
+{{- range .Values.extraResources }}
+---
+{{ include (printf "%s.tplrender" $cfCommonTplSemver) (dict "Values" . "context" $) }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/extra/runtime-images-cm.yaml

@@ -0,0 +1,19 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.engine.runtimeImages }}
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  {{- /* dummy template just to list runtime images */}}
+  name: {{ include "runtime.fullname" . }}-images
+  labels:
+    {{- include "runtime.labels" . | nindent 4 }}
+  annotations:
+    {{- with $values.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+data:
+  images: |
+    {{- range $key, $val := $values }}
+    image: {{ $val }}
+    {{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/hooks/post-install/cm-update-runtime.yaml

@@ -0,0 +1,18 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.patch }}
+{{- if $values.enabled }}
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ include "runtime.fullname" . }}-spec
+  labels:
+    {{- include "runtime.labels" . | nindent 4 }}
+  annotations:
+    {{- with $values.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+data:
+  runtime.yaml: |
+    {{ include "runtime.runtime-environment-spec.template" . | nindent 4 | trim }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/hooks/post-install/job-gencerts-dind.yaml

@@ -0,0 +1,68 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.gencerts }}
+{{- if and $values.enabled }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "runtime.fullname" . }}-gencerts-dind
+  labels:
+    {{- include "runtime.labels" . | nindent 4 }}
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-weight: "3"
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+    {{- with $values.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- with $values.ttlSecondsAfterFinished }}
+  ttlSecondsAfterFinished: {{ . }}
+  {{- end }}
+  {{- with $values.backoffLimit }}
+  backoffLimit: {{ . | int }}
+  {{- end }}
+  template:
+    metadata:
+      name: {{ include "runtime.fullname" . }}-gencerts-dind
+      labels:
+        {{- include "runtime.labels" . | nindent 8 }}
+    spec:
+      {{- if $values.rbac.enabled }}
+      serviceAccountName: {{ template "runtime.fullname" . }}-gencerts-dind
+      {{- end }}
+      securityContext:
+        {{- toYaml $values.podSecurityContext | nindent 8 }}
+      containers:
+      - name: gencerts-dind
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $values.image "context" .) }}
+        imagePullPolicy: {{ $values.image.pullPolicy | default "Always" }}
+        command:
+        - "/bin/bash"
+        args:
+        - -ec
+        - | {{ .Files.Get "files/configure-dind-certs.sh" | nindent 10 }}
+        env:
+        - name: NAMESPACE
+          value: {{ .Release.Namespace }}
+        - name: RELEASE
+          value: {{ .Release.Name }}
+        - name: CF_API_HOST
+          value: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+        - name: CF_API_TOKEN
+          {{- include "runtime.installation-token-env-var-value" . | indent 10}}
+          {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $values.env "context" .) | nindent 8 }}
+      {{- with $values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      restartPolicy: OnFailure
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/hooks/post-install/job-update-runtime.yaml

@@ -0,0 +1,77 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.patch }}
+{{- if $values.enabled }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "runtime.fullname" . }}-patch
+  labels:
+    {{- include "runtime.labels" . | nindent 4 }}
+  annotations:
+    helm.sh/hook: post-install,post-upgrade
+    helm.sh/hook-weight: "5"
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+    {{- with $values.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- with $values.ttlSecondsAfterFinished }}
+  ttlSecondsAfterFinished: {{ . }}
+  {{- end }}
+  {{- with $values.backoffLimit }}
+  backoffLimit: {{ . | int }}
+  {{- end }}
+  template:
+    metadata:
+      name: {{ include "runtime.fullname" . }}-patch
+      labels:
+        {{- include "runtime.labels" . | nindent 8 }}
+    spec:
+      securityContext:
+        {{- toYaml $values.podSecurityContext | nindent 8 }}
+      containers:
+      - name: patch-runtime
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $values.image "context" .) }}
+        imagePullPolicy: {{ $values.image.pullPolicy | default "Always" }}
+        command:
+        - "/bin/bash"
+        args:
+        - -ec
+        - |
+          codefresh auth create-context --api-key $API_KEY --url $API_HOST
+          cat /usr/share/extras/runtime.yaml
+          codefresh get re
+{{- if .Values.runtime.agent }}
+          codefresh patch re -f /usr/share/extras/runtime.yaml
+{{- else }}
+          codefresh patch sys-re -f /usr/share/extras/runtime.yaml
+{{- end }}
+        env:
+        - name: API_KEY
+          {{- include "runtime.installation-token-env-var-value" . | indent 10}}
+        - name: API_HOST
+          value: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+          {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $values.env "context" .) | nindent 8 }}
+        volumeMounts:
+        - name: config
+          mountPath: /usr/share/extras/runtime.yaml
+          subPath: runtime.yaml
+      {{- with $values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      restartPolicy: OnFailure
+      volumes:
+      - name: config
+        configMap:
+          name: {{ include "runtime.fullname" . }}-spec
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/hooks/post-install/rbac-gencerts-dind.yaml

@@ -0,0 +1,37 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.gencerts }}
+{{- if and $values.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "runtime.fullname" . }}-gencerts-dind
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "runtime.fullname" . }}-gencerts-dind
+  namespace: {{ .Release.Namespace }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+      - configmaps
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "runtime.fullname" . }}-gencerts-dind
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "runtime.fullname" . }}-gencerts-dind
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "runtime.fullname" . }}-gencerts-dind
+    namespace: {{ .Release.Namespace }}
+{{ end }}

charts/codefresh/cf-runtime/6.3.52/templates/hooks/pre-delete/job-cleanup-resources.yaml

@@ -0,0 +1,73 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.patch }}
+{{- if and $values.enabled }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "runtime.fullname" . }}-cleanup
+  labels:
+    {{- include "runtime.labels" . | nindent 4 }}
+  annotations:
+    helm.sh/hook: pre-delete
+    helm.sh/hook-delete-policy:  hook-succeeded,before-hook-creation
+    {{- with $values.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  {{- with $values.ttlSecondsAfterFinished }}
+  ttlSecondsAfterFinished: {{ . }}
+  {{- end }}
+  {{- with $values.backoffLimit }}
+  backoffLimit: {{ . | int }}
+  {{- end }}
+  template:
+    metadata:
+      name: {{ include "runtime.fullname" . }}-cleanup
+      labels:
+        {{- include "runtime.labels" . | nindent 8 }}
+    spec:
+      {{- if $values.rbac.enabled }}
+      serviceAccountName: {{ template "runtime.fullname" . }}-cleanup
+      {{- end }}
+      securityContext:
+        {{- toYaml $values.podSecurityContext | nindent 8 }}
+      containers:
+      - name: cleanup
+        image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $values.image "context" .) }}
+        imagePullPolicy: {{ $values.image.pullPolicy | default "Always" }}
+        command:
+        - "/bin/bash"
+        args:
+        - -ec
+        - | {{ .Files.Get "files/cleanup-runtime.sh" | nindent 10 }}
+        env:
+        - name: AGENT_NAME
+          value: {{ include "runtime.runtime-environment-spec.agent-name" . }}
+        - name: RUNTIME_NAME
+          value: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
+        - name: API_HOST
+          value: {{ include "runtime.runtime-environment-spec.codefresh-host" . }}
+        - name: API_TOKEN
+          {{- include "runtime.installation-token-env-var-value" . | indent 10}}
+        - name: AGENT
+          value: {{ .Values.runtime.agent | quote }}
+        - name: AGENT_SECRET_NAME
+          value: {{ include "runner.fullname" . }}
+        - name: DIND_SECRET_NAME
+          value: codefresh-certs-server
+          {{- include (printf "%s.env-vars" $cfCommonTplSemver) (dict "Values" $values.env "context" .) | nindent 8 }}
+      {{- with $values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with $values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 6 }}
+      {{- end }}
+      restartPolicy: OnFailure
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/hooks/pre-delete/rbac-cleanup-resources.yaml

@@ -0,0 +1,46 @@
+{{ $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version }}
+{{ $values := .Values.runtime.patch }}
+{{- if and $values.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "runtime.fullname" . }}-cleanup
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "runtime.fullname" . }}-cleanup
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+rules:
+  - apiGroups:
+      - "*"
+    resources:
+      - "*"
+    verbs:
+      - "*"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "runtime.fullname" . }}-cleanup
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": pre-delete
+    "helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation,hook-failed
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "runtime.fullname" . }}-cleanup
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "runtime.fullname" . }}-cleanup
+    namespace: {{ .Release.Namespace }}
+{{ end }}

charts/codefresh/cf-runtime/6.3.52/templates/monitor/deployment.yaml

@@ -0,0 +1,9 @@
+{{- $monitorContext := deepCopy . }}
+{{- $_ := set $monitorContext "Values" (get .Values "monitor") }}
+{{- $_ := set $monitorContext.Values "global" (get .Values "global") }}
+{{- $_ := set $monitorContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $monitorContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $monitorContext.Values.enabled }}
+{{- include "monitor.resources.deployment" $monitorContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/monitor/rbac.yaml

@@ -0,0 +1,9 @@
+{{- $monitorContext := deepCopy . }}
+{{- $_ := set $monitorContext "Values" (get .Values "monitor") }}
+{{- $_ := set $monitorContext.Values "global" (get .Values "global") }}
+{{- $_ := set $monitorContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $monitorContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $monitorContext.Values.enabled }}
+{{- include "monitor.resources.rbac" $monitorContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/monitor/service.yaml

@@ -0,0 +1,9 @@
+{{- $monitorContext := deepCopy . }}
+{{- $_ := set $monitorContext "Values" (get .Values "monitor") }}
+{{- $_ := set $monitorContext.Values "global" (get .Values "global") }}
+{{- $_ := set $monitorContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $monitorContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $monitorContext.Values.enabled }}
+{{- include "monitor.resources.service" $monitorContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/other/external-secrets.yaml

@@ -0,0 +1,2 @@
+{{ $templateName := printf "cf-common-%s.external-secrets" (index .Subcharts "cf-common").Chart.Version }}
+{{- include $templateName . -}}

charts/codefresh/cf-runtime/6.3.52/templates/other/podMonitor.yaml

@@ -0,0 +1,2 @@
+{{ $templateName := printf "cf-common-%s.podMonitor" (index .Subcharts "cf-common").Chart.Version }}
+{{- include $templateName . -}}

charts/codefresh/cf-runtime/6.3.52/templates/other/serviceMonitor.yaml

@@ -0,0 +1,2 @@
+{{ $templateName := printf "cf-common-%s.serviceMonitor" (index .Subcharts "cf-common").Chart.Version }}
+{{- include $templateName . -}}

charts/codefresh/cf-runtime/6.3.52/templates/runner/deployment.yaml

@@ -0,0 +1,9 @@
+{{- $runnerContext := deepCopy . }}
+{{- $_ := set $runnerContext "Values" (get .Values "runner") }}
+{{- $_ := set $runnerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $runnerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $runnerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if and $runnerContext.Values.enabled .Values.runtime.agent }}
+{{- include "runner.resources.deployment" $runnerContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/runner/rbac.yaml

@@ -0,0 +1,9 @@
+{{- $runnerContext := deepCopy . }}
+{{- $_ := set $runnerContext "Values" (get .Values "runner") }}
+{{- $_ := set $runnerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $runnerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $runnerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if and $runnerContext.Values.enabled .Values.runtime.agent }}
+{{- include "runner.resources.rbac" $runnerContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/runtime/_helpers.tpl

@@ -0,0 +1,123 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "runtime.name" -}}
+    {{- printf "%s" (include "cf-runtime.name" .)  | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "runtime.fullname" -}}
+    {{- printf "%s" (include "cf-runtime.fullname" .) | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "runtime.labels" -}}
+{{ include "cf-runtime.labels" . }}
+codefresh.io/application: runtime
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "runtime.selectorLabels" -}}
+{{ include "cf-runtime.selectorLabels" . }}
+codefresh.io/application: runtime
+{{- end }}
+
+{{/*
+Return runtime image (classic runtime) with private registry prefix
+*/}}
+{{- define "runtime.runtimeImageName" -}}
+  {{- if .registry -}}
+    {{- $imageName :=  (trimPrefix "quay.io/" .imageFullName) -}}
+    {{- printf "%s/%s" .registry $imageName -}}
+  {{- else -}}
+    {{- printf "%s" .imageFullName -}}
+  {{- end -}}
+{{- end -}}
+
+{{/*
+Environment variable value of Codefresh installation token
+*/}}
+{{- define "runtime.installation-token-env-var-value" -}}
+  {{- if .Values.global.codefreshToken }}
+valueFrom:
+  secretKeyRef:
+    name: {{ include "runtime.installation-token-secret-name" . }}
+    key: codefresh-api-token
+  {{- else if .Values.global.codefreshTokenSecretKeyRef  }}
+valueFrom:
+  secretKeyRef:
+  {{- .Values.global.codefreshTokenSecretKeyRef | toYaml | nindent 4 }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Environment variable value of Codefresh agent token
+*/}}
+{{- define "runtime.agent-token-env-var-value" -}}
+  {{- if .Values.global.agentToken }}
+{{- printf "%s" .Values.global.agentToken | toYaml }}
+  {{- else if .Values.global.agentTokenSecretKeyRef  }}
+valueFrom:
+  secretKeyRef:
+  {{- .Values.global.agentTokenSecretKeyRef | toYaml | nindent 4 }}
+  {{- end }}
+{{- end }}
+
+{{/*
+Print Codefresh API token secret name
+*/}}
+{{- define "runtime.installation-token-secret-name" }}
+{{- print "codefresh-user-token" }}
+{{- end }}
+
+{{/*
+Print Codefresh host
+*/}}
+{{- define "runtime.runtime-environment-spec.codefresh-host" }}
+{{- if and (not .Values.global.codefreshHost) }}
+  {{- fail "ERROR: .global.codefreshHost is required" }}
+{{- else }}
+  {{- printf "%s" (trimSuffix "/" .Values.global.codefreshHost) }}
+{{- end }}
+{{- end }}
+
+{{/*
+Print runtime-environment name
+*/}}
+{{- define "runtime.runtime-environment-spec.runtime-name" }}
+{{- if and (not .Values.global.runtimeName) }}
+  {{- printf "%s/%s" .Values.global.context .Release.Namespace }}
+{{- else }}
+  {{- printf "%s" .Values.global.runtimeName }}
+{{- end }}
+{{- end }}
+
+{{/*
+Print agent name
+*/}}
+{{- define "runtime.runtime-environment-spec.agent-name" }}
+{{- if and (not .Values.global.agentName) }}
+  {{- printf "%s_%s" .Values.global.context .Release.Namespace }}
+{{- else }}
+  {{- printf "%s" .Values.global.agentName }}
+{{- end }}
+{{- end }}
+
+{{/*
+Print context
+*/}}
+{{- define "runtime.runtime-environment-spec.context-name" }}
+{{- if and (not .Values.global.context) }}
+  {{- fail "ERROR: .global.context is required" }}
+{{- else }}
+  {{- printf "%s" .Values.global.context }}
+{{- end }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/runtime/cm-dind-daemon.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  {{- /* has to be a constant */}}
+  name: codefresh-dind-config
+  labels:
+    {{- include "runtime.labels" . | nindent 4 }}
+data:
+  daemon.json: |
+{{ coalesce .Values.re.dindDaemon .Values.runtime.dindDaemon | toPrettyJson | indent 4 }}

charts/codefresh/cf-runtime/6.3.52/templates/runtime/rbac.yaml

@@ -0,0 +1,48 @@
+{{ $values := .Values.runtime }}
+---
+{{- if or $values.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  {{- /* has to be a constant */}}
+  name: codefresh-engine
+  labels:
+    {{- include "runtime.labels" . | nindent 4 }}
+  {{- with $values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
+---
+{{- if $values.rbac.create }}
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: codefresh-engine
+  labels:
+    {{- include "runner.labels" . | nindent 4 }}
+rules:
+  - apiGroups: [ "" ]
+    resources: [ "secrets" ]
+    verbs: [ "get" ]
+{{- with $values.rbac.rules }}
+  {{ toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+---
+{{- if and $values.serviceAccount.create $values.rbac.create }}
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: codefresh-engine
+  labels:
+    {{- include "runner.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: codefresh-engine
+roleRef:
+  kind: Role
+  name: codefresh-engine
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+

charts/codefresh/cf-runtime/6.3.52/templates/runtime/runtime-env-spec-tmpl.yaml

@@ -0,0 +1,210 @@
+{{- define "runtime.runtime-environment-spec.template" }}
+{{- $cfCommonTplSemver := printf "cf-common-%s" (index .Subcharts "cf-common").Chart.Version -}}
+{{- $kubeconfigFilePath := (include "runtime.runtime-environment-spec.runtime-name" .) -}}
+{{- $name := (include "runtime.runtime-environment-spec.runtime-name" .) -}}
+{{- $engineContext := .Values.runtime.engine -}}
+{{- $dindContext := .Values.runtime.dind -}}
+{{- $imageRegistry := .Values.global.imageRegistry -}}
+metadata:
+  name: {{ include "runtime.runtime-environment-spec.runtime-name" . }}
+  agent: {{ .Values.runtime.agent }}
+runtimeScheduler:
+  type: KubernetesPod
+  {{- if $engineContext.image }}
+  image: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $engineContext.image "context" .) | squote }}
+  {{- end }}
+  imagePullPolicy: {{ $engineContext.image.pullPolicy }}
+  {{- with $engineContext.command }}
+  command: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  envVars:
+  {{- with $engineContext.env }}
+    {{- range $key, $val := . }}
+      {{- if or (kindIs "bool" $val) (kindIs "int" $val) (kindIs "float64" $val) }}
+    {{ $key }}: {{ $val | squote }}
+      {{- else }}
+    {{ $key }}: {{ $val }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+    COMPOSE_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.COMPOSE_IMAGE) | squote }}
+    CONTAINER_LOGGER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.CONTAINER_LOGGER_IMAGE) | squote }}
+    DOCKER_BUILDER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_BUILDER_IMAGE) | squote }}
+    DOCKER_PULLER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_PULLER_IMAGE) | squote }}
+    DOCKER_PUSHER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_PUSHER_IMAGE) | squote }}
+    DOCKER_TAG_PUSHER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.DOCKER_TAG_PUSHER_IMAGE) | squote }}
+    FS_OPS_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.FS_OPS_IMAGE) | squote }}
+    GIT_CLONE_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.GIT_CLONE_IMAGE) | squote }}
+    KUBE_DEPLOY: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.KUBE_DEPLOY) | squote }}
+    PIPELINE_DEBUGGER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.PIPELINE_DEBUGGER_IMAGE) | squote }}
+    TEMPLATE_ENGINE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.TEMPLATE_ENGINE) | squote }}
+    CR_6177_FIXER: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.CR_6177_FIXER) | squote }}
+    GC_BUILDER_IMAGE: {{ include "runtime.runtimeImageName" (dict "registry" $imageRegistry "imageFullName" $engineContext.runtimeImages.GC_BUILDER_IMAGE) | squote }}
+  {{- with $engineContext.userEnvVars }}
+  userEnvVars:  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $engineContext.workflowLimits }}
+  workflowLimits: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  cluster:
+    namespace: {{ .Release.Namespace }}
+    serviceAccount: {{ $engineContext.serviceAccount }}
+    {{- if .Values.runtime.agent }}
+    clusterProvider:
+      accountId: {{ .Values.global.accountId }}
+      selector: {{ include "runtime.runtime-environment-spec.context-name" . }}
+    {{- else }}
+      {{- if .Values.runtime.inCluster }}
+    inCluster: true
+    kubeconfigFilePath: null
+      {{- else }}
+    name: {{ $name }}
+    kubeconfigFilePath: {{ printf "/etc/kubeconfig/%s" $kubeconfigFilePath }}
+      {{- end }}
+    {{- end }}
+    {{- with $engineContext.nodeSelector }}
+    nodeSelector: {{- toYaml . | nindent 6 }}
+    {{- end }}
+  {{- with $engineContext.affinity }}
+  affinity:  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $engineContext.tolerations }}
+  tolerations:  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $engineContext.podAnnotations }}
+  annotations:
+    {{- range $key, $val := . }}
+    {{ $key }}: {{ $val | squote }}
+    {{- end }}
+  {{- end }}
+  {{- with $engineContext.podLabels }}
+  labels: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- if $engineContext.schedulerName }}
+  schedulerName: {{ $engineContext.schedulerName }}
+  {{- end }}
+  resources:
+  {{- if $engineContext.resources}}
+  {{- toYaml $engineContext.resources | nindent 4 }}
+  {{- end }}
+dockerDaemonScheduler:
+  type: DindKubernetesPod
+  {{- if $dindContext.image }}
+  dindImage: {{ include (printf "%s.image.name" $cfCommonTplSemver ) (dict "image" $dindContext.image "context" .) | squote }}
+  {{- end }}
+  imagePullPolicy: {{ $dindContext.image.pullPolicy }}
+  {{- with $dindContext.userAccess }}
+  userAccess: {{ . }}
+  {{- end }}
+  {{- with $dindContext.env }}
+  envVars:
+    {{- range $key, $val := . }}
+      {{- if or (kindIs "bool" $val) (kindIs "int" $val) (kindIs "float64" $val) }}
+    {{ $key }}: {{ $val | squote }}
+      {{- else }}
+    {{ $key }}: {{ $val }}
+      {{- end }}
+    {{- end }}
+  {{- end }}
+  cluster:
+    namespace: {{ .Release.Namespace }}
+    serviceAccount: {{ $dindContext.serviceAccount }}
+    {{- if .Values.runtime.agent }}
+    clusterProvider:
+      accountId: {{ .Values.global.accountId }}
+      selector: {{ include "runtime.runtime-environment-spec.context-name" . }}
+    {{- else }}
+      {{- if .Values.runtime.inCluster }}
+    inCluster: true
+    kubeconfigFilePath: null
+      {{- else }}
+    name: {{ $name }}
+    kubeconfigFilePath: {{ printf "/etc/kubeconfig/%s" $kubeconfigFilePath }}
+      {{- end }}
+    {{- end }}
+    {{- with $dindContext.nodeSelector }}
+    nodeSelector: {{- toYaml . | nindent 6 }}
+    {{- end }}
+  {{- with $dindContext.affinity }}
+  affinity:  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $dindContext.tolerations }}
+  tolerations: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $dindContext.podAnnotations }}
+  annotations:
+    {{- range $key, $val := . }}
+    {{ $key }}: {{ $val | squote }}
+    {{- end }}
+  {{- end }}
+  {{- with $dindContext.podLabels }}
+  labels: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- if $dindContext.schedulerName }}
+  schedulerName: {{ $dindContext.schedulerName }}
+  {{- end }}
+  {{- if $dindContext.pvcs }}
+  pvcs:
+  {{- range $index, $pvc := $dindContext.pvcs }}
+    - name: {{ $pvc.name }}
+      reuseVolumeSelector: {{ $pvc.reuseVolumeSelector | squote }}
+      reuseVolumeSortOrder: {{ $pvc.reuseVolumeSortOrder }}
+      storageClassName: {{ include (printf "%v.tplrender" $cfCommonTplSemver) (dict "Values" $pvc.storageClassName "context" $) }}
+      volumeSize: {{ $pvc.volumeSize }}
+      {{- with $pvc.annotations }}
+      annotations: {{ . | toYaml | nindent 8 }}
+      {{- end }}
+  {{- end }}
+  {{- end }}
+  defaultDindResources:
+  {{- with $dindContext.resources }}
+  {{- if not .requests }}
+    limits: {{- toYaml .limits | nindent 6 }}
+    requests: null
+  {{- else }}
+  {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- end }}
+  {{- with $dindContext.terminationGracePeriodSeconds }}
+  terminationGracePeriodSeconds: {{ . }}
+  {{- end }}
+  {{- with $dindContext.userVolumeMounts }}
+  userVolumeMounts: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with $dindContext.userVolumes }}
+  userVolumes: {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- if and (not .Values.runtime.agent)  }}
+  clientCertPath: /etc/ssl/cf/
+  volumeMounts:
+    codefresh-certs-server:
+      name: codefresh-certs-server
+      mountPath: /etc/ssl/cf
+      readOnly: false
+  volumes:
+    codefresh-certs-server:
+      name: codefresh-certs-server
+      secret:
+        secretName: codefresh-certs-server
+  {{- end }}
+extends: {{- toYaml .Values.runtime.runtimeExtends | nindent 2 }}
+  {{- if .Values.runtime.description }}
+description: {{ .Values.runtime.description }}
+  {{- else }}
+description: null
+  {{- end }}
+{{- if .Values.global.accountId }}
+accountId: {{ .Values.global.accountId }}
+{{- end }}
+{{- if not .Values.runtime.agent }}
+accounts: {{- toYaml .Values.runtime.accounts | nindent 2 }}
+{{- end }}
+{{- if .Values.appProxy.enabled }}
+appProxy:
+  externalIP: >-
+    {{ printf "https://%s%s" .Values.appProxy.ingress.host (.Values.appProxy.ingress.pathPrefix | default "/") }}
+{{- end }}
+{{- if not .Values.runtime.agent }}
+systemHybrid: true
+{{- end }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/runtime/secret.yaml

@@ -0,0 +1,11 @@
+{{- if and .Values.global.codefreshToken }}
+apiVersion: v1
+kind: Secret
+type: Opaque
+metadata:
+  name: {{ include "runtime.installation-token-secret-name" . }}
+  labels:
+    {{- include "runtime.labels" . | nindent 4 }}
+stringData:
+  codefresh-api-token: {{ .Values.global.codefreshToken }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/runtime/svc-dind.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    {{- include "runtime.labels" . | nindent 4 }}
+    app: dind
+  {{/* has to be a constant */}}
+  name: dind
+spec:
+  ports:
+  - name: "dind-port"
+    port: 1300
+    protocol: TCP
+  clusterIP: None
+  selector:
+    app: dind

charts/codefresh/cf-runtime/6.3.52/templates/volume-provisioner/cronjob.yaml

@@ -0,0 +1,11 @@
+{{- $volumeProvisionerContext := deepCopy . }}
+{{- $_ := set $volumeProvisionerContext "Values" (get .Values.volumeProvisioner "dind-volume-cleanup") }}
+{{- $_ := set $volumeProvisionerContext.Values "serviceAccount" (get .Values.volumeProvisioner "serviceAccount") }}
+{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
+{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if and $volumeProvisionerContext.Values.enabled .Values.volumeProvisioner.enabled }}
+{{- include "dind-volume-provisioner.resources.cronjob" $volumeProvisionerContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/volume-provisioner/daemonset.yaml

@@ -0,0 +1,11 @@
+{{- $volumeProvisionerContext := deepCopy . }}
+{{- $_ := set $volumeProvisionerContext "Values" (get .Values.volumeProvisioner "dind-lv-monitor") }}
+{{- $_ := set $volumeProvisionerContext.Values "serviceAccount" (get .Values.volumeProvisioner "serviceAccount") }}
+{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
+{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if and $volumeProvisionerContext.Values.enabled .Values.volumeProvisioner.enabled }}
+{{- include "dind-volume-provisioner.resources.daemonset" $volumeProvisionerContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/volume-provisioner/deployment.yaml

@@ -0,0 +1,10 @@
+{{- $volumeProvisionerContext := deepCopy . }}
+{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }}
+{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
+{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $volumeProvisionerContext.Values.enabled }}
+{{- include "dind-volume-provisioner.resources.deployment" $volumeProvisionerContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/volume-provisioner/rbac.yaml

@@ -0,0 +1,9 @@
+{{- $volumeProvisionerContext := deepCopy . }}
+{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }}
+{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $volumeProvisionerContext.Values.enabled }}
+{{- include "dind-volume-provisioner.resources.rbac" $volumeProvisionerContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/volume-provisioner/secret.yaml

@@ -0,0 +1,10 @@
+{{- $volumeProvisionerContext := deepCopy . }}
+{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }}
+{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
+{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $volumeProvisionerContext.Values.enabled }}
+{{- include "dind-volume-provisioner.resources.secret" $volumeProvisionerContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/templates/volume-provisioner/storageclass.yaml

@@ -0,0 +1,10 @@
+{{- $volumeProvisionerContext := deepCopy . }}
+{{- $_ := set $volumeProvisionerContext "Values" (get .Values "volumeProvisioner") }}
+{{- $_ := set $volumeProvisionerContext.Values "global" (get .Values "global") }}
+{{- $_ := set $volumeProvisionerContext.Values "storage" (get .Values "storage") }}
+{{- $_ := set $volumeProvisionerContext.Values "nameOverride" (get .Values "nameOverride") }}
+{{- $_ := set $volumeProvisionerContext.Values "fullnameOverride" (get .Values "fullnameOverride") }}
+
+{{- if $volumeProvisionerContext.Values.enabled }}
+{{- include "dind-volume-provisioner.resources.storageclass" $volumeProvisionerContext }}
+{{- end }}

charts/codefresh/cf-runtime/6.3.52/values.yaml

@@ -0,0 +1,946 @@
+# -- String to partially override cf-runtime.fullname template (will maintain the release name)
+nameOverride: ""
+# -- String to fully override cf-runtime.fullname template
+fullnameOverride: ""
+
+# -- Global parameters
+# @default -- See below
+global:
+  # -- Global Docker image registry
+  imageRegistry: ""
+  # -- Global Docker registry secret names as array
+  imagePullSecrets: []
+
+  # -- URL of Codefresh Platform (required!)
+  codefreshHost: "https://g.codefresh.io"
+  # -- User token in plain text (required if `global.codefreshTokenSecretKeyRef` is omitted!)
+  # Ref: https://g.codefresh.io/user/settings (see API Keys)
+  # Minimal API key scopes: Runner-Installation(read+write), Agent(read+write), Agents(read+write)
+  codefreshToken: ""
+  # -- User token that references an existing secret containing API key (required if `global.codefreshToken` is omitted!)
+  codefreshTokenSecretKeyRef: {}
+
+  # E.g.
+  # codefreshTokenSecretKeyRef:
+  #   name: my-codefresh-api-token
+  #   key: codefresh-api-token
+
+  # -- Account ID (required!)
+  # Can be obtained here https://g.codefresh.io/2.0/account-settings/account-information
+  accountId: ""
+
+  # -- K8s context name (required!)
+  context: ""
+  # E.g.
+  # context: prod-ue1-runtime-1
+
+  # -- Agent Name (optional!)
+  # If omitted, the following format will be used `{{ .Values.global.context }}_{{ .Release.Namespace }}`
+  agentName: ""
+  # E.g.
+  # agentName: prod-ue1-runtime-1
+
+  # -- Runtime name (optional!)
+  # If omitted, the following format will be used `{{ .Values.global.context }}/{{ .Release.Namespace }}`
+  runtimeName: ""
+  # E.g.
+  # runtimeName: prod-ue1-runtime-1/namespace
+
+  # -- DEPRECATED Agent token in plain text.
+  # !!! MUST BE provided if migrating from < 6.x chart version
+  agentToken: ""
+  # -- DEPRECATED Agent token that references an existing secret containing API key.
+  # !!! MUST BE provided if migrating from < 6.x chart version
+  agentTokenSecretKeyRef: {}
+  # E.g.
+  # agentTokenSecretKeyRef:
+  #   name: my-codefresh-agent-secret
+  #   key: codefresh-agent-token
+
+# DEPRECATED -- Use `.Values.global.imageRegistry` instead
+dockerRegistry: ""
+
+# DEPRECATED -- Use `.Values.runtime` instead
+re: {}
+
+# -- Runner parameters
+# @default -- See below
+runner:
+  # -- Enable the runner
+  enabled: true
+  # -- Set number of pods
+  replicasCount: 1
+  # -- Upgrade strategy
+  updateStrategy:
+    type: RollingUpdate
+  # -- Set pod annotations
+  podAnnotations: {}
+
+  # -- Set image
+  image:
+    registry: quay.io
+    repository: codefresh/venona
+    tag: 1.10.2
+
+  # -- Init container
+  init:
+    image:
+      registry: quay.io
+      repository: codefresh/cli
+      tag: 0.85.0-rootless
+
+    resources:
+      limits:
+        memory: 512Mi
+        cpu: '1'
+      requests:
+        memory: 256Mi
+        cpu: '0.2'
+
+  # -- Sidecar container
+  # Reconciles runtime spec from Codefresh API for drift detection
+  sidecar:
+    enabled: false
+    image:
+      registry: quay.io
+      repository: codefresh/codefresh-shell
+      tag: 0.0.2
+    env:
+      RECONCILE_INTERVAL: 300
+    resources: {}
+
+  # -- Add additional env vars
+  env: {}
+  # E.g.
+  # env:
+  #   WORKFLOW_CONCURRENCY: 50 # The number of workflow creation and termination tasks the Runner can handle in parallel. Defaults to 50
+
+  # -- Service Account parameters
+  serviceAccount:
+    # -- Create service account
+    create: true
+    # -- Override service account name
+    name: ""
+    # -- Additional service account annotations
+    annotations: {}
+
+  # -- RBAC parameters
+  rbac:
+    # -- Create RBAC resources
+    create: true
+    # -- Add custom rule to the role
+    rules: []
+
+  # -- Set security context for the pod
+  # @default -- See below
+  podSecurityContext:
+    enabled: true
+    runAsUser: 10001
+    runAsGroup: 10001
+    fsGroup: 10001
+
+  # -- Readiness probe configuration
+  # @default -- See below
+  readinessProbe:
+    failureThreshold: 5
+    initialDelaySeconds: 5
+    periodSeconds: 5
+    successThreshold: 1
+    timeoutSeconds: 5
+
+  # -- Set requests and limits
+  resources: {}
+  # -- Set node selector
+  nodeSelector: {}
+  # -- Set tolerations
+  tolerations: []
+  # -- Set affinity
+  affinity: {}
+
+# -- Volume Provisioner parameters
+# @default -- See below
+volumeProvisioner:
+  # -- Enable volume-provisioner
+  enabled: true
+  # -- Set number of pods
+  replicasCount: 1
+  # -- Upgrade strategy
+  updateStrategy:
+    type: Recreate
+  # -- Set pod annotations
+  podAnnotations: {}
+
+  # -- Set image
+  image:
+    registry: quay.io
+    repository: codefresh/dind-volume-provisioner
+    tag: 1.35.0
+  # -- Add additional env vars
+  env: {}
+  # E.g.
+  # env:
+  #   THREADINESS: 4 # The number of PVC requests the dind-volume-provisioner can process in parallel. Defaults to 4
+
+  # -- Service Account parameters
+  serviceAccount:
+    # -- Create service account
+    create: true
+    # -- Override service account name
+    name: ""
+    # -- Additional service account annotations
+    annotations: {}
+    # E.g.
+    #   serviceAccount:
+    #     annotations:
+    #       eks.amazonaws.com/role-arn: "arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>"
+
+  # -- RBAC parameters
+  rbac:
+    # -- Create RBAC resources
+    create: true
+    # -- Add custom rule to the role
+    rules: []
+
+  # -- Set security context for the pod
+  # @default -- See below
+  podSecurityContext:
+    enabled: true
+    runAsUser: 3000
+    runAsGroup: 3000
+    fsGroup: 3000
+
+  # -- Set node selector
+  nodeSelector: {}
+  # -- Set resources
+  resources: {}
+  # -- Set tolerations
+  tolerations: []
+  # -- Set affinity
+  affinity: {}
+
+  # -- `dind-lv-monitor` DaemonSet parameters
+  # (local volumes cleaner)
+  # @default -- See below
+  dind-lv-monitor:
+    enabled: true
+    image:
+      registry: quay.io
+      repository: codefresh/dind-volume-utils
+      tag: 1.29.4
+    podAnnotations: {}
+    podSecurityContext:
+      enabled: true
+      runAsUser: 1000
+      fsGroup: 1000
+    containerSecurityContext: {}
+    env: {}
+    resources: {}
+    nodeSelector: {}
+    tolerations:
+    - key: 'codefresh/dind'
+      operator: 'Exists'
+      effect: 'NoSchedule'
+    volumePermissions:
+      enabled: true
+      image:
+        registry: docker.io
+        repository: alpine
+        tag: 3.18
+      resources: {}
+      securityContext:
+        runAsUser: 0 # auto
+
+  # `dind-volume-cleanup` CronJob parameters
+  # (external volumes cleaner)
+  # @default -- See below
+  dind-volume-cleanup:
+    enabled: true
+    image:
+      registry: quay.io
+      repository: codefresh/dind-volume-cleanup
+      tag: 1.2.0
+    env: {}
+    concurrencyPolicy: Forbid
+    schedule: "*/10 * * * *"
+    successfulJobsHistory: 3
+    failedJobsHistory: 1
+    suspend: false
+    podAnnotations: {}
+    podSecurityContext:
+      enabled: true
+      fsGroup: 3000
+      runAsGroup: 3000
+      runAsUser: 3000
+    nodeSelector: {}
+    affinity: {}
+    tolerations: []
+
+# Storage parameters for volume-provisioner
+# @default -- See below
+storage:
+  # -- Set backend volume type (`local`/`ebs`/`ebs-csi`/`gcedisk`/`azuredisk`)
+  backend: local
+  # -- Set filesystem type (`ext4`/`xfs`)
+  fsType: "ext4"
+
+  # Storage parametrs example for local volumes on the K8S nodes filesystem (i.e. `storage.backend=local`)
+  # https://kubernetes.io/docs/concepts/storage/volumes/#local
+  # @default -- See below
+  local:
+    # -- Set volume path on the host filesystem
+    volumeParentDir: /var/lib/codefresh/dind-volumes
+
+  # Storage parameters example for aws ebs disks (i.e. `storage.backend=ebs`/`storage.backend=ebs-csi`)
+  # https://aws.amazon.com/ebs/
+  # https://codefresh.io/docs/docs/installation/codefresh-runner/#aws-backend-volume-configuration
+  # @default -- See below
+  ebs:
+    # -- Set EBS volume type (`gp2`/`gp3`/`io1`) (required)
+    volumeType: "gp2"
+    # -- Set EBS volumes availability zone (required)
+    availabilityZone: "us-east-1a"
+    # -- Enable encryption (optional)
+    encrypted: "false"
+    # -- Set KMS encryption key ID (optional)
+    kmsKeyId: ""
+
+    # -- Set AWS_ACCESS_KEY_ID for volume-provisioner (optional)
+    # Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#dind-volume-provisioner-permissions
+    accessKeyId: ""
+    # -- Existing secret containing AWS_ACCESS_KEY_ID.
+    accessKeyIdSecretKeyRef: {}
+    # E.g.
+    # accessKeyIdSecretKeyRef:
+    #   name:
+    #   key:
+
+    # -- Set AWS_SECRET_ACCESS_KEY for volume-provisioner (optional)
+    # Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#dind-volume-provisioner-permissions
+    secretAccessKey: ""
+    # -- Existing secret containing AWS_SECRET_ACCESS_KEY
+    secretAccessKeySecretKeyRef: {}
+    # E.g.
+    # secretAccessKeySecretKeyRef:
+    #   name:
+    #   key:
+
+    # E.g.
+    # ebs:
+    #   volumeType: gp3
+    #   availabilityZone: us-east-1c
+    #   encrypted: false
+    #   iops: "5000"
+    #   # I/O operations per second. Only effetive when gp3 volume type is specified.
+    #   # Default value - 3000.
+    #   # Max - 16,000
+    #   throughput: "500"
+    #   # Throughput in MiB/s. Only effective when gp3 volume type is specified.
+    #   # Default value - 125.
+    #   # Max - 1000.
+    # ebs:
+    #   volumeType: gp2
+    #   availabilityZone: us-east-1c
+    #   encrypted: true
+    #   kmsKeyId: "1234abcd-12ab-34cd-56ef-1234567890ab"
+    #   accessKeyId: "MYKEYID"
+    #   secretAccessKey: "MYACCESSKEY"
+
+  # Storage parameters example for gce disks
+  # https://cloud.google.com/compute/docs/disks#pdspecs
+  # https://codefresh.io/docs/docs/installation/codefresh-runner/#gke-google-kubernetes-engine-backend-volume-configuration
+  # @default -- See below
+  gcedisk:
+    # -- Set GCP volume backend type (`pd-ssd`/`pd-standard`)
+    volumeType: "pd-ssd"
+    # -- Set GCP volume availability zone
+    availabilityZone: "us-west1-a"
+    # -- Set Google SA JSON key for volume-provisioner (optional)
+    serviceAccountJson: ""
+    # -- Existing secret containing containing Google SA JSON key for volume-provisioner (optional)
+    serviceAccountJsonSecretKeyRef: {}
+    # E.g.
+    # gcedisk:
+    #   volumeType: pd-ssd
+    #   availabilityZone: us-central1-c
+    #   serviceAccountJson: |-
+    #          {
+    #           "type": "service_account",
+    #           "project_id": "...",
+    #           "private_key_id": "...",
+    #           "private_key": "...",
+    #           "client_email": "...",
+    #           "client_id": "...",
+    #           "auth_uri": "...",
+    #           "token_uri": "...",
+    #           "auth_provider_x509_cert_url": "...",
+    #           "client_x509_cert_url": "..."
+    #           }
+
+  # Storage parameters example for Azure Disks
+  # https://codefresh.io/docs/docs/installation/codefresh-runner/#install-codefresh-runner-on-azure-kubernetes-service-aks
+  # @default -- See below
+  azuredisk:
+    # -- Set storage type (`Premium_LRS`)
+    skuName: Premium_LRS
+    cachingMode: None
+    # availabilityZone: northeurope-1
+    # resourceGroup:
+    # DiskIOPSReadWrite: 500
+    # DiskMBpsReadWrite: 100
+
+  mountAzureJson: false
+
+# -- Set runtime parameters
+# @default -- See below
+
+runtime:
+  # -- Set annotation on engine Service Account
+  # Ref: https://codefresh.io/docs/docs/administration/codefresh-runner/#injecting-aws-arn-roles-into-the-cluster
+  serviceAccount:
+    create: true
+    annotations: {}
+    # E.g.
+    #   serviceAccount:
+    #     annotations:
+    #       eks.amazonaws.com/role-arn: "arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>"
+
+  # -- Set parent runtime to inherit.
+  # Should not be changes. Parent runtime is controlled from Codefresh side.
+  runtimeExtends:
+    - system/default/hybrid/k8s_low_limits
+  # -- Runtime description
+  description: ""
+
+  # -- RBAC parameters
+  rbac:
+    # -- Create RBAC resources
+    create: true
+    # -- Add custom rule to the engine role
+    rules: []
+
+  # -- (for On-Premise only) Enable agent
+  agent: true
+  # -- (for On-Premise only) Set inCluster runtime
+  inCluster: true
+  # -- (for On-Premise only) Assign accounts to runtime (list of account ids)
+  accounts: []
+
+  # -- Parameters for DinD (docker-in-docker) pod (aka "runtime" pod).
+  dind:
+    # -- Set dind image.
+    image:
+      registry: quay.io
+      repository: codefresh/dind
+      tag: 26.1.4-1.28.7  # use `latest-rootless/rootless/26.1.4-1.28.7-rootless` tags for rootless-dind
+      pullPolicy: IfNotPresent
+    # -- Set dind resources.
+    resources:
+      requests: null
+      limits:
+        cpu: 400m
+        memory: 800Mi
+    # -- PV claim spec parametes.
+    pvcs:
+      # -- Default dind PVC parameters
+      dind:
+        # -- PVC name prefix.
+        # Keep `dind` as default! Don't change!
+        name: dind
+        # -- PVC storage class name.
+        # Change ONLY if you need to use storage class NOT from Codefresh volume-provisioner
+        storageClassName: '{{ include "dind-volume-provisioner.storageClassName" . }}'
+        # -- PVC size.
+        volumeSize: 16Gi
+        # -- PV reuse selector.
+        # Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#volume-reuse-policy
+        reuseVolumeSelector: codefresh-app,io.codefresh.accountName
+        reuseVolumeSortOrder: pipeline_id
+        # -- PV annotations.
+        annotations: {}
+        # E.g.:
+        # annotations:
+        #   codefresh.io/volume-retention: 7d
+    # -- Set additional env vars.
+    env:
+      DOCKER_ENABLE_DEPRECATED_PULL_SCHEMA_1_IMAGE: true
+    # -- Set pod annotations.
+    podAnnotations: {}
+    # -- Set pod labels.
+    podLabels: {}
+    # -- Set node selector.
+    nodeSelector: {}
+    # -- Set affinity
+    affinity: {}
+    # -- Set tolerations.
+    tolerations: []
+    # -- Set scheduler name.
+    schedulerName: ""
+    # -- Set service account for pod.
+    serviceAccount: codefresh-engine
+    # -- Keep `true` as default!
+    userAccess: true
+    # -- Add extra volumes
+    userVolumes: {}
+    # E.g.:
+    # userVolumes:
+    #   regctl-docker-registry:
+    #     name: regctl-docker-registry
+    #     secret:
+    #       items:
+    #         - key: .dockerconfigjson
+    #           path: config.json
+    #       secretName: regctl-docker-registry
+    #       optional: true
+    # -- Add extra volume mounts
+    userVolumeMounts: {}
+    # E.g.:
+    # userVolumeMounts:
+    #   regctl-docker-registry:
+    #     name: regctl-docker-registry
+    #     mountPath: /home/appuser/.docker/
+    #     readOnly: true
+
+  # -- Parameters for Engine pod (aka "pipeline" orchestrator).
+  engine:
+    # -- Set image.
+    image:
+      registry: quay.io
+      repository: codefresh/engine
+      tag: 1.173.6
+      pullPolicy: IfNotPresent
+    # -- Set container command.
+    command:
+      - npm
+      - run
+      - start
+    # -- Set resources.
+    resources:
+      requests:
+        cpu: 100m
+        memory: 128Mi
+      limits:
+        cpu: 1000m
+        memory: 2048Mi
+    # -- Set system(base) runtime images.
+    # @default -- See below.
+    runtimeImages:
+      COMPOSE_IMAGE: quay.io/codefresh/compose:v2.28.1-1.5.0
+      CONTAINER_LOGGER_IMAGE: quay.io/codefresh/cf-container-logger:1.11.6
+      DOCKER_BUILDER_IMAGE: quay.io/codefresh/cf-docker-builder:1.3.13
+      DOCKER_PULLER_IMAGE: quay.io/codefresh/cf-docker-puller:8.0.17
+      DOCKER_PUSHER_IMAGE: quay.io/codefresh/cf-docker-pusher:6.0.15
+      DOCKER_TAG_PUSHER_IMAGE: quay.io/codefresh/cf-docker-tag-pusher:1.3.14
+      FS_OPS_IMAGE: quay.io/codefresh/fs-ops:1.2.3
+      GIT_CLONE_IMAGE: quay.io/codefresh/cf-git-cloner:10.1.26
+      KUBE_DEPLOY: quay.io/codefresh/cf-deploy-kubernetes:16.1.11
+      PIPELINE_DEBUGGER_IMAGE: quay.io/codefresh/cf-debugger:1.3.0
+      TEMPLATE_ENGINE: quay.io/codefresh/pikolo:0.14.1
+      CR_6177_FIXER: 'quay.io/codefresh/alpine:edge'
+      GC_BUILDER_IMAGE: 'quay.io/codefresh/cf-gc-builder:0.5.3'
+    # -- Set additional env vars.
+    env:
+      # -- Interval to check the exec status in the container-logger
+      CONTAINER_LOGGER_EXEC_CHECK_INTERVAL_MS: 1000
+      # -- Timeout while doing requests to the Docker daemon
+      DOCKER_REQUEST_TIMEOUT_MS: 30000
+      # -- If "true", composition images will be pulled sequentially
+      FORCE_COMPOSE_SERIAL_PULL: false
+      # -- Level of logging for engine
+      LOGGER_LEVEL: debug
+      # -- Enable debug-level logging of outgoing HTTP/HTTPS requests
+      LOG_OUTGOING_HTTP_REQUESTS: false
+      # -- Enable emitting metrics from engine
+      METRICS_PROMETHEUS_ENABLED: true
+      # -- Enable legacy metrics
+      METRICS_PROMETHEUS_ENABLE_LEGACY_METRICS: false
+      # -- Enable collecting process metrics
+      METRICS_PROMETHEUS_COLLECT_PROCESS_METRICS: false
+      # -- Host for Prometheus metrics server
+      METRICS_PROMETHEUS_HOST: '0.0.0.0'
+      # -- Port for Prometheus metrics server
+      METRICS_PROMETHEUS_PORT: 9100
+    # -- Set workflow limits.
+    workflowLimits:
+      # -- Maximum time allowed to the engine to wait for the pre-steps (aka "Initializing Process") to succeed; seconds.
+      MAXIMUM_ALLOWED_TIME_BEFORE_PRE_STEPS_SUCCESS: 600
+      # -- Maximum time for workflow execution; seconds.
+      MAXIMUM_ALLOWED_WORKFLOW_AGE_BEFORE_TERMINATION: 86400
+      # -- Maximum time allowed to workflow to spend in "elected" state; seconds.
+      MAXIMUM_ELECTED_STATE_AGE_ALLOWED: 900
+      # -- Maximum retry attempts allowed for workflow.
+      MAXIMUM_RETRY_ATTEMPTS_ALLOWED: 20
+      # -- Maximum time allowed to workflow to spend in "terminating" state until force terminated; seconds.
+      MAXIMUM_TERMINATING_STATE_AGE_ALLOWED: 900
+      # -- Maximum time allowed to workflow to spend in "terminating" state without logs activity until force terminated; seconds.
+      MAXIMUM_TERMINATING_STATE_AGE_ALLOWED_WITHOUT_UPDATE: 300
+      # -- Time since the last health check report after which workflow is terminated; seconds.
+      TIME_ENGINE_INACTIVE_UNTIL_TERMINATION: 300
+      # -- Time since the last health check report after which the engine is considered unhealthy; seconds.
+      TIME_ENGINE_INACTIVE_UNTIL_UNHEALTHY: 60
+      # -- Time since the last workflow logs activity after which workflow is terminated; seconds.
+      TIME_INACTIVE_UNTIL_TERMINATION: 2700
+    # -- Set pod annotations.
+    podAnnotations: {}
+    # -- Set pod labels.
+    podLabels: {}
+    # -- Set node selector.
+    nodeSelector: {}
+    # -- Set affinity
+    affinity: {}
+    # -- Set tolerations.
+    tolerations: []
+    # -- Set scheduler name.
+    schedulerName: ""
+    # -- Set service account for pod.
+    serviceAccount: codefresh-engine
+    # -- Set extra env vars
+    userEnvVars: []
+    # E.g.
+    # userEnvVars:
+    # - name: GITHUB_TOKEN
+    #   valueFrom:
+    #     secretKeyRef:
+    #       name: github-token
+    #       key: token
+
+  # -- Parameters for `runtime-patch` post-upgrade/install hook
+  # @default -- See below
+  patch:
+    enabled: true
+    image:
+      registry: quay.io
+      repository: codefresh/cli
+      tag: 0.85.0-rootless
+    rbac:
+      enabled: true
+    annotations: {}
+    affinity: {}
+    nodeSelector: {}
+    podSecurityContext: {}
+    resources: {}
+    tolerations: []
+    ttlSecondsAfterFinished: 180
+    env:
+      HOME: /tmp
+
+  # -- Parameters for `gencerts-dind` post-upgrade/install hook
+  # @default -- See below
+  gencerts:
+    enabled: true
+    image:
+      registry: quay.io
+      repository: codefresh/kubectl
+      tag: 1.28.4
+    rbac:
+      enabled: true
+    annotations: {}
+    affinity: {}
+    nodeSelector: {}
+    podSecurityContext: {}
+    resources: {}
+    tolerations: []
+    ttlSecondsAfterFinished: 180
+
+  # -- DinD pod daemon config
+  # @default -- See below
+  dindDaemon:
+    hosts:
+      - unix:///var/run/docker.sock
+      - tcp://0.0.0.0:1300
+    tlsverify: true
+    tls: true
+    tlscacert: /etc/ssl/cf-client/ca.pem
+    tlscert: /etc/ssl/cf/server-cert.pem
+    tlskey: /etc/ssl/cf/server-key.pem
+    insecure-registries:
+      - 192.168.99.100:5000
+    metrics-addr: 0.0.0.0:9323
+    experimental: true
+
+# App-Proxy parameters
+# Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#app-proxy-installation
+# @default -- See below
+appProxy:
+  # -- Enable app-proxy
+  enabled: false
+  # -- Set number of pods
+  replicasCount: 1
+  # -- Upgrade strategy
+  updateStrategy:
+    type: RollingUpdate
+  # -- Set pod annotations
+  podAnnotations: {}
+
+  # -- Set image
+  image:
+    registry: quay.io
+    repository: codefresh/cf-app-proxy
+    tag: 0.0.47
+  # -- Add additional env vars
+  env: {}
+
+  # Set app-proxy ingress parameters
+  # @default -- See below
+  ingress:
+    # -- Set path prefix for ingress (keep empty for default `/` path)
+    pathPrefix: ""
+    # -- Set ingress class
+    class: ""
+    # -- Set DNS hostname the ingress will use
+    host: ""
+    # -- Set k8s tls secret for the ingress object
+    tlsSecret: ""
+    # -- Set extra annotations for ingress object
+    annotations: {}
+    # E.g.
+    # ingress:
+    #   pathPrefix: "/cf-app-proxy"
+    #   class: "nginx"
+    #   host: "mydomain.com"
+    #   tlsSecret: "tls-cert-app-proxy"
+    #   annotations:
+    #     nginx.ingress.kubernetes.io/whitelist-source-range: 123.123.123.123/130
+
+  # -- Service Account parameters
+  serviceAccount:
+    # -- Create service account
+    create: true
+    # -- Override service account name
+    name: ""
+    # -- Use Role(true)/ClusterRole(true)
+    namespaced: true
+    # -- Additional service account annotations
+    annotations: {}
+
+  # -- RBAC parameters
+  rbac:
+    # -- Create RBAC resources
+    create: true
+    # -- Use Role(true)/ClusterRole(true)
+    namespaced: true
+    # -- Add custom rule to the role
+    rules: []
+
+  # -- Set security context for the pod
+  podSecurityContext: {}
+
+  # -- Readiness probe configuration
+  # @default -- See below
+  readinessProbe:
+    failureThreshold: 5
+    initialDelaySeconds: 5
+    periodSeconds: 5
+    successThreshold: 1
+    timeoutSeconds: 5
+
+  # -- Set requests and limits
+  resources: {}
+  # -- Set node selector
+  nodeSelector: {}
+  # -- Set tolerations
+  tolerations: []
+  # -- Set affinity
+  affinity: {}
+
+# Monitor parameters
+# @default -- See below
+monitor:
+  # -- Enable monitor
+  # Ref: https://codefresh.io/docs/docs/installation/codefresh-runner/#install-monitoring-component
+  enabled: false
+
+  # -- Set number of pods
+  replicasCount: 1
+  # -- Upgrade strategy
+  updateStrategy:
+    type: RollingUpdate
+  # -- Set pod annotations
+  podAnnotations: {}
+
+  # -- Set image
+  image:
+    registry: quay.io
+    repository: codefresh/cf-k8s-agent
+    tag: 1.3.17
+  # -- Add additional env vars
+  env: {}
+
+  # -- Service Account parameters
+  serviceAccount:
+    # -- Create service account
+    create: true
+    # -- Override service account name
+    name: ""
+    # -- Additional service account annotations
+    annotations: {}
+
+  # -- RBAC parameters
+  rbac:
+    # -- Create RBAC resources
+    create: true
+    # -- Use Role(true)/ClusterRole(true)
+    namespaced: true
+    # -- Add custom rule to the role
+    rules: []
+
+  # -- Readiness probe configuration
+  # @default -- See below
+  readinessProbe:
+    failureThreshold: 5
+    initialDelaySeconds: 5
+    periodSeconds: 5
+    successThreshold: 1
+    timeoutSeconds: 5
+
+  podSecurityContext: {}
+
+  # -- Set node selector
+  nodeSelector: {}
+  # -- Set resources
+  resources: {}
+  # -- Set tolerations
+  tolerations: []
+  # -- Set affinity
+  affinity: {}
+
+# -- Add serviceMonitor
+# @default -- See below
+serviceMonitor:
+  main:
+    # -- Enable service monitor for dind pods
+    enabled: false
+    nameOverride: dind
+    selector:
+      matchLabels:
+        app: dind
+    endpoints:
+    - path: /metrics
+      targetPort: 9100
+      relabelings:
+      - action: labelmap
+        regex: __meta_kubernetes_pod_label_(.+)
+
+# -- Add podMonitor (for engine pods)
+# @default -- See below
+podMonitor:
+  main:
+    # -- Enable pod monitor for engine pods
+    enabled: false
+    nameOverride: engine
+    selector:
+      matchLabels:
+        app: runtime
+    podMetricsEndpoints:
+    - path: /metrics
+      targetPort: 9100
+
+  runner:
+    # -- Enable pod monitor for runner pod
+    enabled: false
+    nameOverride: runner
+    selector:
+      matchLabels:
+        codefresh.io/application: runner
+    podMetricsEndpoints:
+    - path: /metrics
+      targetPort: 8080
+
+  volume-provisioner:
+    # -- Enable pod monitor for volumeProvisioner pod
+    enabled: false
+    nameOverride: volume-provisioner
+    selector:
+      matchLabels:
+        codefresh.io/application: volume-provisioner
+    podMetricsEndpoints:
+    - path: /metrics
+      targetPort: 8080
+
+# -- Event exporter parameters
+# @default -- See below
+event-exporter:
+  # -- Enable event-exporter
+  enabled: false
+  # -- Set number of pods
+  replicasCount: 1
+  # -- Upgrade strategy
+  updateStrategy:
+    type: Recreate
+  # -- Set pod annotations
+  podAnnotations: {}
+
+  # -- Set image
+  image:
+    registry: docker.io
+    repository: codefresh/k8s-event-exporter
+    tag: latest
+  # -- Add additional env vars
+  env: {}
+
+  # -- Service Account parameters
+  serviceAccount:
+    # -- Create service account
+    create: true
+    # -- Override service account name
+    name: ""
+    # -- Additional service account annotations
+    annotations: {}
+
+  # -- RBAC parameters
+  rbac:
+    # -- Create RBAC resources
+    create: true
+    # -- Add custom rule to the role
+    rules: []
+
+  # -- Set security context for the pod
+  # @default -- See below
+  podSecurityContext:
+    enabled: false
+
+  # -- Set node selector
+  nodeSelector: {}
+  # -- Set resources
+  resources: {}
+  # -- Set tolerations
+  tolerations: []
+  # -- Set affinity
+  affinity: {}
+
+# -- Array of extra objects to deploy with the release
+extraResources: []
+# E.g.
+# extraResources:
+# - apiVersion: rbac.authorization.k8s.io/v1
+#   kind: ClusterRole
+#   metadata:
+#     name: codefresh-role
+#   rules:
+#     - apiGroups: [ "*"]
+#       resources: ["*"]
+#       verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+# - apiVersion: v1
+#   kind: ServiceAccount
+#   metadata:
+#     name: codefresh-user
+#     namespace: "{{ .Release.Namespace }}"
+# - apiVersion: rbac.authorization.k8s.io/v1
+#   kind: ClusterRoleBinding
+#   metadata:
+#     name: codefresh-user
+#   roleRef:
+#     apiGroup: rbac.authorization.k8s.io
+#     kind: ClusterRole
+#     name: codefresh-role
+#   subjects:
+#   - kind: ServiceAccount
+#     name: codefresh-user
+#     namespace: "{{ .Release.Namespace }}"
+# - apiVersion: v1
+#   kind: Secret
+#   type: kubernetes.io/service-account-token
+#   metadata:
+#     name: codefresh-user-token
+#     namespace: "{{ .Release.Namespace }}"
+#     annotations:
+#       kubernetes.io/service-account.name: "codefresh-user"

charts/digitalis/vals-operator/0.7.10/.gitignore

@@ -0,0 +1,49 @@
+# These are some examples of commonly ignored file patterns.
+# You should customize this list as applicable to your project.
+# Learn more about .gitignore:
+#     https://www.atlassian.com/git/tutorials/saving-changes/gitignore
+
+# Node artifact files
+node_modules/
+dist/
+
+# Compiled Java class files
+*.class
+
+# Compiled Python bytecode
+*.py[cod]
+
+# Log files
+*.log
+
+# Package files
+*.jar
+
+# Maven
+target/
+dist/
+
+# JetBrains IDE
+.idea/
+
+# Unit test reports
+TEST*.xml
+
+# Generated by MacOS
+.DS_Store
+
+# Generated by Windows
+Thumbs.db
+
+# Applications
+*.app
+*.exe
+*.war
+
+# Large media files
+*.mp4
+*.tiff
+*.avi
+*.flv
+*.mov
+*.wmv

charts/digitalis/vals-operator/0.7.10/Chart.yaml

@@ -0,0 +1,23 @@
+annotations:
+  catalog.cattle.io/certified: partner
+  catalog.cattle.io/display-name: Vals-Operator
+  catalog.cattle.io/kube-version: '>= 1.19.0-0'
+  catalog.cattle.io/release-name: vals-operator
+apiVersion: v2
+appVersion: v0.7.10
+description: 'This helm chart installs the Digitalis Vals Operator to manage and sync
+  secrets from supported backends into Kubernetes. ## About Vals-Operator Here at
+  [Digitalis](https://digitalis.io) we love [vals](https://github.com/helmfile/vals),
+  it''s a tool we use daily to keep secrets stored securely. Inspired by this tool,
+  we have created an operator to manage Kubernetes secrets. *vals-operator* syncs
+  secrets from any secrets store supported by [vals](https://github.com/helmfile/vals)
+  into Kubernetes. Also, `vals-operator` supports database secrets as provider by
+  [HashiCorp Vault Secret Engine](https://developer.hashicorp.com/vault/docs/secrets/databases). '
+icon: file://assets/icons/vals-operator.png
+kubeVersion: '>= 1.19.0-0'
+maintainers:
+- email: info@digitalis.io
+  name: Digitalis.IO
+name: vals-operator
+type: application
+version: 0.7.10

charts/digitalis/vals-operator/0.7.10/README.md

@@ -0,0 +1,55 @@
+# vals-operator
+
+![Version: 0.7.10](https://img.shields.io/badge/Version-0.7.10-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v0.7.10](https://img.shields.io/badge/AppVersion-v0.7.10-informational?style=flat-square)
+
+This helm chart installs the Digitalis Vals Operator to manage and sync secrets from supported backends into Kubernetes.
+## About Vals-Operator
+Here at [Digitalis](https://digitalis.io) we love [vals](https://github.com/helmfile/vals), it's a tool we use daily to keep secrets stored securely. Inspired by this tool, we have created an operator to manage Kubernetes secrets.
+*vals-operator* syncs secrets from any secrets store supported by [vals](https://github.com/helmfile/vals) into Kubernetes. Also, `vals-operator` supports database secrets as provider by [HashiCorp Vault Secret Engine](https://developer.hashicorp.com/vault/docs/secrets/databases).
+
+## Maintainers
+
+| Name | Email | Url |
+| ---- | ------ | --- |
+| Digitalis.IO | <info@digitalis.io> |  |
+
+## Requirements
+
+Kubernetes: `>= 1.19.0-0`
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` |  |
+| args | list | `[]` |  |
+| enableDbSecrets | bool | `true` |  |
+| env | list | `[]` |  |
+| environmentSecret | string | `""` |  |
+| fullnameOverride | string | `""` |  |
+| image.pullPolicy | string | `"IfNotPresent"` |  |
+| image.repository | string | `"ghcr.io/digitalis-io/vals-operator"` |  |
+| image.tag | string | `""` |  |
+| imagePullSecrets | list | `[]` |  |
+| manageCrds | bool | `true` |  |
+| nameOverride | string | `""` |  |
+| nodeSelector | object | `{}` |  |
+| podMonitor.enabled | bool | `false` |  |
+| podMonitor.labels | object | `{}` |  |
+| podSecurityContext | object | `{}` |  |
+| prometheusRules.additionalRuleAnnotations | object | `{}` |  |
+| prometheusRules.additionalRuleLabels | object | `{}` |  |
+| prometheusRules.enabled | bool | `false` |  |
+| replicaCount | int | `1` |  |
+| resources | object | `{}` |  |
+| secretEnv | list | `[]` |  |
+| securityContext | object | `{}` |  |
+| serviceAccount.annotations | object | `{}` |  |
+| serviceAccount.create | bool | `true` |  |
+| serviceAccount.name | string | `""` |  |
+| tolerations | list | `[]` |  |
+| volumeMounts | list | `[]` |  |
+| volumes | list | `[]` |  |
+
+----------------------------------------------
+Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)

charts/digitalis/vals-operator/0.7.10/app-readme.md

@@ -0,0 +1,9 @@
+# Vals-Operator
+
+Here at [Digitalis](https://digitalis.io) we love [vals](https://github.com/variantdev/vals), it's a tool we use daily to keep secrets stored securely. We also use [secrets-manager](https://github.com/tuenti/secrets-manager) on the Kubernetes deployment we manage. Inspired by these two wonderful tools we have created this operator.
+
+*vals-operator* syncs secrets from any secrets store supported by [vals](https://github.com/variantdev/vals) into Kubernetes. It works very similarly to [secrets-manager](https://github.com/tuenti/secrets-manager) and the code is actually based on it. Where they differ is that it not just supports HashiCorp Vault but many other secrets stores.
+
+## Mirroring secrets
+
+We have also added the ability to copy secrets between namespaces. It uses the format `ref+k8s://namespace/secret#key`. This way you can keep secrets generated in one namespace in sync with any other namespace in the cluster.

charts/digitalis/vals-operator/0.7.10/crds/dbsecrets.yaml

@@ -0,0 +1,85 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.10.0
+    "helm.sh/hook": crd-install
+    "helm.sh/hook-delete-policy": "before-hook-creation"
+  creationTimestamp: null
+  name: dbsecrets.digitalis.io
+spec:
+  group: digitalis.io
+  names:
+    kind: DbSecret
+    listKind: DbSecretList
+    plural: dbsecrets
+    singular: dbsecret
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    schema:
+      openAPIV3Schema:
+        description: DbSecret is the Schema for the dbsecrets API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: DbSecretSpec defines the desired state of DbSecret
+            properties:
+              renew:
+                type: boolean
+              rollout:
+                items:
+                  properties:
+                    kind:
+                      description: Kind is either Deployment, Pod or StatefulSet
+                      type: string
+                    name:
+                      description: Name is the object name
+                      type: string
+                  required:
+                  - kind
+                  - name
+                  type: object
+                type: array
+              secretName:
+                description: Name can override the secret name, defaults to manifests.name
+                type: string
+              template:
+                additionalProperties:
+                  type: string
+                type: object
+              vault:
+                properties:
+                  mount:
+                    description: Mount is the vault database
+                    type: string
+                  role:
+                    description: Role is the vault role used to connect to the database
+                    type: string
+                required:
+                - mount
+                - role
+                type: object
+            required:
+            - vault
+            type: object
+          status:
+            description: DbSecretStatus defines the observed state of DbSecret
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}

charts/digitalis/vals-operator/0.7.10/crds/valssecrets.yaml

@@ -0,0 +1,134 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.1
+    "helm.sh/hook": crd-install
+    "helm.sh/hook-delete-policy": "before-hook-creation"
+  creationTimestamp: null
+  name: valssecrets.digitalis.io
+spec:
+  group: digitalis.io
+  names:
+    kind: ValsSecret
+    listKind: ValsSecretList
+    plural: valssecrets
+    singular: valssecret
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: ValsSecret is the Schema for the valssecrets API
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ValsSecretSpec defines the desired state of ValsSecret
+            properties:
+              data:
+                additionalProperties:
+                  properties:
+                    encoding:
+                      description: Encoding type for the secret. Only base64 supported.
+                        Optional
+                      type: string
+                    ref:
+                      description: Ref value to the secret in the format ref+backend://path
+                        https://github.com/helmfile/vals
+                      type: string
+                  required:
+                  - ref
+                  type: object
+                type: object
+              databases:
+                items:
+                  properties:
+                    driver:
+                      description: Defines the database type
+                      type: string
+                    hosts:
+                      description: List of hosts to connect to, they'll be tried in
+                        sequence until one succeeds
+                      items:
+                        type: string
+                      type: array
+                    loginCredentials:
+                      description: Credentials to access the database
+                      properties:
+                        namespace:
+                          description: Optional namespace of the secret, default current
+                            namespace
+                          type: string
+                        passwordKey:
+                          description: Key in the secret containing the database username
+                          type: string
+                        secretName:
+                          description: Name of the secret containing the credentials
+                            to be able to log in to the database
+                          type: string
+                        usernameKey:
+                          description: Key in the secret containing the database username
+                          type: string
+                      required:
+                      - passwordKey
+                      - secretName
+                      type: object
+                    passwordKey:
+                      description: Key in the secret containing the database username
+                      type: string
+                    port:
+                      description: Database port number
+                      type: integer
+                    userHost:
+                      description: Used for MySQL only, the host part for the username
+                      type: string
+                    usernameKey:
+                      description: Key in the secret containing the database username
+                      type: string
+                  required:
+                  - driver
+                  - hosts
+                  - passwordKey
+                  type: object
+                type: array
+              name:
+                type: string
+              template:
+                type: object
+                additionalProperties:
+                  type: string
+              ttl:
+                format: int64
+                type: integer
+              type:
+                type: string
+            required:
+            - data
+            type: object
+          status:
+            description: ValsSecretStatus defines the observed state of ValsSecret
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

charts/digitalis/vals-operator/0.7.10/questions.yaml

@@ -0,0 +1,26 @@
+questions:
+#image configurations
+- variable: image.repository
+  default: "digitalisdocker/vals-operator"
+  description: image registry
+  type: string
+  label: Image Registry
+  group: "Container Images"
+- variable: image.tag
+  default: "v0.3.0"
+  description: Image tag
+  type: string
+  label: Image Tag
+  group: "Container Images"
+- variable: imagePullSecrets
+  default: ""
+  description: secret name to pull image
+  type: string
+  label: Image Pull Secrets
+  group: "Container Images"
+- variable: environmentSecret
+  default: ""
+  description: "The secret containing env variables to access the backend secrets store."
+  label: Config Secret
+  type: string
+  group: "Settings"

charts/digitalis/vals-operator/0.7.10/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "vals-operator.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "vals-operator.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "vals-operator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "vals-operator.labels" -}}
+helm.sh/chart: {{ include "vals-operator.chart" . }}
+{{ include "vals-operator.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "vals-operator.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "vals-operator.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "vals-operator.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "vals-operator.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

charts/digitalis/vals-operator/0.7.10/templates/crds.yaml

@@ -0,0 +1,7 @@
+{{- if .Values.manageCrds -}}
+{{ $.Files.Get "crds/valssecrets.yaml" }}
+{{- if .Values.enableDbSecrets -}}
+---
+{{ $.Files.Get "crds/dbsecrets.yaml" }}
+{{- end }}
+{{- end }}

charts/digitalis/vals-operator/0.7.10/templates/deployment.yaml

@@ -0,0 +1,75 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "vals-operator.fullname" . }}
+  labels:
+    {{- include "vals-operator.labels" . | nindent 4 }}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      {{- include "vals-operator.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "vals-operator.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "vals-operator.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.args }}
+          args:
+            {{- toYaml .Values.args | nindent 12 }}
+          {{- end }}
+          {{- if .Values.environmentSecret }}
+          envFrom:
+            - secretRef:
+                name: "{{ .Values.environmentSecret }}"
+          {{- else }}
+          envFrom:
+            {{- toYaml .Values.secretEnv | nindent 12 }}
+          {{- end }}
+          {{- if .Values.env }}
+          env:
+            {{- toYaml .Values.env | nindent 12 }}
+          {{- end }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          {{- if .Values.volumeMounts }}
+          volumeMounts:
+            {{- toYaml .Values.volumeMounts | nindent 12 }}
+          {{- end }}
+          ports:
+            - containerPort: {{ .Values.metricsPort | default 8080 }}
+              name: metrics
+              protocol: TCP
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- if .Values.volumes }}
+      volumes:
+        {{- toYaml .Values.volumes | nindent 8 }}
+      {{- end }}

charts/digitalis/vals-operator/0.7.10/templates/podmonitor.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.podMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: {{ include "vals-operator.fullname" . }}
+  labels:
+    {{- include "vals-operator.labels" . | nindent 4 }}
+spec:
+  podMetricsEndpoints:
+  - interval: 30s
+    port: "metrics"
+    path: "/metrics"
+  namespaceSelector:
+    matchNames:
+    - "{{ .Release.Namespace }}"
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "vals-operator.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

charts/digitalis/vals-operator/0.7.10/templates/prometheusrules.yaml

@@ -0,0 +1,68 @@
+{{- if .Values.prometheusRules.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: {{ include "vals-operator.fullname" . }}
+  labels:
+    {{- include "vals-operator.labels" . | nindent 4 }}
+spec:
+  groups:
+    - name: vals-operator
+      rules:
+{{- if .Values.enableDbSecrets }}
+        - alert: ValsOperatorDbSecretError
+          expr: vals_operator_dbsecret_error > time() - 300
+          for: 30m
+          labels:
+            severity: warning
+      {{- if .Values.prometheusRules.additionalRuleLabels }}
+        {{- with .Values.prometheusRules.additionalRuleLabels }}
+          {{- toYaml . | nindent 12 }}
+        {{- end }}
+      {{- end }}
+          annotations:
+            summary: vals-operator database secret not issued
+            description: "Vals operator has been unable to issue database credentials for secret {{`{{`}}$labels.secret{{`}}`}} in namespace {{`{{`}}$labels.namespace{{`}}`}}"
+      {{- if .Values.prometheusRules.additionalRuleAnnotations }}
+        {{- with .Values.prometheusRules.additionalRuleAnnotations }}
+          {{- toYaml . | nindent 12 }}
+        {{- end }}
+      {{- end }}
+        - alert: ValsOperatorDbSecretExpired
+          expr: time() > vals_operator_dbsecret_expire_time
+          for: 30m
+          labels:
+            severity: warning
+      {{- if .Values.prometheusRules.additionalRuleLabels }}
+        {{- with .Values.prometheusRules.additionalRuleLabels }}
+          {{- toYaml . | nindent 12 }}
+        {{- end }}
+      {{- end }}
+          annotations:
+            summary: vals-operator database secret expired
+            description: "Vals operator database credentials for secret {{`{{`}}$labels.secret{{`}}`}} in namespace {{`{{`}}$labels.namespace{{`}}`}} expired"
+      {{- if .Values.prometheusRules.additionalRuleAnnotations }}
+        {{- with .Values.prometheusRules.additionalRuleAnnotations }}
+          {{- toYaml . | nindent 12 }}
+        {{- end }}
+      {{- end }}
+{{- end }}
+        - alert: ValsOperatorSecretError
+          expr: vals_operator_secret_error > time() - 300
+          for: 30m
+          labels:
+            severity: warning
+      {{- if .Values.prometheusRules.additionalRuleLabels }}
+        {{- with .Values.prometheusRules.additionalRuleLabels }}
+          {{- toYaml . | nindent 12 }}
+        {{- end }}
+      {{- end }}
+          annotations:
+            summary: vals-operator secret not issued
+            description: "Vals operator has been unable to create the secret for {{`{{`}}$labels.secret{{`}}`}} in namespace {{`{{`}}$labels.namespace{{`}}`}}"
+      {{- if .Values.prometheusRules.additionalRuleAnnotations }}
+        {{- with .Values.prometheusRules.additionalRuleAnnotations }}
+          {{- toYaml . | nindent 12 }}
+        {{- end }}
+      {{- end }}
+{{- end }}

charts/digitalis/vals-operator/0.7.10/templates/serviceaccount.yaml

@@ -0,0 +1,91 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: vals-operator
+  labels:
+    {{- include "vals-operator.labels" . | nindent 4 }}
+rules:
+  {{- if .Values.enableDbSecrets }}
+- apiGroups:
+  - "apps"
+  resources:
+  - "statefulsets"
+  - "deployments"
+  verbs:
+  - "get"
+  - "list"
+  - "watch"
+  - "update"
+  - "delete"
+  - "create"
+  {{- end }}
+- apiGroups:
+  - ""
+  resources:
+  - "secrets"
+  verbs:
+  - "get"
+  - "list"
+  - "watch"
+  - "update"
+  - "delete"
+  - "create"
+- apiGroups:
+  - ""
+  resources:
+  - "events"
+  verbs:
+  - "create"
+  - "patch"
+- apiGroups:
+  - "digitalis.io"
+  resources:
+  - "valssecrets"
+  verbs:
+  - "get"
+  - "list"
+  - "watch"
+  - "update"
+  - "delete"
+  - "create"
+{{- if .Values.enableDbSecrets }}
+- apiGroups:
+  - "digitalis.io"
+  resources:
+  - "dbsecrets"
+  verbs:
+  - "get"
+  - "list"
+  - "watch"
+  - "update"
+  - "delete"
+  - "create"
+{{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: vals-operator
+  labels:
+    {{- include "vals-operator.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: vals-operator
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "vals-operator.serviceAccountName" . }}
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "vals-operator.serviceAccountName" . }}
+  labels:
+    {{- include "vals-operator.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

charts/digitalis/vals-operator/0.7.10/values.yaml

@@ -0,0 +1,117 @@
+replicaCount: 1
+
+image:
+  repository: ghcr.io/digitalis-io/vals-operator
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: ""
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+manageCrds: true
+
+# This may not be required by everyone and the pod will require wider permissions
+# which may not be desired on secure environments
+enableDbSecrets: true
+
+prometheusRules:
+  enabled: false
+  ## Additional labels for PrometheusRule alerts
+  additionalRuleLabels: {}
+
+  ## Additional annotations for PrometheusRule alerts
+  additionalRuleAnnotations: {}
+
+# additional arguments to operator
+args: []
+  # -exclude-namespaces string
+  #   	Comma separated list of namespaces to ignore.
+  # -health-probe-bind-address string
+  #   	The address the probe endpoint binds to. (default ":8081")
+  # -kubeconfig string
+  #   	Paths to a kubeconfig. Only required if out-of-cluster.
+  # -leader-elect
+  #   	Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.
+  # -metrics-bind-address string
+  #   	The address the metric endpoint binds to. (default ":8080")
+  # -reconcile-period duration
+  #   	How often the controller will re-queue vals-operator events. (default 5s)
+  # -record-changes
+  #   	Records every time a secret has been updated. You can view them with kubectl describe. It may also be disabled globally and enabled per secret via the annotation 'vals-operator.digitalis.io/record: "true"' (default true)
+  # -ttl duration
+  #   	How often to check backend for updates. (default 5m0s)
+  # -watch-namespaces string
+  #   	Comma separated list of namespaces that vals-operator will watch.
+  # -zap-devel
+  #   	Development Mode defaults(encoder=consoleEncoder,logLevel=Debug,stackTraceLevel=Warn). Production Mode defaults(encoder=jsonEncoder,logLevel=Info,stackTraceLevel=Error) (default true)
+  # -zap-encoder value
+  #   	Zap log encoding (one of 'json' or 'console')
+  # -zap-log-level value
+  #   	Zap Level to configure the verbosity of logging. Can be one of 'debug', 'info', 'error', or any integer value > 0 which corresponds to custom debug levels of increasing verbosity
+  # -zap-stacktrace-level value
+  #   	Zap Level at and above which stacktraces are captured (one of 'info', 'error', 'panic').
+
+
+environmentSecret: ""
+
+# See https://github.com/helmfile/vals
+# for information on setting up your backend environment.
+env: []
+  # - name: VAULT_SKIP_VERIFY
+  #   value: "true"
+
+secretEnv: []
+  # - secretRef:
+  #     name: aws-creds
+
+volumes: []
+  # - name: creds
+  #   secret:
+  #     secretName: gcs-credentials
+volumeMounts: []
+  # - name: creds
+  #   mountPath: /secret
+  #   readOnly: true
+
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+podMonitor:
+  # When set to true then use a podMonitor to collect metrics
+  enabled: false
+  # Custom labels to use in the podMonitor to be matched with a specific Prometheus
+  labels: {}
+  # Set the namespace the podMonitor should be deployed to
+  # namespace: default
+  # Set how frequently Prometheus should scrape
+  # interval: 30s
+  # Set timeout for scrape
+  # scrapeTimeout: 10s
+
+resources: {}
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}

charts/kuma/kuma/2.8.2/.helmdocsignore

@@ -0,0 +1 @@
+# Charts to ignore from helm-docs