Added chart versions:

  cockroach-labs/cockroachdb:
    - 14.0.3
  dynatrace/dynatrace-operator:
    - 1.3.0
  speedscale/speedscale-operator:
    - 2.2.425
pull/1062/head
github-actions[bot] 2024-09-24 00:56:38 +00:00
parent 9e15e23b7c
commit ef7f5ff504
101 changed files with 14190 additions and 1 deletions


@ -0,0 +1,14 @@
# Contributing
Contributions are welcome!
For every change, please increment the `version` contained in
[Chart.yaml](https://github.com/cockroachdb/helm-charts/blob/master/cockroachdb/Chart.yaml).
The `version` roughly follows the [SEMVER](https://semver.org/) versioning
pattern. For changes which do not affect backwards compatibility, the PATCH or
MINOR version must be incremented, e.g. `4.1.3` -> `4.1.4`. For changes which
affect the backwards compatibility of the chart, the major version must be
incremented, e.g. `4.1.3` -> `5.0.0`. Examples of changes which affect backwards
compatibility include any major version releases of CockroachDB, as well as any
breaking changes to the CockroachDB chart templates.
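Review bot: the instruction to bump `version` links to Chart.yaml in the upstream cockroachdb/helm-charts repository, but this copy lands here through the github-actions[bot] "Added chart versions" commit, so a contributor editing this file would be changing a mirrored copy that the next sync overwrites; a one-line pointer that changes (and the version bump) belong upstream and that this directory is regenerated would avoid that. The PATCH/MINOR sentence also gives only a PATCH example (`4.1.3` -> `4.1.4`); one line on when MINOR is expected (for example a new value or template) would make the rule actionable.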


@ -0,0 +1,18 @@
annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: CockroachDB
catalog.cattle.io/kube-version: '>=1.8-0'
catalog.cattle.io/release-name: cockroachdb
apiVersion: v1
appVersion: 24.2.2
description: CockroachDB is a scalable, survivable, strongly-consistent SQL database.
home: https://www.cockroachlabs.com
icon: file://assets/icons/cockroachdb.png
kubeVersion: '>=1.8-0'
maintainers:
- email: helm-charts@cockroachlabs.com
name: cockroachlabs
name: cockroachdb
sources:
- https://github.com/cockroachdb/cockroach
version: 14.0.3
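Review bot: `apiVersion: v1` is the Helm 2 chart API, while the README added in this same commit states that Helm 3.0 or higher is required; declaring `apiVersion: v2` lets Helm enforce that and is what a Helm 3 only chart should carry. `kubeVersion: '>=1.8-0'` (and the matching `catalog.cattle.io/kube-version` annotation) admits Kubernetes releases far older than the features the README exposes, such as `statefulset.topologySpreadConstraints`, which did not exist in Kubernetes 1.8; tightening the constraint to a version the chart is actually tested against turns an install on an unsupported cluster into an immediate Helm error instead of a late template or API failure.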


@ -0,0 +1,588 @@
<!--- Generated file, DO NOT EDIT. Source: build/templates/README.md --->
# CockroachDB Helm Chart
[CockroachDB](https://github.com/cockroachdb/cockroach) - the open source, cloud-native distributed SQL database.
## Documentation
Below is a brief overview of operating the CockroachDB Helm Chart and some specific implementation details. For additional information on deploying CockroachDB, please see:
> <https://www.cockroachlabs.com/docs/stable/orchestrate-cockroachdb-with-kubernetes.html>
Note that the documentation requires Helm 3.0 or higher.
## Prerequisites Details
* Kubernetes 1.8
* PV support on the underlying infrastructure (only if using `storage.persistentVolume`). [Docker for windows hostpath provisioner is not supported](https://github.com/cockroachdb/docs/issues/3184).
* If you want to secure your cluster to use TLS certificates for all network communication, [Helm must be installed with RBAC privileges](https://helm.sh/docs/topics/rbac/) or else you will get an "attempt to grant extra privileges" error.
## StatefulSet Details
* <http://kubernetes.io/docs/concepts/abstractions/controllers/statefulsets/>
## StatefulSet Caveats
* <http://kubernetes.io/docs/concepts/abstractions/controllers/statefulsets/#limitations>
## Chart Details
This chart will do the following:
* Set up a dynamically scalable CockroachDB cluster using a Kubernetes StatefulSet.
## Add the CockroachDB Repository
```shell
helm repo add cockroachdb https://charts.cockroachdb.com/
```
## Installing the Chart
To install the chart with the release name `my-release`:
```shell
helm install my-release cockroachdb/cockroachdb
```
Note that for a production cluster, you will likely want to override the following parameters in [`values.yaml`](values.yaml) with your own values.
- `statefulset.resources.requests.memory` and `statefulset.resources.limits.memory` allocate memory resources to CockroachDB pods in your cluster.
- `conf.cache` and `conf.max-sql-memory` are memory limits that we recommend setting to 1/4 of the above resource allocation. When running CockroachDB, you must set these limits explicitly to avoid running out of memory.
- `storage.persistentVolume.size` defaults to `100Gi` of disk space per pod, which you may increase or decrease for your use case.
- `storage.persistentVolume.storageClass` uses the default storage class for your environment. We strongly recommend that you specify a storage class which uses an SSD.
- `tls.enabled` must be set to `yes`/`true` to deploy in secure mode.
For more information on overriding the `values.yaml` parameters, please see:
> <https://www.cockroachlabs.com/docs/stable/orchestrate-cockroachdb-with-kubernetes.html#step-2-start-cockroachdb>
Confirm that all pods are `Running` successfully and init has been completed:
```shell
kubectl get pods
```
```
NAME READY STATUS RESTARTS AGE
my-release-cockroachdb-0 1/1 Running 0 1m
my-release-cockroachdb-1 1/1 Running 0 1m
my-release-cockroachdb-2 1/1 Running 0 1m
my-release-cockroachdb-init-k6jcr 0/1 Completed 0 1m
```
Confirm that persistent volumes are created and claimed for each pod:
```shell
kubectl get pv
```
```
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
pvc-64878ebf-f3f0-11e8-ab5b-42010a8e0035 100Gi RWO Delete Bound default/datadir-my-release-cockroachdb-0 standard 51s
pvc-64945b4f-f3f0-11e8-ab5b-42010a8e0035 100Gi RWO Delete Bound default/datadir-my-release-cockroachdb-1 standard 51s
pvc-649d920d-f3f0-11e8-ab5b-42010a8e0035 100Gi RWO Delete Bound default/datadir-my-release-cockroachdb-2 standard 51s
```
### Running in secure mode
In order to set up a secure cockroachdb cluster set `tls.enabled` to `yes`/`true`
There are 3 ways to configure a secure cluster, with this chart. This all relates to how the certificates are issued:
* Self-signer (default)
* Cert-manager
* Manual
#### Self-signer
This is the default behaviour, and requires no configuration beyond setting certificate durations if user wants to set custom duration.
If you are running in this mode, self-signed certificates are created by self-signed utility for the nodes and root client and are stored in a secret.
You can look for the certificates created:
```shell
kubectl get secrets
```
```shell
crdb-cockroachdb-ca-secret Opaque 2 23s
crdb-cockroachdb-client-secret kubernetes.io/tls 3 22s
crdb-cockroachdb-node-secret kubernetes.io/tls 3 23s
```
#### Manual
If you wish to supply the certificates to the nodes yourself set `tls.certs.provided` to `yes`/`true`. You may want to use this if you want to use a different certificate authority from the one being used by Kubernetes or if your Kubernetes cluster doesn't fully support certificate-signing requests. To use this, first set up your certificates and load them into your Kubernetes cluster as Secrets using the commands below:
```shell
$ mkdir certs
$ mkdir my-safe-directory
$ cockroach cert create-ca --certs-dir=certs --ca-key=my-safe-directory/ca.key
$ cockroach cert create-client root --certs-dir=certs --ca-key=my-safe-directory/ca.key
$ kubectl create secret generic cockroachdb-root --from-file=certs
secret/cockroachdb-root created
$ cockroach cert create-node --certs-dir=certs --ca-key=my-safe-directory/ca.key localhost 127.0.0.1 my-release-cockroachdb-public my-release-cockroachdb-public.my-namespace my-release-cockroachdb-public.my-namespace.svc.cluster.local *.my-release-cockroachdb *.my-release-cockroachdb.my-namespace *.my-release-cockroachdb.my-namespace.svc.cluster.local
$ kubectl create secret generic cockroachdb-node --from-file=certs
secret/cockroachdb-node created
```
> Note: The subject alternative names are based on a release called `my-release` in the `my-namespace` namespace. Make sure they match the services created with the release during `helm install`
If your certificates are stored in tls secrets such as secrets generated by cert-manager, the secret will contain files named:
* `ca.crt`
* `tls.crt`
* `tls.key`
Cockroachdb, however, expects the files to be named like this:
* `ca.crt`
* `node.crt`
* `node.key`
* `client.root.crt`
* `client.root.key`
By enabling `tls.certs.tlsSecret` the tls secrets are projected on to the correct filenames, when they are mounted to the cockroachdb pods.
#### Cert-manager
If you wish to supply certificates with [cert-manager][3], set
* `tls.certs.certManager` to `yes`/`true`
* `tls.certs.certManagerIssuer` to an IssuerRef (as they appear in certificate resources) pointing to a clusterIssuer or issuer, you have set up in the cluster
Example issuer:
```yaml
apiVersion: v1
kind: Secret
metadata:
name: cockroachdb-ca
namespace: cockroachdb
data:
tls.crt: [BASE64 Encoded ca.crt]
tls.key: [BASE64 Encoded ca.key]
type: kubernetes.io/tls
---
apiVersion: cert-manager.io/v1alpha3
kind: Issuer
metadata:
name: cockroachdb-cert-issuer
namespace: cockroachdb
spec:
ca:
secretName: cockroachdb-ca
```
## Upgrading the cluster
### Chart version 3.0.0 and after
Launch a temporary interactive pod and start the built-in SQL client:
```shell
kubectl run cockroachdb --rm -it \
--image=cockroachdb/cockroach \
--restart=Never \
-- sql --insecure --host=my-release-cockroachdb-public
```
> If you are running in secure mode, you will have to provide a client certificate to the cluster in order to authenticate, so the above command will not work. See [here](https://github.com/cockroachdb/cockroach/blob/master/cloud/kubernetes/client-secure.yaml) for an example of how to set up an interactive SQL shell against a secure cluster or [here](https://github.com/cockroachdb/cockroach/blob/master/cloud/kubernetes/example-app-secure.yaml) for an example application connecting to a secure cluster.
Set `cluster.preserve_downgrade_option`, where `$current_version` is the CockroachDB version currently running (e.g., `19.2`):
```sql
> SET CLUSTER SETTING cluster.preserve_downgrade_option = '$current_version';
```
Exit the shell and delete the temporary pod:
```sql
> \q
```
Kick off the upgrade process by changing the new Docker image, where `$new_version` is the CockroachDB version to which you are upgrading:
```shell
helm upgrade my-release cockroachdb/cockroachdb \
--set image.tag=$new_version \
--reuse-values
```
Kubernetes will carry out a safe [rolling upgrade](https://kubernetes.io/docs/tutorials/stateful-application/basic-stateful-set/#updating-statefulsets) of your CockroachDB nodes one-by-one. Monitor the cluster's pods until all have been successfully restarted:
```shell
kubectl get pods
```
```
NAME READY STATUS RESTARTS AGE
my-release-cockroachdb-0 1/1 Running 0 2m
my-release-cockroachdb-1 1/1 Running 0 3m
my-release-cockroachdb-2 1/1 Running 0 3m
my-release-cockroachdb-3 0/1 ContainerCreating 0 25s
my-release-cockroachdb-init-nwjkh 0/1 ContainerCreating 0 6s
```
```shell
kubectl get pods \
-o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.containers[0].image}{"\n"}'
```
```
my-release-cockroachdb-0 cockroachdb/cockroach:v24.2.2
my-release-cockroachdb-1 cockroachdb/cockroach:v24.2.2
my-release-cockroachdb-2 cockroachdb/cockroach:v24.2.2
my-release-cockroachdb-3 cockroachdb/cockroach:v24.2.2
```
Resume normal operations. Once you are comfortable that the stability and performance of the cluster is what you'd expect post-upgrade, finalize the upgrade:
```shell
kubectl run cockroachdb --rm -it \
--image=cockroachdb/cockroach \
--restart=Never \
-- sql --insecure --host=my-release-cockroachdb-public
```
```sql
> RESET CLUSTER SETTING cluster.preserve_downgrade_option;
> \q
```
### Chart versions prior to 3.0.0
Due to a change in the label format in version 3.0.0 of this chart, upgrading requires that you delete the StatefulSet. Luckily there is a way to do it without actually deleting all the resources managed by the StatefulSet. Use the workaround below to upgrade from charts versions previous to 3.0.0:
Get the new labels from the specs rendered by Helm:
```shell
helm template -f deploy.vals.yml cockroachdb/cockroachdb -x templates/statefulset.yaml \
| yq r - spec.template.metadata.labels
```
```
app.kubernetes.io/name: cockroachdb
app.kubernetes.io/instance: my-release
app.kubernetes.io/component: cockroachdb
```
Place the new labels on all pods of the StatefulSet (change `my-release-cockroachdb-0` to the name of each pod):
```shell
kubectl label pods my-release-cockroachdb-0 \
app.kubernetes.io/name=cockroachdb \
app.kubernetes.io/instance=my-release \
app.kubernetes.io/component=cockroachdb
```
Delete the StatefulSet without deleting pods:
```shell
kubectl delete statefulset my-release-cockroachdb --cascade=false
```
Verify that no pod is deleted and then upgrade as normal. A new StatefulSet will be created, taking over the management of the existing pods and upgrading them if needed.
### See also
For more information about upgrading a cluster to the latest major release of CockroachDB, see [Upgrade to CockroachDB](https://www.cockroachlabs.com/docs/stable/upgrade-cockroach-version.html).
Note that there are sometimes backward-incompatible changes to SQL features between major CockroachDB releases. For details, see the [Upgrade Policy](https://www.cockroachlabs.com/docs/cockroachcloud/upgrade-policy).
## Configuration
The following table lists the configurable parameters of the CockroachDB chart and their default values.
For details see the [`values.yaml`](values.yaml) file.
| Parameter | Description | Default |
| --------- | ----------- | ------- |
| `clusterDomain` | Cluster's default DNS domain | `cluster.local` |
| `conf.attrs` | CockroachDB node attributes | `[]` |
| `conf.cache` | Size of CockroachDB's in-memory cache | `25%` |
| `conf.cluster-name` | Name of CockroachDB cluster | `""` |
| `conf.disable-cluster-name-verification` | Disable CockroachDB cluster name verification | `no` |
| `conf.join` | List of already-existing CockroachDB instances | `[]` |
| `conf.max-disk-temp-storage` | Max storage capacity for temp data | `0` |
| `conf.max-offset` | Max allowed clock offset for CockroachDB cluster | `500ms` |
| `conf.max-sql-memory` | Max memory to use processing SQL querie | `25%` |
| `conf.locality` | Locality attribute for this deployment | `""` |
| `conf.single-node` | Disable CockroachDB clustering (standalone mode) | `no` |
| `conf.sql-audit-dir` | Directory for SQL audit log | `""` |
| `conf.port` | CockroachDB primary serving port in Pods | `26257` |
| `conf.http-port` | CockroachDB HTTP port in Pods | `8080` |
| `conf.path` | CockroachDB data directory mount path | `cockroach-data` |
| `conf.store.enabled` | Enable store configuration for CockroachDB | `false` |
| `conf.store.type` | CockroachDB storage type | `""` |
| `conf.store.size` | CockroachDB storage size | `""` |
| `conf.store.attrs` | CockroachDB storage attributes | `""` |
| `image.repository` | Container image name | `cockroachdb/cockroach` |
| `image.tag` | Container image tag | `v24.2.2` |
| `image.pullPolicy` | Container pull policy | `IfNotPresent` |
| `image.credentials` | `registry`, `user` and `pass` credentials to pull private image | `{}` |
| `statefulset.replicas` | StatefulSet replicas number | `3` |
| `statefulset.updateStrategy` | Update strategy for StatefulSet Pods | `{"type": "RollingUpdate"}` |
| `statefulset.podManagementPolicy` | `OrderedReady`/`Parallel` Pods creation/deletion order | `Parallel` |
| `statefulset.budget.maxUnavailable` | k8s PodDisruptionBudget parameter | `1` |
| `statefulset.args` | Extra command-line arguments | `[]` |
| `statefulset.env` | Extra env vars | `[]` |
| `statefulset.secretMounts` | Additional Secrets to mount at cluster members | `[]` |
| `statefulset.labels` | Additional labels of StatefulSet and its Pods | `{"app.kubernetes.io/component": "cockroachdb"}` |
| `statefulset.annotations` | Additional annotations of StatefulSet Pods | `{}` |
| `statefulset.nodeAffinity` | [Node affinity rules][2] of StatefulSet Pods | `{}` |
| `statefulset.podAffinity` | [Inter-Pod affinity rules][1] of StatefulSet Pods | `{}` |
| `statefulset.podAntiAffinity` | [Anti-affinity rules][1] of StatefulSet Pods | auto |
| `statefulset.podAntiAffinity.topologyKey` | The topologyKey for auto [anti-affinity rules][1] | `kubernetes.io/hostname` |
| `statefulset.podAntiAffinity.type` | Type of auto [anti-affinity rules][1] | `soft` |
| `statefulset.podAntiAffinity.weight` | Weight for `soft` auto [anti-affinity rules][1] | `100` |
| `statefulset.nodeSelector` | Node labels for StatefulSet Pods assignment | `{}` |
| `statefulset.priorityClassName` | [PriorityClassName][4] for StatefulSet Pods | `""` |
| `statefulset.tolerations` | Node taints to tolerate by StatefulSet Pods | `[]` |
| `statefulset.topologySpreadConstraints` | [Topology Spread Constraints rules][5] of StatefulSet Pods | auto |
| `statefulset.topologySpreadConstraints.maxSkew` | Degree to which Pods may be unevenly distributed | `1` |
| `statefulset.topologySpreadConstraints.topologyKey` | The key of node labels | `topology.kubernetes.io/zone` |
| `statefulset.topologySpreadConstraints.whenUnsatisfiable` | `ScheduleAnyway`/`DoNotSchedule` for unsatisfiable constraints | `ScheduleAnyway` |
| `statefulset.resources` | Resource requests and limits for StatefulSet Pods | `{}` |
| `statefulset.customLivenessProbe` | Custom Liveness probe | `{}` |
| `statefulset.customReadinessProbe` | Custom Rediness probe | `{}` |
| `statefulset.terminationGracePeriodSeconds` | Termination grace period for CRDB statefulset pods | `300` |
| `service.ports.grpc.external.port` | CockroachDB primary serving port in Services | `26257` |
| `service.ports.grpc.external.name` | CockroachDB primary serving port name in Services | `grpc` |
| `service.ports.grpc.internal.port` | CockroachDB inter-communication port in Services | `26257` |
| `service.ports.grpc.internal.name` | CockroachDB inter-communication port name in Services | `grpc-internal` |
| `service.ports.http.port` | CockroachDB HTTP port in Services | `8080` |
| `service.ports.http.name` | CockroachDB HTTP port name in Services | `http` |
| `service.public.type` | Public Service type | `ClusterIP` |
| `service.public.labels` | Additional labels of public Service | `{"app.kubernetes.io/component": "cockroachdb"}` |
| `service.public.annotations` | Additional annotations of public Service | `{}` |
| `service.discovery.labels` | Additional labels of discovery Service | `{"app.kubernetes.io/component": "cockroachdb"}` |
| `service.discovery.annotations` | Additional annotations of discovery Service | `{}` |
| `ingress.enabled` | Enable ingress resource for CockroachDB | `false` |
| `ingress.labels` | Additional labels of Ingress | `{}` |
| `ingress.annotations` | Additional annotations of Ingress | `{}` |
| `ingress.paths` | Paths for the default host | `[/]` |
| `ingress.hosts` | CockroachDB Ingress hostnames | `[]` |
| `ingress.tls[0].hosts` | CockroachDB Ingress tls hostnames | `nil` |
| `ingress.tls[0].secretName` | CockroachDB Ingress tls secret name | `nil` |
| `prometheus.enabled` | Enable automatic monitoring of all instances when Prometheus is running | `true` |
| `serviceMonitor.enabled` | Create [ServiceMonitor](https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/design.md#servicemonitor) Resource for scraping metrics using [PrometheusOperator](https://github.com/prometheus-operator/prometheus-operator/blob/master/Documentation/user-guides/getting-started.md#prometheus-operator) | `false` |
| `serviceMonitor.labels` | Additional labels of ServiceMonitor | `{}` |
| `serviceMonitor.annotations` | Additional annotations of ServiceMonitor | `{}` |
| `serviceMonitor.interval` | ServiceMonitor scrape metrics interval | `10s` |
| `serviceMonitor.scrapeTimeout` | ServiceMonitor scrape timeout | `nil` |
| `serviceMonitor.tlsConfig` | Additional TLS configuration of ServiceMonitor | `{}` |
| `serviceMonitor.namespaced` | Limit ServiceMonitor to current namespace | `false` |
| `storage.hostPath` | Absolute path on host to store data | `""` |
| `storage.persistentVolume.enabled` | Whether to use PersistentVolume to store data | `yes` |
| `storage.persistentVolume.size` | PersistentVolume size | `100Gi` |
| `storage.persistentVolume.storageClass` | PersistentVolume class | `""` |
| `storage.persistentVolume.labels` | Additional labels of PersistentVolumeClaim | `{}` |
| `storage.persistentVolume.annotations` | Additional annotations of PersistentVolumeClaim | `{}` |
| `init.labels` | Additional labels of init Job and its Pod | `{"app.kubernetes.io/component": "init"}` |
| `init.jobAnnotations` | Additional annotations of the init Job itself | `{}` |
| `init.annotations` | Additional annotations of the Pod of init Job | `{}` |
| `init.affinity` | [Affinity rules][2] of init Job Pod | `{}` |
| `init.nodeSelector` | Node labels for init Job Pod assignment | `{}` |
| `init.tolerations` | Node taints to tolerate by init Job Pod | `[]` |
| `init.resources` | Resource requests and limits for the `cluster-init` container | `{}` |
| `init.terminationGracePeriodSeconds` | Termination grace period for CRDB init job | `300` |
| `tls.enabled` | Whether to run securely using TLS certificates | `no` |
| `tls.serviceAccount.create` | Whether to create a new RBAC service account | `yes` |
| `tls.serviceAccount.name` | Name of RBAC service account to use | `""` |
| `tls.copyCerts.image` | Image used in copy certs init container | `busybox` |
| `tls.copyCerts.resources` | Resource requests and limits for the `copy-certs` container | `{}` |
| `tls.certs.provided` | Bring your own certs scenario, i.e certificates are provided | `no` |
| `tls.certs.clientRootSecret` | If certs are provided, secret name for client root cert | `cockroachdb-root` |
| `tls.certs.nodeSecret` | If certs are provided, secret name for node cert | `cockroachdb-node` |
| `tls.certs.tlsSecret` | Own certs are stored in TLS secret | `no` |
| `tls.certs.selfSigner.enabled` | Whether cockroachdb should generate its own self-signed certs | `true` |
| `tls.certs.selfSigner.caProvided` | Bring your own CA scenario. This CA will be used to generate node and client cert | `false` |
| `tls.certs.selfSigner.caSecret` | If CA is provided, secret name for CA cert | `""` |
| `tls.certs.selfSigner.minimumCertDuration` | Minimum cert duration for all the certs, all certs duration will be validated against this duration | `624h` |
| `tls.certs.selfSigner.caCertDuration` | Duration of CA cert in hour | `43824h` |
| `tls.certs.selfSigner.caCertExpiryWindow` | Expiry window of CA cert means a window before actual expiry in which CA cert should be rotated | `648h` |
| `tls.certs.selfSigner.clientCertDuration` | Duration of client cert in hour | `672h |
| `tls.certs.selfSigner.clientCertExpiryWindow` | Expiry window of client cert means a window before actual expiry in which client cert should be rotated | `48h` |
| `tls.certs.selfSigner.nodeCertDuration` | Duration of node cert in hour | `8760h` |
| `tls.certs.selfSigner.nodeCertExpiryWindow` | Expiry window of node cert means a window before actual expiry in which node certs should be rotated | `168h` |
| `tls.certs.selfSigner.rotateCerts` | Whether to rotate the certs generate by cockroachdb | `true` |
| `tls.certs.selfSigner.readinessWait` | Wait time for each cockroachdb replica to become ready once it comes in running state. Only considered when rotateCerts is set to true | `30s` |
| `tls.certs.selfSigner.podUpdateTimeout` | Wait time for each cockroachdb replica to get to running state. Only considered when rotateCerts is set to true | `2m` |
| `tls.certs.certManager` | Provision certificates with cert-manager | `false` |
| `tls.certs.certManagerIssuer.group` | IssuerRef group to use when generating certificates | `cert-manager.io` |
| `tls.certs.certManagerIssuer.kind` | IssuerRef kind to use when generating certificates | `Issuer` |
| `tls.certs.certManagerIssuer.name` | IssuerRef name to use when generating certificates | `cockroachdb` |
| `tls.certs.certManagerIssuer.caCertDuration` | Duration of CA cert in hour | `43824h` |
| `tls.certs.certManagerIssuer.caCertExpiryWindow` | Expiry window of CA cert means a window before actual expiry in which CA cert should be rotated | `648h` |
| `tls.certs.certManagerIssuer.clientCertDuration` | Duration of client cert in hours | `672h` |
| `tls.certs.certManagerIssuer.clientCertExpiryWindow` | Expiry window of client cert means a window before actual expiry in which client cert should be rotated | `48h` |
| `tls.certs.certManagerIssuer.nodeCertDuration` | Duration of node cert in hours | `8760h` |
| `tls.certs.certManagerIssuer.nodeCertExpiryWindow` | Expiry window of node certificates means a window before actual expiry in which node certs should be rotated. | `168h` |
| `tls.selfSigner.image.repository` | Image to use for self signing TLS certificates | `cockroachlabs-helm-charts/cockroach-self-signer-cert`|
| `tls.selfSigner.image.tag` | Image tag to use for self signing TLS certificates | `0.1` |
| `tls.selfSigner.image.pullPolicy` | Self signing TLS certificates container pull policy | `IfNotPresent` |
| `tls.selfSigner.image.credentials` | `registry`, `user` and `pass` credentials to pull private image | `{}` |
| `networkPolicy.enabled` | Enable NetworkPolicy for CockroachDB's Pods | `no` |
| `networkPolicy.ingress.grpc` | Whitelist resources to access gRPC port of CockroachDB's Pods | `[]` |
| `networkPolicy.ingress.http` | Whitelist resources to access gRPC port of CockroachDB's Pods | `[]` |
Override the default parameters using the `--set key=value[,key=value]` argument to `helm install`.
Alternatively, a YAML file that specifies custom values for the parameters can be provided while installing the chart. For example:
```shell
helm install my-release -f my-values.yaml cockroachdb/cockroachdb
```
> **Tip**: You can use the default [values.yaml](values.yaml)
## Deep dive
### Connecting to the CockroachDB cluster
Once you've created the cluster, you can start talking to it by connecting to its `-public` Service. CockroachDB is PostgreSQL wire protocol compatible, so there's a [wide variety of supported clients](https://www.cockroachlabs.com/docs/install-client-drivers.html). As an example, we'll open up a SQL shell using CockroachDB's built-in shell and play around with it a bit, like this (likely needing to replace `my-release-cockroachdb-public` with the name of the `-public` Service that was created with your installed chart):
```shell
kubectl run cockroach-client --rm -it \
--image=cockroachdb/cockroach \
--restart=Never \
-- sql --insecure --host my-release-cockroachdb-public
```
```
Waiting for pod default/cockroach-client to be running, status is Pending,
pod ready: false
If you don't see a command prompt, try pressing enter.
root@my-release-cockroachdb-public:26257> SHOW DATABASES;
+--------------------+
| Database |
+--------------------+
| information_schema |
| pg_catalog |
| system |
+--------------------+
(3 rows)
root@my-release-cockroachdb-public:26257> CREATE DATABASE bank;
CREATE DATABASE
root@my-release-cockroachdb-public:26257> CREATE TABLE bank.accounts (id INT
PRIMARY KEY, balance DECIMAL);
CREATE TABLE
root@my-release-cockroachdb-public:26257> INSERT INTO bank.accounts VALUES
(1234, 10000.50);
INSERT 1
root@my-release-cockroachdb-public:26257> SELECT * FROM bank.accounts;
+------+---------+
| id | balance |
+------+---------+
| 1234 | 10000.5 |
+------+---------+
(1 row)
root@my-release-cockroachdb-public:26257> \q
Waiting for pod default/cockroach-client to terminate, status is Running
pod "cockroach-client" deleted
```
> If you are running in secure mode, you will have to provide a client certificate to the cluster in order to authenticate, so the above command will not work. See [here](https://github.com/cockroachdb/cockroach/blob/master/cloud/kubernetes/client-secure.yaml) for an example of how to set up an interactive SQL shell against a secure cluster or [here](https://github.com/cockroachdb/cockroach/blob/master/cloud/kubernetes/example-app-secure.yaml) for an example application connecting to a secure cluster.
### Cluster health
Because our pod spec includes regular health checks of the CockroachDB processes, simply running `kubectl get pods` and looking at the `STATUS` column is sufficient to determine the health of each instance in the cluster.
If you want more detailed information about the cluster, the best place to look is the Admin UI.
### Accessing the Admin UI
If you want to see information about how the cluster is doing, you can try pulling up the CockroachDB Admin UI by port-forwarding from your local machine to one of the pods (replacing `my-release-cockroachdb-0` with the name of one of your pods:
```shell
kubectl port-forward my-release-cockroachdb-0 8080
```
You should then be able to access the Admin UI by visiting <http://localhost:8080/> in your web browser.
### Failover
If any CockroachDB member fails, it is restarted or recreated automatically by the Kubernetes infrastructure, and will re-join the cluster automatically when it comes back up. You can test this scenario by killing any of the CockroachDB pods:
```shell
kubectl delete pod my-release-cockroachdb-1
```
```shell
kubectl get pods -l "app.kubernetes.io/instance=my-release,app.kubernetes.io/component=cockroachdb"
```
```
NAME READY STATUS RESTARTS AGE
my-release-cockroachdb-0 1/1 Running 0 5m
my-release-cockroachdb-2 1/1 Running 0 5m
```
After a while:
```shell
kubectl get pods -l "app.kubernetes.io/instance=my-release,app.kubernetes.io/component=cockroachdb"
```
```
NAME READY STATUS RESTARTS AGE
my-release-cockroachdb-0 1/1 Running 0 5m
my-release-cockroachdb-1 1/1 Running 0 20s
my-release-cockroachdb-2 1/1 Running 0 5m
```
You can check the state of re-joining from the new pod's logs:
```shell
kubectl logs my-release-cockroachdb-1
```
```
[...]
I161028 19:32:09.754026 1 server/node.go:586 [n1] node connected via gossip and
verified as part of cluster {"35ecbc27-3f67-4e7d-9b8f-27c31aae17d6"}
[...]
cockroachdb-0.my-release-cockroachdb.default.svc.cluster.local:26257
build: beta-20161027-55-gd2d3c7f @ 2016/10/28 19:27:25 (go1.7.3)
admin: http://0.0.0.0:8080
sql:
postgresql://root@my-release-cockroachdb-1.my-release-cockroachdb.default.svc.cluster.local:26257?sslmode=disable
logs: cockroach-data/logs
store[0]: path=cockroach-data
status: restarted pre-existing node
clusterID: {35ecbc27-3f67-4e7d-9b8f-27c31aae17d6}
nodeID: 2
[...]
```
### NetworkPolicy
To enable NetworkPolicy for CockroachDB, install [a networking plugin that implements the Kubernetes NetworkPolicy spec](https://kubernetes.io/docs/tasks/administer-cluster/declare-network-policy#before-you-begin), and set `networkPolicy.enabled` to `yes`/`true`.
For Kubernetes v1.5 & v1.6, you must also turn on NetworkPolicy by setting the `DefaultDeny` Namespace annotation. Note: this will enforce policy for _all_ pods in the Namespace:
```shell
kubectl annotate namespace default "net.beta.kubernetes.io/network-policy={\"ingress\":{\"isolation\":\"DefaultDeny\"}}"
```
For more precise policy, set `networkPolicy.ingress.grpc` and `networkPolicy.ingress.http` rules. This will only allow pods that match the provided rules to connect to CockroachDB.
### Scaling
Scaling should be managed via the `helm upgrade` command. After resizing your cluster on your cloud environment (e.g., GKE or EKS), run the following command to add a pod. This assumes you scaled from 3 to 4 nodes:
```shell
helm upgrade \
my-release \
cockroachdb/cockroachdb \
--set statefulset.replicas=4 \
--reuse-values
```
Note, that if you are running in secure mode (`tls.enabled` is `yes`/`true`) and increase the size of your cluster, you will also have to approve the CSR (certificate-signing request) of each new node (using `kubectl get csr` and `kubectl certificate approve`).
[1]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity
[2]: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity
[3]: https://cert-manager.io/
[4]: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
[5]: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
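Review bot: in the manual-certificate procedure under "Manual", `kubectl create secret generic cockroachdb-node --from-file=certs` runs after `cockroach cert create-client root` has already written `client.root.crt` and `client.root.key` into the same `certs` directory, so the node secret that is mounted into every CockroachDB pod also carries the root client private key; use a separate directory for the node certificate (or remove the client files before creating the node secret) so that only `ca.crt`, `node.crt` and `node.key` reach the nodes. Further points in this file, all of which belong in build/templates/README.md since the header marks this as generated: the cert-manager example uses `apiVersion: cert-manager.io/v1alpha3`, an API version cert-manager removed in 1.6, and should be `cert-manager.io/v1`; the pre-3.0.0 upgrade command uses Helm 2's `-x` flag (Helm 3 spells it `--show-only`) and yq v3's `yq r` syntax even though the document requires Helm 3; the `kubectl run ... --image=cockroachdb/cockroach` invocations in the upgrade section pull an unpinned `latest` tag, where an upgrade walkthrough should pin the explicit `$new_version` tag it is about to roll out; the `DefaultDeny` namespace annotation under NetworkPolicy and the "approve the CSR of each new node" note under Scaling describe Kubernetes 1.5/1.6 behaviour and the CSR-based certificate flow, which the self-signer mode described under "Running in secure mode" (certificates generated by the utility and stored in a Secret) does not go through; and in the parameter table `networkPolicy.ingress.http` is described as the gRPC port (copied from the line above), `conf.max-sql-memory` reads "querie", `customReadinessProbe` reads "Rediness", and the `clientCertDuration` default `672h` is missing its closing backtick, which breaks the table cell.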


@ -0,0 +1,9 @@
# CockroachDB Chart
CockroachDB is a Distributed SQL database that runs natively in Kubernetes. It gives you resilient, horizontal scale across multiple clouds with always-on availability and data partitioned by location.
CockroachDB scales horizontally without reconfiguration or need for a massive architectural overhaul. Simply add a new node to the cluster and CockroachDB takes care of the underlying complexity.
- Scale by simply adding new nodes to a CockroachDB cluster
- Automate balancing and distribution of ranges, not shards
- Optimize server utilization evenly across all nodes

View File

@ -0,0 +1,50 @@
CockroachDB can be accessed via port {{ .Values.service.ports.grpc.external.port }} at the
following DNS name from within your cluster:
{{ template "cockroachdb.fullname" . }}-public.{{ .Release.Namespace }}.svc.cluster.local
Because CockroachDB supports the PostgreSQL wire protocol, you can connect to
the cluster using any available PostgreSQL client.
{{- if not .Values.tls.enabled }}
For example, you can open up a SQL shell to the cluster by running:
kubectl run -it --rm cockroach-client \
--image=cockroachdb/cockroach \
--restart=Never \
{{- if .Values.networkPolicy.enabled }}
--labels="{{ template "cockroachdb.fullname" . }}-client=true" \
{{- end }}
--command -- \
./cockroach sql --insecure --host={{ template "cockroachdb.fullname" . }}-public.{{ .Release.Namespace }}
From there, you can interact with the SQL shell as you would any other SQL
shell, confident that any data you write will be safe and available even if
parts of your cluster fail.
{{- else }}
Note that because the cluster is running in secure mode, any client application
that you attempt to connect will either need to have a valid client certificate
or a valid username and password.
{{- end }}
{{- if and (.Values.networkPolicy.enabled) (not (empty .Values.networkPolicy.ingress.grpc)) }}
Note: Since NetworkPolicy is enabled, the only Pods allowed to connect to this
CockroachDB cluster are:
1. Having the label: "{{ template "cockroachdb.fullname" . }}-client=true"
2. Matching the following rules: {{- toYaml .Values.networkPolicy.ingress.grpc | nindent 0 }}
{{- end }}
Finally, to open up the CockroachDB admin UI, you can port-forward from your
local machine into one of the instances in the cluster:
kubectl port-forward -n {{ .Release.Namespace }} {{ template "cockroachdb.fullname" . }}-0 {{ index .Values.conf `http-port` | int64 }}
Then you can access the admin UI at http{{ if .Values.tls.enabled }}s{{ end }}://localhost:{{ index .Values.conf `http-port` | int64 }}/ in your web browser.
For more information on using CockroachDB, please see the project's docs at:
https://www.cockroachlabs.com/docs/
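Review bot: the SQL-shell example uses `--image=cockroachdb/cockroach` with no tag, so `kubectl run` pulls `latest`, an unpinned image that can differ from the deployed server version and can change underneath the operator between runs; render it from the values the chart already consults elsewhere, e.g. `--image={{ .Values.image.repository }}:{{ .Values.image.tag }}`, so the client matches the cluster and the pull is reproducible.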

View File

@ -0,0 +1,291 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "cockroachdb.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 56 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name.
*/}}
{{- define "cockroachdb.fullname" -}}
{{- if .Values.fullnameOverride -}}
{{- .Values.fullnameOverride | trunc 56 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- .Release.Name | trunc 56 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s" .Release.Name $name | trunc 56 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified app name for cluster scope resource.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
If release name contains chart name it will be used as a full name with release namespace appended at the end.
*/}}
{{- define "cockroachdb.clusterfullname" -}}
{{- if .Values.fullnameOverride -}}
{{- printf "%s-%s" .Values.fullnameOverride .Release.Namespace | trunc 56 | trimSuffix "-" -}}
{{- else -}}
{{- $name := default .Chart.Name .Values.nameOverride -}}
{{- if contains $name .Release.Name -}}
{{- printf "%s-%s" .Release.Name .Release.Namespace | trunc 56 | trimSuffix "-" -}}
{{- else -}}
{{- printf "%s-%s-%s" .Release.Name $name .Release.Namespace | trunc 56 | trimSuffix "-" -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "cockroachdb.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 56 | trimSuffix "-" -}}
{{- end -}}
{{/*
Create the name of the ServiceAccount to use.
*/}}
{{- define "cockroachdb.serviceAccount.name" -}}
{{- if .Values.statefulset.serviceAccount.create -}}
{{- default (include "cockroachdb.fullname" .) .Values.statefulset.serviceAccount.name -}}
{{- else -}}
{{- default "default" .Values.statefulset.serviceAccount.name -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for NetworkPolicy.
*/}}
{{- define "cockroachdb.networkPolicy.apiVersion" -}}
{{- if semverCompare ">=1.4-0, <=1.7-0" .Capabilities.KubeVersion.Version -}}
{{- print "extensions/v1beta1" -}}
{{- else if semverCompare "^1.7-0" .Capabilities.KubeVersion.Version -}}
{{- print "networking.k8s.io/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return the appropriate apiVersion for StatefulSets
*/}}
{{- define "cockroachdb.statefulset.apiVersion" -}}
{{- if semverCompare "<1.12-0" .Capabilities.KubeVersion.Version -}}
{{- print "apps/v1beta1" -}}
{{- else -}}
{{- print "apps/v1" -}}
{{- end -}}
{{- end -}}
{{/*
Return CockroachDB store expression
*/}}
{{- define "cockroachdb.conf.store" -}}
{{- $isInMemory := eq (.Values.conf.store.type | toString) "mem" -}}
{{- $persistentSize := empty .Values.conf.store.size | ternary .Values.storage.persistentVolume.size .Values.conf.store.size -}}
{{- $store := dict -}}
{{- $_ := set $store "type" ($isInMemory | ternary "type=mem" "") -}}
{{- $_ := set $store "path" ($isInMemory | ternary "" (print "path=" .Values.conf.path)) -}}
{{- $_ := set $store "size" (print "size=" ($isInMemory | ternary .Values.conf.store.size $persistentSize)) -}}
{{- $_ := set $store "attrs" (empty .Values.conf.store.attrs | ternary "" (print "attrs=" .Values.conf.store.attrs)) -}}
{{ compact (values $store) | join "," }}
{{- end -}}
{{/*
Define the default values for the certificate selfSigner inputs
*/}}
{{- define "selfcerts.fullname" -}}
{{- printf "%s-%s" (include "cockroachdb.fullname" .) "self-signer" | trunc 56 | trimSuffix "-" -}}
{{- end -}}
{{- define "rotatecerts.fullname" -}}
{{- printf "%s-%s" (include "cockroachdb.fullname" .) "rotate-self-signer" | trunc 56 | trimSuffix "-" -}}
{{- end -}}
{{- define "selfcerts.minimumCertDuration" -}}
{{- if .Values.tls.certs.selfSigner.minimumCertDuration -}}
{{- print (.Values.tls.certs.selfSigner.minimumCertDuration | trimSuffix "h") -}}
{{- else }}
{{- $minCertDuration := min (sub (.Values.tls.certs.selfSigner.clientCertDuration | trimSuffix "h" ) (.Values.tls.certs.selfSigner.clientCertExpiryWindow | trimSuffix "h")) (sub (.Values.tls.certs.selfSigner.nodeCertDuration | trimSuffix "h") (.Values.tls.certs.selfSigner.nodeCertExpiryWindow | trimSuffix "h")) -}}
{{- print $minCertDuration -}}
{{- end }}
{{- end -}}
{{/*
Define the cron schedules for certificate rotate jobs and converting from hours to valid cron string.
We assume that each month has 31 days, hence the cron job may run few days earlier in a year. In a cron schedule,
we can not set a cron of more than a year, hence we try to run the cron in such a way that the cron run comes to
as close possible to the expiry window. However, it is possible that cron may run earlier than the expiry window.
*/}}
{{- define "selfcerts.caRotateSchedule" -}}
{{- $tempHours := sub (.Values.tls.certs.selfSigner.caCertDuration | trimSuffix "h") (.Values.tls.certs.selfSigner.caCertExpiryWindow | trimSuffix "h") -}}
{{- $days := "*" -}}
{{- $months := "*" -}}
{{- $hours := mod $tempHours 24 -}}
{{- if not (eq $hours $tempHours) -}}
{{- $tempDays := div $tempHours 24 -}}
{{- $days = mod $tempDays 31 -}}
{{- if not (eq $days $tempDays) -}}
{{- $days = add $days 1 -}}
{{- $tempMonths := div $tempDays 31 -}}
{{- $months = mod $tempMonths 12 -}}
{{- if not (eq $months $tempMonths) -}}
{{- $months = add $months 1 -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if ne (toString $months) "*" -}}
{{- $months = printf "*/%s" (toString $months) -}}
{{- else -}}
{{- if ne (toString $days) "*" -}}
{{- $days = printf "*/%s" (toString $days) -}}
{{- else -}}
{{- if ne $hours 0 -}}
{{- $hours = printf "*/%s" (toString $hours) -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- printf "0 %s %s %s *" (toString $hours) (toString $days) (toString $months) -}}
{{- end -}}
{{- define "selfcerts.clientRotateSchedule" -}}
{{- $tempHours := int64 (include "selfcerts.minimumCertDuration" .) -}}
{{- $days := "*" -}}
{{- $months := "*" -}}
{{- $hours := mod $tempHours 24 -}}
{{- if not (eq $hours $tempHours) -}}
{{- $tempDays := div $tempHours 24 -}}
{{- $days = mod $tempDays 31 -}}
{{- if not (eq $days $tempDays) -}}
{{- $days = add $days 1 -}}
{{- $tempMonths := div $tempDays 31 -}}
{{- $months = mod $tempMonths 12 -}}
{{- if not (eq $months $tempMonths) -}}
{{- $months = add $months 1 -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if ne (toString $months) "*" -}}
{{- $months = printf "*/%s" (toString $months) -}}
{{- else -}}
{{- if ne (toString $days) "*" -}}
{{- $days = printf "*/%s" (toString $days) -}}
{{- else -}}
{{- if ne $hours 0 -}}
{{- $hours = printf "*/%s" (toString $hours) -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- printf "0 %s %s %s *" (toString $hours) (toString $days) (toString $months) -}}
{{- end -}}
{{/*
Define the appropriate validations for the certificate selfSigner inputs
*/}}
{{/*
Validate that if caProvided is true, then the caSecret must not be empty and secret must be present in the namespace.
*/}}
{{- define "cockroachdb.tls.certs.selfSigner.caProvidedValidation" -}}
{{- if .Values.tls.certs.selfSigner.caProvided -}}
{{- if eq "" .Values.tls.certs.selfSigner.caSecret -}}
{{ fail "CA secret can't be empty if caProvided is set to true" }}
{{- else -}}
{{- if not (lookup "v1" "Secret" .Release.Namespace .Values.tls.certs.selfSigner.caSecret) }}
{{ fail "CA secret is not present in the release namespace" }}
{{- end }}
{{- end -}}
{{- end -}}
{{- end -}}
{{/*
Validate that if caCertDuration or caCertExpiryWindow must not be empty and caCertExpiryWindow must be greater than
minimumCertDuration.
*/}}
{{- define "cockroachdb.tls.certs.selfSigner.caCertValidation" -}}
{{- if not .Values.tls.certs.selfSigner.caProvided -}}
{{- if or (not .Values.tls.certs.selfSigner.caCertDuration) (not .Values.tls.certs.selfSigner.caCertExpiryWindow) }}
{{ fail "CA cert duration or CA cert expiry window can not be empty" }}
{{- else }}
{{- if gt (int64 (include "selfcerts.minimumCertDuration" .)) (int64 (.Values.tls.certs.selfSigner.caCertExpiryWindow | trimSuffix "h")) -}}
{{ fail "CA cert expiration window should not be less than minimum Cert duration" }}
{{- end -}}
{{- if gt (int64 (include "selfcerts.minimumCertDuration" .)) (sub (.Values.tls.certs.selfSigner.caCertDuration | trimSuffix "h") (.Values.tls.certs.selfSigner.caCertExpiryWindow | trimSuffix "h")) -}}
{{ fail "CA cert Duration minus CA cert expiration window should not be less than minimum Cert duration" }}
{{- end -}}
{{- end -}}
{{- end }}
{{- end -}}
{{/*
Validate that if clientCertDuration must not be empty and it must be greater than minimumCertDuration.
*/}}
{{- define "cockroachdb.tls.certs.selfSigner.clientCertValidation" -}}
{{- if or (not .Values.tls.certs.selfSigner.clientCertDuration) (not .Values.tls.certs.selfSigner.clientCertExpiryWindow) }}
{{ fail "Client cert duration can not be empty" }}
{{- else }}
{{- if lt (sub (.Values.tls.certs.selfSigner.clientCertDuration | trimSuffix "h") (.Values.tls.certs.selfSigner.clientCertExpiryWindow | trimSuffix "h")) (int64 (include "selfcerts.minimumCertDuration" .)) }}
{{ fail "Client cert duration minus client cert expiry window should not be less than minimum Cert duration" }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Validate that nodeCertDuration must not be empty and nodeCertDuration minus nodeCertExpiryWindow must be greater than minimumCertDuration.
*/}}
{{- define "cockroachdb.tls.certs.selfSigner.nodeCertValidation" -}}
{{- if or (not .Values.tls.certs.selfSigner.nodeCertDuration) (not .Values.tls.certs.selfSigner.nodeCertExpiryWindow) }}
{{ fail "Node cert duration can not be empty" }}
{{- else }}
{{- if lt (sub (.Values.tls.certs.selfSigner.nodeCertDuration | trimSuffix "h") (.Values.tls.certs.selfSigner.nodeCertExpiryWindow | trimSuffix "h")) (int64 (include "selfcerts.minimumCertDuration" .))}}
{{ fail "Node cert duration minus node cert expiry window should not be less than minimum Cert duration" }}
{{- end }}
{{- end }}
{{- end -}}
{{/*
Validate that if user enabled tls, then either self-signed certificates or certificate manager is enabled
*/}}
{{- define "cockroachdb.tlsValidation" -}}
{{- if .Values.tls.enabled -}}
{{- if and .Values.tls.certs.selfSigner.enabled .Values.tls.certs.certManager -}}
{{ fail "Can not enable the self signed certificates and certificate manager at the same time" }}
{{- end -}}
{{- if and (not .Values.tls.certs.selfSigner.enabled) (not .Values.tls.certs.certManager) -}}
{{- if not .Values.tls.certs.provided -}}
{{ fail "You have to enable either self signed certificates or certificate manager, if you have enabled tls" }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "cockroachdb.tls.certs.selfSigner.validation" -}}
{{ include "cockroachdb.tls.certs.selfSigner.caProvidedValidation" . }}
{{ include "cockroachdb.tls.certs.selfSigner.caCertValidation" . }}
{{ include "cockroachdb.tls.certs.selfSigner.clientCertValidation" . }}
{{ include "cockroachdb.tls.certs.selfSigner.nodeCertValidation" . }}
{{- end -}}
{{- define "cockroachdb.securityContext.versionValidation" }}
{{- /* Allow using `securityContext` for custom images. */}}
{{- if ne "cockroachdb/cockroach" .Values.image.repository -}}
{{ print true }}
{{- else -}}
{{- if semverCompare ">=22.1.2" .Values.image.tag -}}
{{ print true }}
{{- else -}}
{{- if semverCompare ">=21.2.13, <22.1.0" .Values.image.tag -}}
{{ print true }}
{{- else -}}
{{ print false }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
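Review bot: `cockroachdb.tls.certs.selfSigner.caProvidedValidation` calls `lookup` for the CA Secret and fails the render when nothing comes back, but `lookup` returns an empty result during `helm template` and client-side `--dry-run`, so any values file with `caProvided: true` can no longer be templated, diffed or linted offline and always dies with "CA secret is not present in the release namespace"; skip the check when the result is empty (or run it only with a server-side dry run) and let the generate Job report a genuinely missing Secret. Two smaller points: `cockroachdb.securityContext.versionValidation` passes `.Values.image.tag` straight to `semverCompare`, which errors out and aborts rendering for any non-semver tag such as `latest` or a digest pin, so either document that `image.tag` must be semver or take the custom-image branch when it is not; and the comments on `cockroachdb.fullname` and `cockroachdb.clusterfullname` say "truncate at 63 chars" while the code uses `trunc 56`, presumably to leave room for the `-public` and `-self-signer` suffixes, which the comment should state.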

View File

@ -0,0 +1,21 @@
{{- if .Values.iap.enabled }}
apiVersion: cloud.google.com/v1beta1
kind: BackendConfig
metadata:
name: {{ template "cockroachdb.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
iap:
enabled: true
oauthclientCredentials:
secretName: {{ template "cockroachdb.fullname" . }}.iap
timeoutSec: 120
{{- end }}
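Review bot: `oauthclientCredentials.secretName` points at `<fullname>.iap`, a Secret that nothing in this commit creates, so `iap.enabled` yields a BackendConfig referencing a credential that does not exist unless the operator pre-creates it with the `client_id` and `client_secret` keys; document that prerequisite next to `iap.enabled`, and confirm the `-public` Service carries the `cloud.google.com/backend-config` annotation naming this object, because a BackendConfig that no Service references is never applied and the admin UI is published without IAP in front of it. `apiVersion: cloud.google.com/v1beta1` can also move to `cloud.google.com/v1`, which GKE has served for several releases.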

View File

@ -0,0 +1,33 @@
{{- if and .Values.tls.enabled .Values.tls.certs.certManager }}
{{- if .Values.tls.certs.certManagerIssuer.isSelfSignedIssuer }}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ template "cockroachdb.fullname" . }}-ca-cert
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
duration: {{ .Values.tls.certs.certManagerIssuer.caCertDuration }}
renewBefore: {{ .Values.tls.certs.certManagerIssuer.caCertExpiryWindow }}
isCA: true
secretName: {{ .Values.tls.certs.caSecret }}
privateKey:
algorithm: ECDSA
size: 256
commonName: root
subject:
organizations:
- Cockroach
issuerRef:
name: {{ .Values.tls.certs.certManagerIssuer.name }}
kind: {{ .Values.tls.certs.certManagerIssuer.kind }}
group: {{ .Values.tls.certs.certManagerIssuer.group }}
{{- end }}
{{- end }}
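Review bot: the CA Certificate is issued with `commonName: root` and `organizations: [Cockroach]`, the exact Subject the root client Certificate in this commit also uses, so the root client ends up with Subject equal to Issuer and is indistinguishable from the CA by name in logs, audit trails and path-building output; CockroachDB requires the client CN to match the SQL user, so change the CA side instead (for example `commonName: cockroachdb-ca` or the release fullname). Also note in a comment that renewing this CA certificate does not re-issue the node and client certificates and their bundled `ca.crt` is only refreshed at their own renewal, so `caCertExpiryWindow` must be long enough to cover a full node and client renewal cycle or nodes will distrust each other after a CA rollover.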

View File

@ -0,0 +1,40 @@
{{- if and .Values.tls.enabled .Values.tls.certs.certManager }}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ template "cockroachdb.fullname" . }}-root-client
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
duration: {{ .Values.tls.certs.certManagerIssuer.clientCertDuration }}
renewBefore: {{ .Values.tls.certs.certManagerIssuer.clientCertExpiryWindow }}
usages:
- digital signature
- key encipherment
- client auth
privateKey:
algorithm: RSA
size: 2048
commonName: root
subject:
organizations:
- Cockroach
secretName: {{ .Values.tls.certs.clientRootSecret }}
issuerRef:
{{- if .Values.tls.certs.certManagerIssuer.isSelfSignedIssuer }}
name: {{ template "cockroachdb.fullname" . }}-ca-issuer
kind: Issuer
group: cert-manager.io
{{- else }}
name: {{ .Values.tls.certs.certManagerIssuer.name }}
kind: {{ .Values.tls.certs.certManagerIssuer.kind }}
group: {{ .Values.tls.certs.certManagerIssuer.group }}
{{- end }}
{{- end }}
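Review bot: the root client Certificate sets no `privateKey.rotationPolicy`, and cert-manager's default is `Never`, so every renewal re-signs the same RSA key for the lifetime of the release; for a credential that grants `root` on the database, set `rotationPolicy: Always` so a renewal also replaces the key and bounds how long a leaked key stays useful. `key encipherment` is harmless with RSA but is never exercised by a TLS client certificate; `digital signature` plus `client auth` is sufficient.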

View File

@ -0,0 +1,20 @@
{{- if and .Values.tls.enabled .Values.tls.certs.certManager }}
{{- if .Values.tls.certs.certManagerIssuer.isSelfSignedIssuer }}
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ template "cockroachdb.fullname" . }}-ca-issuer
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
ca:
secretName: {{ .Values.tls.certs.caSecret }}
{{- end }}
{{- end }}

View File

@ -0,0 +1,50 @@
{{- if and .Values.tls.enabled .Values.tls.certs.certManager }}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ template "cockroachdb.fullname" . }}-node
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
duration: {{ .Values.tls.certs.certManagerIssuer.nodeCertDuration }}
renewBefore: {{ .Values.tls.certs.certManagerIssuer.nodeCertExpiryWindow }}
usages:
- digital signature
- key encipherment
- server auth
- client auth
privateKey:
algorithm: RSA
size: 2048
commonName: node
subject:
organizations:
- Cockroach
dnsNames:
- "localhost"
- "127.0.0.1"
- {{ printf "%s-public" (include "cockroachdb.fullname" .) | quote }}
- {{ printf "%s-public.%s" (include "cockroachdb.fullname" .) .Release.Namespace | quote }}
- {{ printf "%s-public.%s.svc.%s" (include "cockroachdb.fullname" .) .Release.Namespace .Values.clusterDomain | quote }}
- {{ printf "*.%s" (include "cockroachdb.fullname" .) | quote }}
- {{ printf "*.%s.%s" (include "cockroachdb.fullname" .) .Release.Namespace | quote }}
- {{ printf "*.%s.%s.svc.%s" (include "cockroachdb.fullname" .) .Release.Namespace .Values.clusterDomain | quote }}
secretName: {{ .Values.tls.certs.nodeSecret }}
issuerRef:
{{- if .Values.tls.certs.certManagerIssuer.isSelfSignedIssuer }}
name: {{ template "cockroachdb.fullname" . }}-ca-issuer
kind: Issuer
group: cert-manager.io
{{- else }}
name: {{ .Values.tls.certs.certManagerIssuer.name }}
kind: {{ .Values.tls.certs.certManagerIssuer.kind }}
group: {{ .Values.tls.certs.certManagerIssuer.group }}
{{- end }}
{{- end }}
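Review bot: `dnsNames` lists `"127.0.0.1"`, which is encoded as a dNSName SAN; Go's hostname verification (and therefore CockroachDB and its clients) only matches an IP literal against iPAddress SANs, so a verified connection to `--host=127.0.0.1` still fails and the entry buys nothing. Move it to `ipAddresses:`, the cert-manager field for IP SANs. The `rotationPolicy` remark on the root client Certificate applies here as well, and since these certificates also carry `client auth` for node-to-node authentication the same key-reuse concern holds.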

View File

@ -0,0 +1,19 @@
{{- if and .Values.tls.enabled (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager) }}
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "cockroachdb.clusterfullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups: ["certificates.k8s.io"]
resources: ["certificatesigningrequests"]
verbs: ["create", "get", "watch"]
{{- end }}
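Review bot: this ClusterRole is rendered whenever TLS is on and neither `provided` nor `certManager` is set, which includes the self-signer path, yet the self-signer Jobs in this commit run under their own ServiceAccounts and issue the certificates themselves; if the StatefulSet never submits Kubernetes CSRs in that mode, the binding that follows hands the database pods' ServiceAccount cluster-wide `create`/`get`/`watch` on `certificatesigningrequests` for nothing, so add `(not .Values.tls.certs.selfSigner.enabled)` to the guard unless the StatefulSet still depends on it. Also, `metadata.namespace` on a cluster-scoped ClusterRole is discarded by the API server and should be removed.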

View File

@ -0,0 +1,23 @@
{{- if and .Values.tls.enabled (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager) }}
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "cockroachdb.clusterfullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ template "cockroachdb.clusterfullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "cockroachdb.serviceAccount.name" . }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}
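Review bot: the subject here is `cockroachdb.serviceAccount.name`, which resolves to the namespace's `default` ServiceAccount whenever `statefulset.serviceAccount.create` is false, so in that configuration every other pod in the namespace that does not set a ServiceAccount inherits cluster-wide CSR creation rights; gate the binding on the CSR flow actually being in use and consider refusing to bind to `default` (or requiring `serviceAccount.create`). As with the ClusterRole, `metadata.namespace` is meaningless on a ClusterRoleBinding and is dropped by the API server.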

View File

@ -0,0 +1,62 @@
{{- if and .Values.tls.enabled (and .Values.tls.certs.selfSigner.enabled (not .Values.tls.certs.selfSigner.caProvided)) }}
{{- if .Values.tls.certs.selfSigner.rotateCerts }}
{{- if .Capabilities.APIVersions.Has "batch/v1/CronJob" }}
apiVersion: batch/v1
{{- else }}
apiVersion: batch/v1beta1
{{- end }}
kind: CronJob
metadata:
name: {{ template "rotatecerts.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
spec:
schedule: {{ template "selfcerts.caRotateSchedule" . }}
jobTemplate:
spec:
backoffLimit: 1
template:
metadata:
{{- with .Values.tls.selfSigner.labels }}
labels: {{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.tls.selfSigner.annotations }}
annotations: {{- toYaml . | nindent 12 }}
{{- end }}
spec:
restartPolicy: Never
{{- with .Values.tls.selfSigner.affinity }}
affinity: {{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.tls.selfSigner.nodeSelector }}
nodeSelector: {{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.tls.selfSigner.tolerations }}
tolerations: {{- toYaml . | nindent 12 }}
{{- end }}
containers:
- name: cert-rotate-job
image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}"
args:
- rotate
- --ca
- --ca-duration={{ .Values.tls.certs.selfSigner.caCertDuration }}
- --ca-expiry={{ .Values.tls.certs.selfSigner.caCertExpiryWindow }}
- --ca-cron={{ template "selfcerts.caRotateSchedule" . }}
- --readiness-wait={{ .Values.tls.certs.selfSigner.readinessWait }}
- --pod-update-timeout={{ .Values.tls.certs.selfSigner.podUpdateTimeout }}
env:
- name: STATEFULSET_NAME
value: {{ template "cockroachdb.fullname" . }}
- name: NAMESPACE
value: {{ .Release.Namespace }}
- name: CLUSTER_DOMAIN
value: {{ .Values.clusterDomain}}
serviceAccountName: {{ template "rotatecerts.fullname" . }}
{{- end }}
{{- end }}
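Review bot: unlike the `generate` Job later in this commit, this CronJob sets no pod or container `securityContext`, so the CA rotation runs as whatever the image defaults to, with privilege escalation and all capabilities available, while the one-shot Job gets `runAsNonRoot`, `seccompProfile: RuntimeDefault` and `drop: ["ALL"]`; apply the same `selfSigner.securityContext.enabled` block here, as this pod handles the CA private key. Also set `concurrencyPolicy: Forbid`, because the default `Allow` lets a second rotation start while an earlier one is still blocked on `--readiness-wait` or `--pod-update-timeout`, and add `successfulJobsHistoryLimit`/`failedJobsHistoryLimit` so finished pods do not accumulate.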

View File

@ -0,0 +1,69 @@
{{- if and .Values.tls.certs.selfSigner.enabled .Values.tls.certs.selfSigner.rotateCerts }}
{{- if .Capabilities.APIVersions.Has "batch/v1/CronJob" }}
apiVersion: batch/v1
{{- else }}
apiVersion: batch/v1beta1
{{- end }}
kind: CronJob
metadata:
name: {{ template "rotatecerts.fullname" . }}-client
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
spec:
schedule: {{ template "selfcerts.clientRotateSchedule" . }}
jobTemplate:
spec:
backoffLimit: 1
template:
metadata:
{{- with .Values.tls.selfSigner.labels }}
labels: {{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.tls.selfSigner.annotations }}
annotations: {{- toYaml . | nindent 12 }}
{{- end }}
spec:
restartPolicy: Never
{{- with .Values.tls.selfSigner.affinity }}
affinity: {{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.tls.selfSigner.nodeSelector }}
nodeSelector: {{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.tls.selfSigner.tolerations }}
tolerations: {{- toYaml . | nindent 12 }}
{{- end }}
containers:
- name: cert-rotate-job
image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}"
args:
- rotate
{{- if .Values.tls.certs.selfSigner.caProvided }}
- --ca-secret={{ .Values.tls.certs.selfSigner.caSecret }}
{{- else }}
- --ca-duration={{ .Values.tls.certs.selfSigner.caCertDuration }}
- --ca-expiry={{ .Values.tls.certs.selfSigner.caCertExpiryWindow }}
{{- end }}
- --client
- --client-duration={{ .Values.tls.certs.selfSigner.clientCertDuration }}
- --client-expiry={{ .Values.tls.certs.selfSigner.clientCertExpiryWindow }}
- --node
- --node-duration={{ .Values.tls.certs.selfSigner.nodeCertDuration }}
- --node-expiry={{ .Values.tls.certs.selfSigner.nodeCertExpiryWindow }}
- --node-client-cron={{ template "selfcerts.clientRotateSchedule" . }}
- --readiness-wait={{ .Values.tls.certs.selfSigner.readinessWait }}
- --pod-update-timeout={{ .Values.tls.certs.selfSigner.podUpdateTimeout }}
env:
- name: STATEFULSET_NAME
value: {{ template "cockroachdb.fullname" . }}
- name: NAMESPACE
value: {{ .Release.Namespace }}
- name: CLUSTER_DOMAIN
value: {{ .Values.clusterDomain}}
serviceAccountName: {{ template "rotatecerts.fullname" . }}
{{- end}}
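Review bot: the guard on the first line is `and .Values.tls.certs.selfSigner.enabled .Values.tls.certs.selfSigner.rotateCerts` without `.Values.tls.enabled`, while the CA rotation CronJob and the generate Job both require `tls.enabled`; with TLS disabled but `selfSigner.enabled` and `rotateCerts` left at their defaults this CronJob is still created and will try to rotate node and client certificates on a cluster that has none. Add `.Values.tls.enabled` to the condition; the `securityContext` and `concurrencyPolicy` remarks on the CA rotation CronJob apply here too.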

View File

@ -0,0 +1,90 @@
{{- if .Values.ingress.enabled -}}
{{- $paths := .Values.ingress.paths -}}
{{- $ports := .Values.service.ports -}}
{{- $fullName := include "cockroachdb.fullname" . -}}
{{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
apiVersion: networking.k8s.io/v1
{{- else if $.Capabilities.APIVersions.Has "networking.k8s.io/v1beta1/Ingress" }}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
{{- if or .Values.ingress.annotations .Values.iap.enabled }}
annotations:
{{- range $key, $value := .Values.ingress.annotations }}
{{ $key }}: {{ $value | quote }}
{{- end }}
{{- if .Values.iap.enabled }}
kubernetes.io/ingress.class: "gce"
kubernetes.io/ingress.allow-http: "false"
{{- end }}
{{- end }}
name: {{ $fullName }}-ingress
namespace: {{ .Release.Namespace }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ $.Release.Name | quote }}
app.kubernetes.io/managed-by: {{ $.Release.Service | quote }}
{{- if .Values.ingress.labels }}
{{- toYaml .Values.ingress.labels | nindent 4 }}
{{- end }}
spec:
rules:
{{- if .Values.ingress.hosts }}
{{- range $host := .Values.ingress.hosts }}
- host: {{ $host }}
http:
paths:
{{- range $path := $paths }}
- path: {{ $path | quote }}
{{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
{{- if $.Values.iap.enabled }}
pathType: ImplementationSpecific
{{- else }}
pathType: Prefix
{{- end }}
{{- end }}
backend:
{{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
service:
name: {{ $fullName }}-public
port:
name: {{ $ports.http.name | quote }}
{{- else }}
serviceName: {{ $fullName }}-public
servicePort: {{ $ports.http.name | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- else }}
- http:
paths:
{{- range $path := $paths }}
- path: {{ $path | quote }}
{{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
{{- if $.Values.iap.enabled }}
pathType: ImplementationSpecific
{{- else }}
pathType: Prefix
{{- end }}
{{- end }}
backend:
{{- if $.Capabilities.APIVersions.Has "networking.k8s.io/v1/Ingress" }}
service:
name: {{ $fullName }}-public
port:
name: {{ $ports.http.name | quote }}
{{- else }}
serviceName: {{ $fullName }}-public
servicePort: {{ $ports.http.name | quote }}
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- toYaml .Values.ingress.tls | nindent 4 }}
{{- end }}
{{- end }}
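Review bot: this Ingress publishes the admin UI (`$ports.http.name` on the `-public` Service), and nothing in the template requires `ingress.tls` or refuses plain HTTP unless `iap.enabled` adds `kubernetes.io/ingress.allow-http: "false"`; with `ingress.hosts` empty the `- http:` rule has no `host` and matches every Host header, so the default rendering is the admin console on cleartext HTTP for any name that resolves to the controller. Either fail the render when `ingress.enabled` is set without `ingress.tls` or `iap.enabled`, or state in `values.yaml` that `ingress.tls` is expected, and reconsider whether a host-less rule is a sensible default.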

View File

@ -0,0 +1,83 @@
{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "selfcerts.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# This is what defines this resource as a hook. Without this line, the
# job is considered part of the release.
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "4"
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
spec:
template:
metadata:
name: {{ template "selfcerts.fullname" . }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- with .Values.tls.selfSigner.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tls.selfSigner.annotations }}
annotations: {{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
securityContext:
seccompProfile:
type: "RuntimeDefault"
runAsGroup: 1000
runAsUser: 1000
fsGroup: 1000
runAsNonRoot: true
{{- end }}
restartPolicy: Never
{{- with .Values.tls.selfSigner.affinity }}
affinity: {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tls.selfSigner.nodeSelector }}
nodeSelector: {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tls.selfSigner.tolerations }}
tolerations: {{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: cert-generate-job
image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}"
args:
- generate
{{- if .Values.tls.certs.selfSigner.caProvided }}
- --ca-secret={{ .Values.tls.certs.selfSigner.caSecret }}
{{- else }}
- --ca-duration={{ .Values.tls.certs.selfSigner.caCertDuration }}
- --ca-expiry={{ .Values.tls.certs.selfSigner.caCertExpiryWindow }}
{{- end }}
- --client-duration={{ .Values.tls.certs.selfSigner.clientCertDuration }}
- --client-expiry={{ .Values.tls.certs.selfSigner.clientCertExpiryWindow }}
- --node-duration={{ .Values.tls.certs.selfSigner.nodeCertDuration }}
- --node-expiry={{ .Values.tls.certs.selfSigner.nodeCertExpiryWindow }}
env:
- name: STATEFULSET_NAME
value: {{ template "cockroachdb.fullname" . }}
- name: NAMESPACE
value: {{ .Release.Namespace | quote }}
- name: CLUSTER_DOMAIN
value: {{ .Values.clusterDomain}}
{{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
{{- end }}
serviceAccountName: {{ template "selfcerts.fullname" . }}
{{- end}}
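Review bot: the hardened `securityContext` blocks are opt-in behind `tls.certs.selfSigner.securityContext.enabled`, so by default the pod that generates the CA and node keys can run as root with all capabilities unless the operator knows to flip that flag; default it on, and add `readOnlyRootFilesystem: true` alongside `allowPrivilegeEscalation: false` if the image only writes to the Secrets API. The `and` in `{{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}` has a single operand and can be a plain `if`. Since the hook is `pre-install,pre-upgrade`, also confirm that `generate` is idempotent when the Secrets already exist; if it is not, every `helm upgrade` mints a new CA and the running nodes stop trusting each other.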

View File

@ -0,0 +1,70 @@
{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }}
apiVersion: batch/v1
kind: Job
metadata:
name: {{ template "selfcerts.fullname" . }}-cleaner
namespace: {{ .Release.Namespace | quote }}
annotations:
# This is what defines this resource as a hook. Without this line, the
# job is considered part of the release.
"helm.sh/hook": pre-delete
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
spec:
backoffLimit: 1
template:
metadata:
name: {{ template "selfcerts.fullname" . }}-cleaner
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- with .Values.tls.selfSigner.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tls.selfSigner.annotations }}
annotations: {{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
securityContext:
seccompProfile:
type: "RuntimeDefault"
runAsGroup: 1000
runAsUser: 1000
fsGroup: 1000
runAsNonRoot: true
{{- end }}
restartPolicy: Never
{{- with .Values.tls.selfSigner.affinity }}
affinity: {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tls.selfSigner.nodeSelector }}
nodeSelector: {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tls.selfSigner.tolerations }}
tolerations: {{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: cleaner
image: "{{ .Values.tls.selfSigner.image.registry }}/{{ .Values.tls.selfSigner.image.repository }}:{{ .Values.tls.selfSigner.image.tag }}"
imagePullPolicy: "{{ .Values.tls.selfSigner.image.pullPolicy }}"
args:
- cleanup
- --namespace={{ .Release.Namespace }}
env:
- name: STATEFULSET_NAME
value: {{ template "cockroachdb.fullname" . }}
{{- if and .Values.tls.certs.selfSigner.securityContext.enabled }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
{{- end }}
serviceAccountName: {{ template "rotatecerts.fullname" . }}
{{- end}}
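Review bot: `"helm.sh/hook-delete-policy": hook-succeeded,hook-failed` combined with `backoffLimit: 1` means a failed cleanup Job and its Pod are removed as soon as the second attempt fails, so there is nothing left to inspect when a pre-delete cleanup goes wrong. The init Job in this change uses `before-hook-creation`, which keeps the last run around for inspection and still avoids name clashes on the next run, at the cost of leaving the Job behind after the release is gone; that trade-off is worth making for a Job that deletes Secrets and Pods. Also, `--namespace={{ .Release.Namespace }}` is the only unquoted use of the namespace in this file (metadata uses `| quote`), and `{{- end}}` on the last line is missing the space the rest of the templates use.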


@ -0,0 +1,303 @@
{{ $isClusterInitEnabled := and (eq (len .Values.conf.join) 0) (not (index .Values.conf `single-node`)) }}
{{ $isDatabaseProvisioningEnabled := .Values.init.provisioning.enabled }}
{{- if or $isClusterInitEnabled $isDatabaseProvisioningEnabled }}
{{ template "cockroachdb.tlsValidation" . }}
kind: Job
apiVersion: batch/v1
metadata:
name: {{ template "cockroachdb.fullname" . }}-init
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- with .Values.init.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
helm.sh/hook: post-install,post-upgrade
helm.sh/hook-delete-policy: before-hook-creation
{{- with .Values.init.jobAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
template:
metadata:
labels:
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
{{- with .Values.init.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.init.annotations }}
annotations: {{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- if eq (include "cockroachdb.securityContext.versionValidation" .) "true" }}
{{- if and .Values.init.securityContext.enabled }}
securityContext:
seccompProfile:
type: "RuntimeDefault"
runAsGroup: 1000
runAsUser: 1000
fsGroup: 1000
runAsNonRoot: true
{{- end }}
{{- end }}
restartPolicy: OnFailure
terminationGracePeriodSeconds: {{ .Values.init.terminationGracePeriodSeconds }}
{{- if or .Values.image.credentials (and .Values.tls.enabled .Values.tls.selfSigner.image.credentials (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager)) }}
imagePullSecrets:
{{- if .Values.image.credentials }}
- name: {{ template "cockroachdb.fullname" . }}.db.registry
{{- end }}
{{- if and .Values.tls.enabled .Values.tls.selfSigner.image.credentials (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager) }}
- name: {{ template "cockroachdb.fullname" . }}.self-signed-certs.registry
{{- end }}
{{- end }}
serviceAccountName: {{ template "cockroachdb.serviceAccount.name" . }}
{{- if .Values.tls.enabled }}
initContainers:
- name: copy-certs
image: {{ .Values.tls.copyCerts.image | quote }}
imagePullPolicy: {{ .Values.tls.selfSigner.image.pullPolicy | quote }}
command:
- /bin/sh
- -c
- "cp -f /certs/* /cockroach-certs/; chmod 0400 /cockroach-certs/*.key"
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if and .Values.init.securityContext.enabled }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
{{- end }}
volumeMounts:
- name: client-certs
mountPath: /cockroach-certs/
- name: certs-secret
mountPath: /certs/
{{- with .Values.tls.copyCerts.resources }}
resources: {{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
{{- with .Values.init.affinity }}
affinity: {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.init.nodeSelector }}
nodeSelector: {{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.init.tolerations }}
tolerations: {{- toYaml . | nindent 8 }}
{{- end }}
containers:
- name: cluster-init
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
# Run the command in an `while true` loop because this Job is bound
# to come up before the CockroachDB Pods (due to the time needed to
# get PersistentVolumes attached to Nodes), and sleeping 5 seconds
# between attempts is much better than letting the Pod fail when
# the init command does and waiting out Kubernetes' non-configurable
# exponential back-off for Pod restarts.
# Command completes either when cluster initialization succeeds,
# or when cluster has been initialized already.
command:
- /bin/bash
- -c
- >-
{{- if $isClusterInitEnabled }}
initCluster() {
while true; do
local output=$(
set -x;
/cockroach/cockroach init \
{{- if .Values.tls.enabled }}
--certs-dir=/cockroach-certs/ \
{{- else }}
--insecure \
{{- end }}
{{- with index .Values.conf "cluster-name" }}
--cluster-name={{.}} \
{{- end }}
--host={{ template "cockroachdb.fullname" . }}-0.{{ template "cockroachdb.fullname" . -}}
:{{ .Values.service.ports.grpc.internal.port | int64 }} \
{{- if .Values.init.pcr.enabled -}}
{{- if .Values.init.pcr.isPrimary }}
--virtualized \
{{- else }}
--virtualized-empty \
{{- end }}
{{- end }}
2>&1);
local exitCode="$?";
echo $output;
if [[ "$output" =~ .*"Cluster successfully initialized".* || "$output" =~ .*"cluster has already been initialized".* ]]; then
break;
fi
echo "Cluster is not ready to be initialized, retrying in 5 seconds"
sleep 5;
done
}
initCluster;
{{- end }}
{{- if $isDatabaseProvisioningEnabled }}
provisionCluster() {
while true; do
/cockroach/cockroach sql \
{{- if .Values.tls.enabled }}
--certs-dir=/cockroach-certs/ \
{{- else }}
--insecure \
{{- end }}
--host={{ template "cockroachdb.fullname" . }}-0.{{ template "cockroachdb.fullname" . -}}
:{{ .Values.service.ports.grpc.internal.port | int64 }} \
--execute="
{{- range $clusterSetting, $clusterSettingValue := .Values.init.provisioning.clusterSettings }}
SET CLUSTER SETTING {{ $clusterSetting }} = '${{ $clusterSetting | replace "." "_" }}_CLUSTER_SETTING';
{{- end }}
{{- range $user := .Values.init.provisioning.users }}
CREATE USER IF NOT EXISTS {{ $user.name }} WITH
{{- if $user.password }}
PASSWORD '${{ $user.name }}_PASSWORD'
{{- else }}
PASSWORD null
{{- end }}
{{ join " " $user.options }}
;
{{- end }}
{{- range $database := .Values.init.provisioning.databases }}
CREATE DATABASE IF NOT EXISTS {{ $database.name }}
{{- if $database.options }}
{{ join " " $database.options }}
{{- end }}
;
{{- range $owner := $database.owners }}
GRANT ALL ON DATABASE {{ $database.name }} TO {{ $owner }};
{{- end }}
{{- range $owner := $database.owners_with_grant_option }}
GRANT ALL ON DATABASE {{ $database.name }} TO {{ $owner }} WITH GRANT OPTION;
{{- end }}
{{- if $database.backup }}
CREATE SCHEDULE IF NOT EXISTS {{ $database.name }}_scheduled_backup
FOR BACKUP DATABASE {{ $database.name }} INTO '{{ $database.backup.into }}'
{{- if $database.backup.options }}
WITH {{ join "," $database.backup.options }}
{{- end }}
RECURRING '{{ $database.backup.recurring }}'
{{- if $database.backup.fullBackup }}
FULL BACKUP '{{ $database.backup.fullBackup }}'
{{- else }}
FULL BACKUP ALWAYS
{{- end }}
{{- if and $database.backup.schedule $database.backup.schedule.options }}
WITH SCHEDULE OPTIONS {{ join "," $database.backup.schedule.options }}
{{- end }}
;
{{- end }}
{{- end }}
"
&>/dev/null;
local exitCode="$?";
if [[ "$exitCode" -eq "0" ]]
then break;
fi
sleep 5;
done
echo "Provisioning completed successfully";
}
provisionCluster;
{{- end }}
env:
{{- $secretName := printf "%s-init" (include "cockroachdb.fullname" .) }}
{{- range $user := .Values.init.provisioning.users }}
{{- if $user.password }}
- name: {{ $user.name }}_PASSWORD
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: {{ $user.name }}-password
{{- end }}
{{- end }}
{{- range $clusterSetting, $clusterSettingValue := .Values.init.provisioning.clusterSettings }}
{{- if $clusterSettingValue }}
- name: {{ $clusterSetting | replace "." "_" }}_CLUSTER_SETTING
valueFrom:
secretKeyRef:
name: {{ $secretName }}
key: {{ $clusterSetting | replace "." "-" }}-cluster-setting
{{- end }}
{{- end }}
{{- if .Values.tls.enabled }}
volumeMounts:
- name: client-certs
mountPath: /cockroach-certs/
{{- end }}
{{- with .Values.init.resources }}
resources: {{- toYaml . | nindent 12 }}
{{- end }}
{{- if and .Values.init.securityContext.enabled }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
{{- end }}
{{- if .Values.tls.enabled }}
volumes:
- name: client-certs
emptyDir: {}
{{- if or .Values.tls.certs.provided .Values.tls.certs.certManager .Values.tls.certs.selfSigner.enabled }}
- name: certs-secret
{{- if or .Values.tls.certs.tlsSecret .Values.tls.certs.certManager .Values.tls.certs.selfSigner.enabled }}
projected:
sources:
- secret:
{{- if .Values.tls.certs.selfSigner.enabled }}
name: {{ template "cockroachdb.fullname" . }}-client-secret
{{ else }}
name: {{ .Values.tls.certs.clientRootSecret }}
{{ end -}}
items:
- key: ca.crt
path: ca.crt
mode: 0400
- key: tls.crt
path: client.root.crt
mode: 0400
- key: tls.key
path: client.root.key
mode: 0400
{{- else }}
secret:
secretName: {{ .Values.tls.certs.clientRootSecret }}
defaultMode: 0400
{{- end }}
{{- end }}
{{- end }}
{{- end }}
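Review bot: `local exitCode="$?"` in `initCluster` always captures 0, because `$?` after `local output=$(...)` is the status of the `local` builtin, not of `cockroach init`; the variable is unused anyway, so either drop it or split the declaration from the assignment (`local output; output=$(...)`). More important for operators: both loops retry forever, the Job spec sets neither `backoffLimit` nor `activeDeadlineSeconds`, and `provisionCluster` sends all output to `/dev/null`, so a mistyped cluster setting or a SQL syntax error in `init.provisioning` shows up as a post-install hook that never completes and a Pod log that says nothing. Suggest echoing the output of failed attempts (as `initCluster` does with `echo $output`) and bounding the Job with `activeDeadlineSeconds`. Two further points: `'{{ $database.backup.into }}'` is templated straight into the `--execute` string, so a storage URI that carries credentials in its query parameters ends up in the rendered manifest and the Pod spec, whereas passwords and cluster-setting values in the same statement are routed through the `-init` Secret and `secretKeyRef` env vars; the backup destination deserves the same indirection. And the copy-certs init container takes its image from `.Values.tls.copyCerts.image` but its pull policy from `.Values.tls.selfSigner.image.pullPolicy`, which looks like a copy-paste from the self-signer container.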


@ -0,0 +1,59 @@
{{- if .Values.networkPolicy.enabled }}
kind: NetworkPolicy
apiVersion: {{ template "cockroachdb.networkPolicy.apiVersion" . }}
metadata:
name: {{ template "cockroachdb.serviceAccount.name" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
podSelector:
matchLabels:
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
{{- with .Values.statefulset.labels }}
{{- toYaml . | nindent 6 }}
{{- end }}
ingress:
- ports:
- port: grpc
{{- with .Values.networkPolicy.ingress.grpc }}
from:
# Allow connections via custom rules.
{{- toYaml . | nindent 8 }}
# Allow client connection via pre-considered label.
- podSelector:
matchLabels:
{{ template "cockroachdb.fullname" . }}-client: "true"
# Allow other CockroachDBs to connect to form a cluster.
- podSelector:
matchLabels:
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
{{- with .Values.statefulset.labels }}
{{- toYaml . | nindent 14 }}
{{- end }}
{{- if gt (.Values.statefulset.replicas | int64) 1 }}
# Allow init Job to connect to bootstrap a cluster.
- podSelector:
matchLabels:
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
{{- with .Values.init.labels }}
{{- toYaml . | nindent 14 }}
{{- end }}
{{- end }}
{{- end }}
# Allow connections to admin UI and for Prometheus.
- ports:
- port: http
{{- with .Values.networkPolicy.ingress.http }}
from: {{- toYaml . | nindent 8 }}
{{- end }}
{{- end }}
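Review bot: both ingress rules fall open when their values are empty. For gRPC, the whole `from:` list, including the `-client: "true"` selector, the peer-Pod selector and the init-Job selector, sits inside `{{- with .Values.networkPolicy.ingress.grpc }}`, so an empty `ingress.grpc` renders `- ports: [grpc]` with no `from`, which in a NetworkPolicy means "from any source"; the http rule behaves the same way and then exposes the admin UI and `/_status/vars` to every peer the CNI can reach. Move the built-in selectors out of the `with` block so they are always emitted and only the custom rules are optional. Two smaller points: without `policyTypes` the policy is Ingress-only, so egress from the database Pods stays unrestricted; if that is intended, say so with an explicit `policyTypes: [Ingress]`. And `name: {{ template "cockroachdb.serviceAccount.name" . }}` names a NetworkPolicy after the ServiceAccount, where every other resource in this change uses `cockroachdb.fullname`.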


@ -0,0 +1,26 @@
kind: PodDisruptionBudget
{{- if or (.Capabilities.APIVersions.Has "policy/v1") (semverCompare ">=1.21-0" .Capabilities.KubeVersion.Version) }}
apiVersion: policy/v1
{{- else }}
apiVersion: policy/v1beta1
{{- end }}
metadata:
name: {{ template "cockroachdb.fullname" . }}-budget
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
{{- with .Values.statefulset.labels }}
{{- toYaml . | nindent 6 }}
{{- end }}
maxUnavailable: {{ .Values.statefulset.budget.maxUnavailable | int64 }}


@ -0,0 +1,27 @@
{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }}
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "rotatecerts.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create", "get", "update", "delete"]
- apiGroups: ["apps"]
resources: ["statefulsets"]
verbs: ["get"]
resourceNames:
- {{ template "cockroachdb.fullname" . }}
- apiGroups: [""]
resources: ["pods"]
verbs: ["delete", "get"]
{{- end }}
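Review bot: the `secrets` and `pods` rules are namespace-wide while the `statefulsets` rule is pinned with `resourceNames`. `get`, `update` and `delete` accept `resourceNames`, so the rotation ServiceAccount could be limited to the certificate Secrets this chart manages (for example the `-client-secret` the init Job mounts) instead of being able to read and delete every Secret in the release namespace, including the `-init` Secret that holds provisioning passwords; `create` cannot be name-scoped and would stay as it is. The same rule list is repeated verbatim in the selfcerts Role, so a shared named template would keep the two from drifting.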


@ -0,0 +1,33 @@
{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }}
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "selfcerts.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# This is what defines this resource as a hook. Without this line, the
# job is considered part of the release.
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "2"
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups: [""]
resources: ["secrets"]
verbs: ["create", "get", "update", "delete"]
- apiGroups: ["apps"]
resources: ["statefulsets"]
verbs: ["get"]
resourceNames:
- {{ template "cockroachdb.fullname" . }}
- apiGroups: [""]
resources: ["pods"]
verbs: ["delete", "get"]
{{- end }}
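Review bot: same scoping point as the rotatecerts Role: `verbs: ["create", "get", "update", "delete"]` on all `secrets` in the namespace can be narrowed with `resourceNames` for everything but `create`, and `pods` `delete` is likewise namespace-wide. The hook annotations are the right shape, since the Role and its binding exist only while the cert-generate Job runs, but because the rules are identical to the rotatecerts Role a single named template for the rule list would avoid the two diverging on a later edit.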


@ -0,0 +1,23 @@
{{- if .Values.tls.enabled }}
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "cockroachdb.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
- apiGroups: [""]
resources: ["secrets"]
{{- if or .Values.tls.certs.provided .Values.tls.certs.certManager }}
verbs: ["get"]
{{- else }}
verbs: ["create", "get"]
{{- end }}
{{- end }}
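Review bot: this Role is bound to the ServiceAccount the database Pods run under (see the `cockroachdb` RoleBinding and the StatefulSet's `serviceAccountName`) and grants `get` on every Secret in the namespace, with `create` added unless certificates are provided or come from cert-manager. A compromised database container could therefore read the `-init` Secret with provisioning passwords, the `.iap` client secret and the registry credentials created in this same change. If the Pods consume their certificates only through the mounted `certs-secret` volume, the grant may not be needed at all; if it is, pin it with `resourceNames` to the node and client certificate Secrets.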


@ -0,0 +1,23 @@
{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }}
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "rotatecerts.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "rotatecerts.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "rotatecerts.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}


@ -0,0 +1,29 @@
{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }}
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "selfcerts.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# This is what defines this resource as a hook. Without this line, the
# job is considered part of the release.
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "3"
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "selfcerts.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "selfcerts.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}


@ -0,0 +1,23 @@
{{- if .Values.tls.enabled }}
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ template "cockroachdb.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: {{ template "cockroachdb.fullname" . }}
subjects:
- kind: ServiceAccount
name: {{ template "cockroachdb.serviceAccount.name" . }}
namespace: {{ .Release.Namespace | quote }}
{{- end }}


@ -0,0 +1,25 @@
{{- if .Values.iap.enabled }}
kind: Secret
apiVersion: v1
metadata:
name: {{ template "cockroachdb.fullname" . }}.iap
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
type: Opaque
data:
{{- if eq "" .Values.iap.clientId }}
{{ fail "iap.clientID can't be empty if iap.enabled is set to true" }}
{{- end }}
client_id: {{ .Values.iap.clientId | b64enc }}
{{- if eq "" .Values.iap.clientSecret }}
{{ fail "iap.clientSecret can't be empty if iap.enabled is set to true" }}
{{- end }}
client_secret: {{ .Values.iap.clientSecret | b64enc }}
{{- end }}
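Review bot: the failure message `iap.clientID can't be empty` names a key that does not exist; the value read two lines later is `.Values.iap.clientId`, so the message should say `iap.clientId` or operators will go looking for the wrong key. The two `{{ fail ... }}` lines also lack the `-` trim the surrounding `if`/`end` use; harmless because `fail` aborts rendering, but inconsistent with the rest of the file.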


@ -0,0 +1,19 @@
{{- if .Values.conf.log.enabled }}
kind: Secret
apiVersion: v1
metadata:
name: {{ template "cockroachdb.fullname" . }}-log-config
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
type: Opaque
stringData:
log-config.yaml: |
{{- toYaml .Values.conf.log.config | nindent 4 }}
{{- end }}


@ -0,0 +1,23 @@
{{- range $name, $cred := dict "db" (.Values.image.credentials) "init-certs" (.Values.tls.selfSigner.image.credentials) }}
{{- if not (empty $cred) }}
{{- if or (and (eq $name "init-certs") $.Values.tls.enabled) (ne $name "init-certs") }}
---
kind: Secret
apiVersion: v1
metadata:
name: {{ template "cockroachdb.fullname" $ }}.{{ $name }}.registry
namespace: {{ $.Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" $ }}
app.kubernetes.io/name: {{ template "cockroachdb.name" $ }}
app.kubernetes.io/instance: {{ $.Release.Name | quote }}
app.kubernetes.io/managed-by: {{ $.Release.Service | quote }}
{{- with $.Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: {{ printf `{"auths":{%s:{"auth":"%s"}}}` ($cred.registry | quote) (printf "%s:%s" $cred.username $cred.password | b64enc) | b64enc | quote }}
{{- end }}
{{- end }}
{{- end }}
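Review bot: the Secret produced for the self-signer credentials is named `{{ template "cockroachdb.fullname" $ }}.init-certs.registry` (from the `init-certs` dict key), but the init Job and the StatefulSet in this change list `{{ template "cockroachdb.fullname" . }}.self-signed-certs.registry` under `imagePullSecrets`. Unless another template creates a Secret under that name, Pods will reference a pull secret that does not exist whenever `tls.selfSigner.image.credentials` is set; rename the dict key to `self-signed-certs` or fix the two references.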


@ -0,0 +1,20 @@
{{- if .Values.init.provisioning.enabled }}
apiVersion: v1
kind: Secret
metadata:
name: {{ template "cockroachdb.fullname" . }}-init
namespace: {{ .Release.Namespace | quote }}
type: Opaque
stringData:
{{- range $user := .Values.init.provisioning.users }}
{{- if $user.password }}
{{ $user.name }}-password: {{ $user.password | quote }}
{{- end }}
{{- end }}
{{- range $clusterSetting, $clusterSettingValue := .Values.init.provisioning.clusterSettings }}
{{ $clusterSetting | replace "." "-" }}-cluster-setting: {{ $clusterSettingValue | quote }}
{{- end }}
{{- end }}
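Review bot: this is the only resource in the change without the `helm.sh/chart` and `app.kubernetes.io/*` label block (and the `.Values.labels` passthrough) the other templates carry, so label-based selection skips the one Secret that holds provisioning passwords and cluster-setting values; add the same `labels:` block. Worth documenting next to `init.provisioning.users` as well: `{{ $user.password | quote }}` copies the password verbatim from values, so the values file and `helm get values` output carry it in plaintext.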


@ -0,0 +1,64 @@
# This service only exists to create DNS entries for each pod in
# the StatefulSet such that they can resolve each other's IP addresses.
# It does not create a load-balanced ClusterIP and should not be used directly
# by clients in most circumstances.
kind: Service
apiVersion: v1
metadata:
name: {{ template "cockroachdb.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- with .Values.service.discovery.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
annotations:
# Use this annotation in addition to the actual field below because the
# annotation will stop being respected soon, but the field is broken in
# some versions of Kubernetes:
# https://github.com/kubernetes/kubernetes/issues/58662
service.alpha.kubernetes.io/tolerate-unready-endpoints: "true"
# Enable automatic monitoring of all instances when Prometheus is running
# in the cluster.
{{- if .Values.prometheus.enabled }}
prometheus.io/scrape: "true"
prometheus.io/path: _status/vars
prometheus.io/port: {{ .Values.service.ports.http.port | quote }}
{{- end }}
{{- with .Values.service.discovery.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
clusterIP: None
# We want all Pods in the StatefulSet to have their addresses published for
# the sake of the other CockroachDB Pods even before they're ready, since they
# have to be able to talk to each other in order to become ready.
publishNotReadyAddresses: true
ports:
{{- $ports := .Values.service.ports }}
# The main port, served by gRPC, serves Postgres-flavor SQL, inter-node
# traffic and the CLI.
- name: {{ $ports.grpc.external.name | quote }}
port: {{ $ports.grpc.external.port | int64 }}
targetPort: grpc
{{- if ne ($ports.grpc.internal.port | int64) ($ports.grpc.external.port | int64) }}
- name: {{ $ports.grpc.internal.name | quote }}
port: {{ $ports.grpc.internal.port | int64 }}
targetPort: grpc
{{- end }}
# The secondary port serves the UI as well as health and debug endpoints.
- name: {{ $ports.http.name | quote }}
port: {{ $ports.http.port | int64 }}
targetPort: http
selector:
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
{{- with .Values.statefulset.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}


@ -0,0 +1,55 @@
# This Service is meant to be used by clients of the database.
# It exposes a ClusterIP that will automatically load balance connections
# to the different database Pods.
kind: Service
apiVersion: v1
metadata:
name: {{ template "cockroachdb.fullname" . }}-public
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- with .Values.service.public.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if or .Values.service.public.annotations .Values.tls.enabled .Values.iap.enabled }}
annotations:
{{- with .Values.service.public.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if .Values.tls.enabled }}
service.alpha.kubernetes.io/app-protocols: '{"http":"HTTPS"}'
{{- end }}
{{- if .Values.iap.enabled }}
beta.cloud.google.com/backend-config: '{"default": "{{ template "cockroachdb.fullname" . }}"}'
{{- end }}
{{- end }}
spec:
type: {{ .Values.service.public.type | quote }}
ports:
{{- $ports := .Values.service.ports }}
# The main port, served by gRPC, serves Postgres-flavor SQL, inter-node
# traffic and the CLI.
- name: {{ $ports.grpc.external.name | quote }}
port: {{ $ports.grpc.external.port | int64 }}
targetPort: grpc
{{- if ne ($ports.grpc.internal.port | int64) ($ports.grpc.external.port | int64) }}
- name: {{ $ports.grpc.internal.name | quote }}
port: {{ $ports.grpc.internal.port | int64 }}
targetPort: grpc
{{- end }}
# The secondary port serves the UI as well as health and debug endpoints.
- name: {{ $ports.http.name | quote }}
port: {{ $ports.http.port | int64 }}
targetPort: http
selector:
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
{{- with .Values.statefulset.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
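Review bot: `type: {{ .Values.service.public.type | quote }}` lets operators choose `LoadBalancer` or `NodePort`, but the spec offers no `loadBalancerSourceRanges` (or `externalTrafficPolicy`) passthrough, so once the type is `LoadBalancer` both the SQL port and the admin UI/`/_status/vars` port are reachable from whatever the cloud load balancer admits, with no chart-level way to narrow it. Suggest a `service.public.loadBalancerSourceRanges` value rendered into the spec with `{{- with ... }}` like the annotations above.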


@ -0,0 +1,54 @@
{{- $serviceMonitor := .Values.serviceMonitor -}}
{{- $ports := .Values.service.ports -}}
{{- if $serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ template "cockroachdb.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- if $serviceMonitor.labels }}
{{- toYaml $serviceMonitor.labels | nindent 4 }}
{{- end }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if $serviceMonitor.annotations }}
annotations:
{{- toYaml $serviceMonitor.annotations | nindent 4 }}
{{- end }}
spec:
selector:
matchLabels:
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
{{- with .Values.service.discovery.labels }}
{{- toYaml . | nindent 6 }}
{{- end }}
{{- with .Values.labels }}
{{- toYaml . | nindent 6 }}
{{- end }}
namespaceSelector:
{{- if $serviceMonitor.namespaced }}
matchNames:
- {{ .Release.Namespace }}
{{- else }}
any: true
{{- end }}
endpoints:
- port: {{ $ports.http.name | quote }}
path: /_status/vars
{{- if $serviceMonitor.interval }}
interval: {{ $serviceMonitor.interval }}
{{- end }}
{{- if $serviceMonitor.scrapeTimeout }}
scrapeTimeout: {{ $serviceMonitor.scrapeTimeout }}
{{- end }}
{{- if .Values.serviceMonitor.tlsConfig }}
tlsConfig: {{ toYaml .Values.serviceMonitor.tlsConfig | nindent 6 }}
{{- end }}
{{- end }}
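Review bot: the endpoint has no `scheme`, so Prometheus scrapes `/_status/vars` over plain HTTP even when `tlsConfig` is set, while the public Service in this change marks the http port as `HTTPS` whenever `tls.enabled` is true. Add `scheme: https` under a `{{- if .Values.tls.enabled }}` guard (or alongside `tlsConfig`) so TLS deployments are scraped at all. Also, `tlsConfig` is read from `.Values.serviceMonitor.tlsConfig` while the rest of the file uses the `$serviceMonitor` variable; use the variable for consistency.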


@ -0,0 +1,22 @@
{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }}
{{ template "cockroachdb.tls.certs.selfSigner.validation" . }}
kind: ServiceAccount
apiVersion: v1
metadata:
name: {{ template "rotatecerts.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if .Values.tls.certs.selfSigner.svcAccountAnnotations }}
annotations:
{{- with .Values.tls.certs.selfSigner.svcAccountAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}


@ -0,0 +1,25 @@
{{- if and .Values.tls.enabled .Values.tls.certs.selfSigner.enabled }}
{{ template "cockroachdb.tls.certs.selfSigner.validation" . }}
kind: ServiceAccount
apiVersion: v1
metadata:
name: {{ template "selfcerts.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
annotations:
# This is what defines this resource as a hook. Without this line, the
# job is considered part of the release.
"helm.sh/hook": pre-install,pre-upgrade
"helm.sh/hook-weight": "1"
"helm.sh/hook-delete-policy": hook-succeeded,hook-failed
{{- with .Values.tls.certs.selfSigner.svcAccountAnnotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}


@ -0,0 +1,21 @@
{{- if .Values.statefulset.serviceAccount.create }}
kind: ServiceAccount
apiVersion: v1
metadata:
name: {{ template "cockroachdb.serviceAccount.name" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- if .Values.statefulset.serviceAccount.annotations }}
annotations:
{{- with .Values.statefulset.serviceAccount.annotations }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- end }}
{{- end }}


@ -0,0 +1,402 @@
kind: StatefulSet
apiVersion: {{ template "cockroachdb.statefulset.apiVersion" . }}
metadata:
name: {{ template "cockroachdb.fullname" . }}
namespace: {{ .Release.Namespace | quote }}
labels:
helm.sh/chart: {{ template "cockroachdb.chart" . }}
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
app.kubernetes.io/managed-by: {{ .Release.Service | quote }}
{{- with .Values.statefulset.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
{{- with .Values.labels }}
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
serviceName: {{ template "cockroachdb.fullname" . }}
replicas: {{ .Values.statefulset.replicas | int64 }}
updateStrategy: {{- toYaml .Values.statefulset.updateStrategy | nindent 4 }}
podManagementPolicy: {{ .Values.statefulset.podManagementPolicy | quote }}
selector:
matchLabels:
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
{{- with .Values.statefulset.labels }}
{{- toYaml . | nindent 6 }}
{{- end }}
template:
metadata:
labels:
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
{{- with .Values.statefulset.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.labels }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.statefulset.annotations }}
annotations: {{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- if or .Values.image.credentials (and .Values.tls.enabled .Values.tls.selfSigner.image.credentials (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager)) }}
imagePullSecrets:
{{- if .Values.image.credentials }}
- name: {{ template "cockroachdb.fullname" . }}.db.registry
{{- end }}
{{- if and .Values.tls.enabled .Values.tls.selfSigner.image.credentials (not .Values.tls.certs.provided) (not .Values.tls.certs.certManager) }}
- name: {{ template "cockroachdb.fullname" . }}.self-signed-certs.registry
{{- end }}
{{- end }}
serviceAccountName: {{ template "cockroachdb.serviceAccount.name" . }}
{{- if .Values.tls.enabled }}
initContainers:
- name: copy-certs
image: {{ .Values.tls.copyCerts.image | quote }}
imagePullPolicy: {{ .Values.tls.selfSigner.image.pullPolicy | quote }}
command:
- /bin/sh
- -c
- "cp -f /certs/* /cockroach-certs/; chmod 0400 /cockroach-certs/*.key"
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
{{- if .Values.statefulset.securityContext.enabled }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
{{- end }}
volumeMounts:
- name: certs
mountPath: /cockroach-certs/
- name: certs-secret
mountPath: /certs/
{{- with .Values.tls.copyCerts.resources }}
resources: {{- toYaml . | nindent 12 }}
{{- end }}
{{- end }}
{{- if or .Values.statefulset.nodeAffinity .Values.statefulset.podAffinity .Values.statefulset.podAntiAffinity }}
affinity:
{{- with .Values.statefulset.nodeAffinity }}
nodeAffinity: {{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.statefulset.podAffinity }}
podAffinity: {{- toYaml . | nindent 10 }}
{{- end }}
{{- if .Values.statefulset.podAntiAffinity }}
podAntiAffinity:
{{- if .Values.statefulset.podAntiAffinity.type }}
{{- if eq .Values.statefulset.podAntiAffinity.type "hard" }}
requiredDuringSchedulingIgnoredDuringExecution:
- topologyKey: {{ .Values.statefulset.podAntiAffinity.topologyKey }}
labelSelector:
matchLabels:
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
{{- with .Values.statefulset.labels }}
{{- toYaml . | nindent 18 }}
{{- end }}
{{- else if eq .Values.statefulset.podAntiAffinity.type "soft" }}
preferredDuringSchedulingIgnoredDuringExecution:
- weight: {{ .Values.statefulset.podAntiAffinity.weight | int64 }}
podAffinityTerm:
topologyKey: {{ .Values.statefulset.podAntiAffinity.topologyKey }}
labelSelector:
matchLabels:
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
{{- with .Values.statefulset.labels }}
{{- toYaml . | nindent 20 }}
{{- end }}
{{- end }}
{{- else }}
{{- toYaml .Values.statefulset.podAntiAffinity | nindent 10 }}
{{- end }}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.16-0" .Capabilities.KubeVersion.Version }}
topologySpreadConstraints:
- labelSelector:
matchLabels:
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
{{- with .Values.statefulset.labels }}
{{- toYaml . | nindent 12 }}
{{- end }}
{{- with .Values.statefulset.topologySpreadConstraints }}
maxSkew: {{ .maxSkew }}
topologyKey: {{ .topologyKey }}
whenUnsatisfiable: {{ .whenUnsatisfiable }}
{{- end }}
{{- end }}
{{- with .Values.statefulset.nodeSelector }}
nodeSelector: {{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.statefulset.priorityClassName }}
priorityClassName: {{ .Values.statefulset.priorityClassName }}
{{- end }}
{{- with .Values.statefulset.tolerations }}
tolerations: {{- toYaml . | nindent 8 }}
{{- end }}
# No pre-stop hook is required, a SIGTERM plus some time is all that's
# needed for graceful shutdown of a node.
terminationGracePeriodSeconds: {{ .Values.init.terminationGracePeriodSeconds }}
containers:
- name: db
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
args:
- shell
- -ecx
# The use of qualified `hostname -f` is crucial:
# Other nodes aren't able to look up the unqualified hostname.
#
# `--join` CLI flag is hardcoded to exactly 3 Pods, because:
# 1. Having `--join` value depending on `statefulset.replicas`
# will trigger undesired restart of existing Pods when
# StatefulSet is scaled up/down. We want to scale without
# restarting existing Pods.
# 2. At least one Pod in `--join` is enough to successfully
# join CockroachDB cluster and gossip with all other existing
# Pods, even if there are 3 or more Pods.
# 3. It's harmless for `--join` to have 3 Pods even for 1-Pod
# clusters, while it gives us opportunity to scale up even if
# some Pods of existing cluster are down (for whatever reason).
# See details explained here:
# https://github.com/helm/charts/pull/18993#issuecomment-558795102
- >-
exec /cockroach/cockroach
{{- if index .Values.conf `single-node` }}
start-single-node
{{- else }}
start --join=
{{- if .Values.conf.join }}
{{- join `,` .Values.conf.join -}}
{{- else }}
{{- range $i, $_ := until 3 -}}
{{- if gt $i 0 -}},{{- end -}}
${STATEFULSET_NAME}-{{ $i }}.${STATEFULSET_FQDN}:{{ $.Values.service.ports.grpc.internal.port | int64 -}}
{{- end -}}
{{- end }}
{{- with index .Values.conf `cluster-name` }}
--cluster-name={{ . }}
{{- if index $.Values.conf `disable-cluster-name-verification` }}
--disable-cluster-name-verification
{{- end }}
{{- end }}
{{- end }}
--advertise-host=$(hostname).${STATEFULSET_FQDN}
{{- if .Values.tls.enabled }}
--certs-dir=/cockroach/cockroach-certs/
{{- else }}
--insecure
{{- end }}
{{- with .Values.conf.attrs }}
--attrs={{ join `:` . }}
{{- end }}
--http-port={{ index .Values.conf `http-port` | int64 }}
--port={{ .Values.conf.port | int64 }}
--cache={{ .Values.conf.cache }}
{{- with index .Values.conf `max-disk-temp-storage` }}
--max-disk-temp-storage={{ . }}
{{- end }}
{{- with index .Values.conf `max-offset` }}
--max-offset={{ . }}
{{- end }}
--max-sql-memory={{ index .Values.conf `max-sql-memory` }}
{{- with .Values.conf.locality }}
--locality={{ . }}
{{- end }}
{{- with index .Values.conf `sql-audit-dir` }}
--sql-audit-dir={{ . }}
{{- end }}
{{- if .Values.conf.store.enabled }}
--store={{ template "cockroachdb.conf.store" . }}
{{- end }}
{{- if .Values.conf.log.enabled }}
--log-config-file=/cockroach/log-config/log-config.yaml
{{- else }}
--logtostderr={{ .Values.conf.logtostderr }}
{{- end }}
{{- range .Values.statefulset.args }}
{{ . }}
{{- end }}
env:
- name: STATEFULSET_NAME
value: {{ template "cockroachdb.fullname" . }}
- name: STATEFULSET_FQDN
value: {{ template "cockroachdb.fullname" . }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}
- name: COCKROACH_CHANNEL
value: kubernetes-helm
{{- with .Values.statefulset.env }}
{{- toYaml . | nindent 12 }}
{{- end }}
ports:
- name: grpc
containerPort: {{ .Values.conf.port | int64 }}
protocol: TCP
- name: http
containerPort: {{ index .Values.conf `http-port` | int64 }}
protocol: TCP
volumeMounts:
- name: datadir
mountPath: /cockroach/{{ .Values.conf.path }}/
{{- if .Values.tls.enabled }}
- name: certs
mountPath: /cockroach/cockroach-certs/
{{- if .Values.tls.certs.provided }}
- name: certs-secret
mountPath: /cockroach/certs/
{{- end }}
{{- end }}
{{- range .Values.statefulset.secretMounts }}
- name: {{ printf "secret-%s" . | quote }}
mountPath: {{ printf "/etc/cockroach/secrets/%s" . | quote }}
readOnly: true
{{- end }}
{{- if .Values.conf.log.enabled }}
- name: log-config
mountPath: /cockroach/log-config
readOnly: true
{{- end }}
livenessProbe:
{{- if .Values.statefulset.customLivenessProbe }}
{{ toYaml .Values.statefulset.customLivenessProbe | nindent 12 }}
{{- else }}
httpGet:
path: /health
port: http
{{- if .Values.tls.enabled }}
scheme: HTTPS
{{- end }}
initialDelaySeconds: 30
periodSeconds: 5
{{- end }}
readinessProbe:
{{- if .Values.statefulset.customReadinessProbe }}
{{ toYaml .Values.statefulset.customReadinessProbe | nindent 12 }}
{{- else }}
httpGet:
path: /health?ready=1
port: http
{{- if .Values.tls.enabled }}
scheme: HTTPS
{{- end }}
initialDelaySeconds: 10
periodSeconds: 5
failureThreshold: 2
{{- end }}
{{- if eq (include "cockroachdb.securityContext.versionValidation" .) "true" }}
{{- if .Values.statefulset.securityContext.enabled }}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
privileged: false
readOnlyRootFilesystem: true
{{- end }}
{{- end }}
{{- with .Values.statefulset.resources }}
resources: {{- toYaml . | nindent 12 }}
{{- end }}
volumes:
- name: datadir
{{- if .Values.storage.persistentVolume.enabled }}
persistentVolumeClaim:
claimName: datadir
{{- else if .Values.storage.hostPath }}
hostPath:
path: {{ .Values.storage.hostPath | quote }}
{{- else }}
emptyDir: {}
{{- end }}
{{- if .Values.tls.enabled }}
- name: certs
emptyDir: {}
{{- if or .Values.tls.certs.provided .Values.tls.certs.certManager .Values.tls.certs.selfSigner.enabled }}
- name: certs-secret
{{- if or .Values.tls.certs.tlsSecret .Values.tls.certs.certManager .Values.tls.certs.selfSigner.enabled }}
projected:
sources:
- secret:
{{- if .Values.tls.certs.selfSigner.enabled }}
name: {{ template "cockroachdb.fullname" . }}-node-secret
{{ else }}
name: {{ .Values.tls.certs.nodeSecret }}
{{ end -}}
items:
- key: ca.crt
path: ca.crt
mode: 256
- key: tls.crt
path: node.crt
mode: 256
- key: tls.key
path: node.key
mode: 256
{{- else }}
secret:
secretName: {{ .Values.tls.certs.nodeSecret }}
defaultMode: 256
{{- end }}
{{- end }}
{{- end }}
{{- range .Values.statefulset.secretMounts }}
- name: {{ printf "secret-%s" . | quote }}
secret:
secretName: {{ . | quote }}
{{- end }}
{{- if .Values.conf.log.enabled }}
- name: log-config
secret:
secretName: {{ template "cockroachdb.fullname" . }}-log-config
{{- end }}
{{- if eq (include "cockroachdb.securityContext.versionValidation" .) "true" }}
{{- if and .Values.securityContext.enabled }}
securityContext:
seccompProfile:
type: "RuntimeDefault"
fsGroup: 1000
runAsGroup: 1000
runAsUser: 1000
runAsNonRoot: true
{{- end }}
{{- end }}
{{- if .Values.storage.persistentVolume.enabled }}
volumeClaimTemplates:
- metadata:
name: datadir
labels:
app.kubernetes.io/name: {{ template "cockroachdb.name" . }}
app.kubernetes.io/instance: {{ .Release.Name | quote }}
{{- with .Values.storage.persistentVolume.labels }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.labels }}
{{- toYaml . | nindent 10 }}
{{- end }}
{{- with .Values.storage.persistentVolume.annotations }}
annotations: {{- toYaml . | nindent 10 }}
{{- end }}
spec:
accessModes: ["ReadWriteOnce"]
{{- if .Values.storage.persistentVolume.storageClass }}
{{- if (eq "-" .Values.storage.persistentVolume.storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: {{ .Values.storage.persistentVolume.storageClass | quote}}
{{- end }}
{{- end }}
resources:
requests:
storage: {{ .Values.storage.persistentVolume.size | quote }}
{{- end }}
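Review bot: `terminationGracePeriodSeconds: {{ .Values.init.terminationGracePeriodSeconds }}` in the pod template reads the init Job's setting instead of the StatefulSet's own; values.yaml in this commit also defines `statefulset.terminationGracePeriodSeconds`, so this should read `{{ .Values.statefulset.terminationGracePeriodSeconds }}`, otherwise that value is dead configuration. Two smaller points in the same hunk: the `copy-certs` init container takes `imagePullPolicy` from `.Values.tls.selfSigner.image.pullPolicy` while its image comes from `.Values.tls.copyCerts.image`, which defaults to an unpinned `busybox` with no tag or digest, so a dedicated pull policy and a pinned tag for the cert-copy image would be cleaner from a supply-chain standpoint; and `{{- if and .Values.securityContext.enabled }}` on the pod-level securityContext is `and` with a single operand and should just be `{{- if .Values.securityContext.enabled }}`. Worth documenting as well: the init container's securityContext is gated on `statefulset.securityContext.enabled` but is not wrapped in the `cockroachdb.securityContext.versionValidation` check that the `db` container uses, so the two containers behave differently on older Kubernetes versions.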

@ -0,0 +1,65 @@
kind: Pod
apiVersion: v1
metadata:
name: {{ template "cockroachdb.fullname" . }}-test
namespace: {{ .Release.Namespace | quote }}
{{- if .Values.networkPolicy.enabled }}
labels:
{{ template "cockroachdb.fullname" . }}-client: "true"
{{- end }}
annotations:
helm.sh/hook: test-success
spec:
restartPolicy: Never
{{- if .Values.image.credentials }}
imagePullSecrets:
- name: {{ template "cockroachdb.fullname" . }}.db.registry
{{- end }}
{{- if or .Values.tls.certs.provided .Values.tls.certs.certManager }}
volumes:
- name: client-certs
{{- if or .Values.tls.certs.tlsSecret .Values.tls.certs.certManager }}
projected:
sources:
- secret:
name: {{ .Values.tls.certs.clientRootSecret }}
items:
- key: ca.crt
path: ca.crt
mode: 0400
- key: tls.crt
path: client.root.crt
mode: 0400
- key: tls.key
path: client.root.key
mode: 0400
{{- else }}
secret:
secretName: {{ .Values.tls.certs.clientRootSecret }}
defaultMode: 0400
{{- end }}
{{- end }}
containers:
- name: client-test
image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
{{- if or .Values.tls.certs.provided .Values.tls.certs.certManager }}
volumeMounts:
- name: client-certs
mountPath: /cockroach-certs
{{- end }}
command:
- /cockroach/cockroach
- sql
{{- if or .Values.tls.certs.provided .Values.tls.certs.certManager }}
- --certs-dir
- /cockroach-certs
{{- else }}
- --insecure
{{- end}}
- --host
- {{ template "cockroachdb.fullname" . }}-public.{{ .Release.Namespace }}
- --port
- {{ .Values.service.ports.grpc.external.port | quote }}
- -e
- SHOW DATABASES;
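Review bot: the test pod only mounts client certificates and passes `--certs-dir` when `tls.certs.provided` or `tls.certs.certManager` is set, and otherwise falls back to `--insecure`; with this chart's defaults (`tls.enabled: true`, `tls.certs.selfSigner.enabled: true`) neither condition holds, so `helm test` would run an insecure client against a TLS-only cluster and fail. The condition should also cover `.Values.tls.certs.selfSigner.enabled`, mirroring the `certs-secret` volume in the StatefulSet (`{{- if or .Values.tls.certs.provided .Values.tls.certs.certManager .Values.tls.certs.selfSigner.enabled }}`), with the mounted secret name matching the one the selfSigner job creates; at minimum the `--insecure` branch should be gated on `.Values.tls.enabled` being false. Minor: `helm.sh/hook: test-success` is the Helm 2 hook name, which Helm 3 still accepts for compatibility but documents as `test`, and `{{- end}}` before `--host` is missing the space used everywhere else in the file.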

@ -0,0 +1,97 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"properties": {
"tls": {
"type": "object",
"properties": {
"certs": {
"type": "object",
"properties": {
"selfSigner": {
"type": "object",
"required": ["enabled", "caProvided"],
"properties": {
"enabled": {
"type": "boolean"
},
"caProvided": {
"type": "boolean"
}
},
"if": {
"properties": {
"enabled": {
"const": true
}
}
},
"then": {
"if": {
"properties": {
"caProvided": {
"const": false
}
}
},
"then": {
"properties": {
"caCertDuration" : {
"type": "string",
"pattern": "^[0-9]*h$"
},
"caCertExpiryWindow": {
"type": "string",
"pattern": "^[0-9]*h$"
}
}
},
"properties": {
"clientCertDuration": {
"type": "string",
"pattern": "^[0-9]*h$"
},
"clientCertExpiryWindow": {
"type": "string",
"pattern": "^[0-9]*h$"
},
"nodeCertDuration": {
"type": "string",
"pattern": "^[0-9]*h$"
},
"nodeCertExpiryWindow": {
"type": "string",
"pattern": "^[0-9]*h$"
},
"rotateCerts": {
"type": "boolean"
}
}
}
}
}
},
"selfSigner": {
"type": "object",
"properties": {
"image": {
"type": "object",
"required": ["repository", "tag", "pullPolicy"],
"properties": {
"repository": {
"type": "string"
},
"tag": {
"type": "string"
},
"pullPolicy": {
"type": "string",
"pattern": "^(Always|Never|IfNotPresent)$"
}
}
}
}
}
}
}
}
}
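Review bot: the duration patterns `^[0-9]*h$` accept the bare string `h`, because `*` allows an empty digit run; `^[0-9]+h$` rejects an empty duration at schema validation instead of passing it through to the selfSigner job. The schema also only constrains `tls.certs.selfSigner.*` and `tls.selfSigner.image`, leaving `minimumCertDuration`, `readinessWait` and `podUpdateTimeout` (which values.yaml sets with `h`, `s` and `m` suffixes respectively) unchecked; if hour-only values are intended for the cert duration fields, that restriction should be stated in the values.yaml comments next to those keys.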

@ -0,0 +1,606 @@
# Generated file, DO NOT EDIT. Source: build/templates/values.yaml
# Overrides the chart name against the label "app.kubernetes.io/name: " placed on every resource this chart creates.
nameOverride: ""
# Override the resource names created by this chart which originally is generated using release and chart name.
fullnameOverride: ""
image:
repository: cockroachdb/cockroach
tag: v24.2.2
pullPolicy: IfNotPresent
credentials: {}
# registry: docker.io
# username: john_doe
# password: changeme
# Additional labels to apply to all Kubernetes resources created by this chart.
labels: {}
# app.kubernetes.io/part-of: my-app
# Cluster's default DNS domain.
# You should overwrite it if you're using a different one,
# otherwise CockroachDB nodes discovery won't work.
clusterDomain: cluster.local
conf:
# An ordered list of CockroachDB node attributes.
# Attributes are arbitrary strings specifying machine capabilities.
# Machine capabilities might include specialized hardware or number of cores
# (e.g. "gpu", "x16c").
attrs: []
# - x16c
# - gpu
# Total size in bytes for caches, shared evenly if there are multiple
# storage devices. Size suffixes are supported (e.g. `1GB` and `1GiB`).
# A percentage of physical memory can also be specified (e.g. `.25`).
cache: 25%
# Sets a name to verify the identity of a cluster.
# The value must match between all nodes specified via `conf.join`.
# This can be used as an additional verification when either the node or
# cluster, or both, have not yet been initialized and do not yet know their
# cluster ID.
# To introduce a cluster name into an already-initialized cluster, pair this
# option with `conf.disable-cluster-name-verification: yes`.
cluster-name: ""
# Tell the server to ignore `conf.cluster-name` mismatches.
# This is meant for use when opting an existing cluster into starting to use
# cluster name verification, or when changing the cluster name.
# The cluster should be restarted once with `conf.cluster-name` and
# `conf.disable-cluster-name-verification: yes` combined, and once all nodes
# have been updated to know the new cluster name, the cluster can be restarted
# again with `conf.disable-cluster-name-verification: no`.
# This option has no effect if `conf.cluster-name` is not specified.
disable-cluster-name-verification: false
# The addresses for connecting a CockroachDB nodes to an existing cluster.
# If you are deploying a second CockroachDB instance that should join a first
# one, use the below list to join to the existing instance.
# Each item in the array should be a FQDN (and port if needed) resolvable by
# new Pods.
join: []
# New logging configuration.
log:
enabled: false
# https://www.cockroachlabs.com/docs/v21.1/configure-logs
config: {}
# file-defaults:
# dir: /custom/dir/path/
# fluent-defaults:
# format: json-fluent
# sinks:
# stderr:
# channels: [DEV]
# Logs at or above this threshold to STDERR. Ignored when "log" is enabled
logtostderr: INFO
# Maximum storage capacity available to store temporary disk-based data for
# SQL queries that exceed the memory budget (e.g. join, sorts, etc are
# sometimes able to spill intermediate results to disk).
# Accepts numbers interpreted as bytes, size suffixes (e.g. `32GB` and
# `32GiB`) or a percentage of disk size (e.g. `10%`).
# The location of the temporary files is within the first store dir.
# If expressed as a percentage, `max-disk-temp-storage` is interpreted
# relative to the size of the storage device on which the first store is
# placed. The temp space usage is never counted towards any store usage
# (although it does share the device with the first store) so, when
# configuring this, make sure that the size of this temp storage plus the size
# of the first store don't exceed the capacity of the storage device.
# If the first store is an in-memory one (i.e. `type=mem`), then this
# temporary "disk" data is also kept in-memory.
# A percentage value is interpreted as a percentage of the available internal
# memory.
# max-disk-temp-storage: 0GB
# Maximum allowed clock offset for the cluster. If observed clock offsets
# exceed this limit, servers will crash to minimize the likelihood of
# reading inconsistent data. Increasing this value will increase the time
# to recovery of failures as well as the frequency of uncertainty-based
# read restarts.
# Note, that this value must be the same on all nodes in the cluster.
# In order to change it, all nodes in the cluster must be stopped
# simultaneously and restarted with the new value.
# max-offset: 500ms
# Maximum memory capacity available to store temporary data for SQL clients,
# including prepared queries and intermediate data rows during query
# execution. Accepts numbers interpreted as bytes, size suffixes
# (e.g. `1GB` and `1GiB`) or a percentage of physical memory (e.g. `.25`).
max-sql-memory: 25%
# An ordered, comma-separated list of key-value pairs that describe the
# topography of the machine. Topography might include country, datacenter
# or rack designations. Data is automatically replicated to maximize
# diversities of each tier. The order of tiers is used to determine
# the priority of the diversity, so the more inclusive localities like
# country should come before less inclusive localities like datacenter.
# The tiers and order must be the same on all nodes. Including more tiers
# is better than including fewer. For example:
# locality: country=us,region=us-west,datacenter=us-west-1b,rack=12
# locality: country=ca,region=ca-east,datacenter=ca-east-2,rack=4
# locality: planet=earth,province=manitoba,colo=secondary,power=3
locality: ""
# Run CockroachDB instances in standalone mode with replication disabled
# (replication factor = 1).
# Enabling this option makes the following values to be ignored:
# - `conf.cluster-name`
# - `conf.disable-cluster-name-verification`
# - `conf.join`
#
# WARNING: Enabling this option makes each deployed Pod as a STANDALONE
# CockroachDB instance, so the StatefulSet does NOT FORM A CLUSTER.
# Don't use this option for production deployments unless you clearly
# understand what you're doing.
# Usually, this option is intended to be used in conjunction with
# `statefulset.replicas: 1` for temporary one-time deployments (like
# running E2E tests, for example).
single-node: false
# If non-empty, create a SQL audit log in the specified directory.
sql-audit-dir: ""
# CockroachDB's port to listen to inter-communications and client connections.
port: 26257
# CockroachDB's port to listen to HTTP requests.
http-port: 8080
# CockroachDB's data mount path.
path: cockroach-data
# CockroachDB's storage configuration https://www.cockroachlabs.com/docs/v21.1/cockroach-start.html#storage
# Uses --store flag
store:
enabled: false
# Should be empty or 'mem'
type:
# Required for type=mem. If type and size is empty - storage.persistentVolume.size is used
size:
# Arbitrary strings, separated by colons, specifying disk type or capability
attrs:
statefulset:
replicas: 3
updateStrategy:
type: RollingUpdate
podManagementPolicy: Parallel
budget:
maxUnavailable: 1
# List of additional command-line arguments you want to pass to the
# `cockroach start` command.
args: []
# - --disable-cluster-name-verification
# List of extra environment variables to pass into container
env: []
# - name: COCKROACH_ENGINE_MAX_SYNC_DURATION
# value: "24h"
# List of Secrets names in the same Namespace as the CockroachDB cluster,
# which shall be mounted into `/etc/cockroach/secrets/` for every cluster
# member.
secretMounts: []
# Additional labels to apply to this StatefulSet and all its Pods.
labels:
app.kubernetes.io/component: cockroachdb
# Additional annotations to apply to the Pods of this StatefulSet.
annotations: {}
# Affinity rules for scheduling Pods of this StatefulSet on Nodes.
# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity
nodeAffinity: {}
# Inter-Pod Affinity rules for scheduling Pods of this StatefulSet.
# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity
podAffinity: {}
# Anti-affinity rules for scheduling Pods of this StatefulSet.
# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#inter-pod-affinity-and-anti-affinity
# You may either toggle options below for default anti-affinity rules,
# or specify the whole set of anti-affinity rules instead of them.
podAntiAffinity:
# The topologyKey to be used.
# Can be used to spread across different nodes, AZs, regions etc.
topologyKey: kubernetes.io/hostname
# Type of anti-affinity rules: either `soft`, `hard` or empty value (which
# disables anti-affinity rules).
type: soft
# Weight for `soft` anti-affinity rules.
# Does not apply for other anti-affinity types.
weight: 100
# Node selection constraints for scheduling Pods of this StatefulSet.
# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
nodeSelector: {}
# PriorityClassName given to Pods of this StatefulSet
# https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
priorityClassName: ""
# Taints to be tolerated by Pods of this StatefulSet.
# https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
# https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
topologySpreadConstraints:
maxSkew: 1
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
# Uncomment the following resources definitions or pass them from
# command line to control the CPU and memory resources allocated
# by Pods of this StatefulSet.
resources: {}
# limits:
# cpu: 100m
# memory: 512Mi
# requests:
# cpu: 100m
# memory: 512Mi
# terminationGracePeriodSeconds is the duration in seconds the Pod needs to terminate gracefully.
terminationGracePeriodSeconds: 300
# Custom Liveness probe
# https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-liveness-http-request
customLivenessProbe: {}
# httpGet:
# path: /health
# port: http
# scheme: HTTPS
# initialDelaySeconds: 30
# periodSeconds: 5
# Custom Rediness probe
# https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes
customReadinessProbe: {}
# httpGet:
# path: /health
# port: http
# scheme: HTTPS
# initialDelaySeconds: 30
# periodSeconds: 5
securityContext:
enabled: true
serviceAccount:
# Specifies whether this ServiceAccount should be created.
create: true
# The name of this ServiceAccount to use.
# If not set and `create` is `true`, then service account is auto-generated.
# If not set and `create` is `false`, then it uses default service account.
name: ""
# Additional serviceAccount annotations (e.g. for attaching AWS IAM roles to pods)
annotations: {}
service:
ports:
# You can set a different external and internal gRPC ports and their name.
grpc:
external:
port: 26257
name: grpc
# If the port number is different than `external.port`, then it will be
# named as `internal.name` in Service.
internal:
port: 26257
# If using Istio set it to `cockroach`.
name: grpc-internal
http:
port: 8080
name: http
# This Service is meant to be used by clients of the database.
# It exposes a ClusterIP that will automatically load balance connections
# to the different database Pods.
public:
type: ClusterIP
# Additional labels to apply to this Service.
labels:
app.kubernetes.io/component: cockroachdb
# Additional annotations to apply to this Service.
annotations: {}
# This service only exists to create DNS entries for each pod in
# the StatefulSet such that they can resolve each other's IP addresses.
# It does not create a load-balanced ClusterIP and should not be used directly
# by clients in most circumstances.
discovery:
# Additional labels to apply to this Service.
labels:
app.kubernetes.io/component: cockroachdb
# Additional annotations to apply to this Service.
annotations: {}
# CockroachDB's ingress for web ui.
ingress:
enabled: false
labels: {}
annotations: {}
# kubernetes.io/ingress.class: nginx
# cert-manager.io/cluster-issuer: letsencrypt
paths: [/]
hosts: []
# - cockroachlabs.com
tls: []
# - hosts: [cockroachlabs.com]
# secretName: cockroachlabs-tls
prometheus:
enabled: true
securityContext:
enabled: true
# CockroachDB's Prometheus operator ServiceMonitor support
serviceMonitor:
enabled: false
labels: {}
annotations: {}
interval: 10s
# scrapeTimeout: 10s
# Limits the ServiceMonitor to the current namespace if set to `true`.
namespaced: false
# tlsConfig: TLS configuration to use when scraping the endpoint.
# Of type: https://github.com/coreos/prometheus-operator/blob/main/Documentation/api.md#tlsconfig
tlsConfig: {}
# CockroachDB's data persistence.
# If neither `persistentVolume` nor `hostPath` is used, then data will be
# persisted in ad-hoc `emptyDir`.
storage:
# Absolute path on host to store CockroachDB's data.
# If not specified, then `emptyDir` will be used instead.
# If specified, but `persistentVolume.enabled` is `true`, then has no effect.
hostPath: ""
# If `enabled` is `true` then a PersistentVolumeClaim will be created and
# used to store CockroachDB's data, otherwise `hostPath` is used.
persistentVolume:
enabled: true
size: 100Gi
# If defined, then `storageClassName: <storageClass>`.
# If set to "-", then `storageClassName: ""`, which disables dynamic
# provisioning.
# If undefined or empty (default), then no `storageClassName` spec is set,
# so the default provisioner will be chosen (gp2 on AWS, standard on
# GKE, AWS & OpenStack).
storageClass: ""
# Additional labels to apply to the created PersistentVolumeClaims.
labels: {}
# Additional annotations to apply to the created PersistentVolumeClaims.
annotations: {}
# Kubernetes Job which initializes multi-node CockroachDB cluster.
# It's not created if `statefulset.replicas` is `1`.
init:
# Additional labels to apply to this Job and its Pod.
labels:
app.kubernetes.io/component: init
# Additional annotations to apply to this Job.
jobAnnotations: {}
# Additional annotations to apply to the Pod of this Job.
annotations: {}
# Affinity rules for scheduling the Pod of this Job.
# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity
affinity: {}
# Node selection constraints for scheduling the Pod of this Job.
# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
nodeSelector: {}
# Taints to be tolerated by the Pod of this Job.
# https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
# The init Pod runs at cluster creation to initialize CockroachDB. It finishes
# quickly and doesn't continue to consume resources in the Kubernetes
# cluster. Normally, you should leave this section commented out, but if your
# Kubernetes cluster uses Resource Quotas and requires all pods to specify
# resource requests or limits, you can set those here.
resources: {}
# requests:
# cpu: "10m"
# memory: "128Mi"
# limits:
# cpu: "10m"
# memory: "128Mi"
# terminationGracePeriodSeconds is the duration in seconds the Pod needs to terminate gracefully.
terminationGracePeriodSeconds: 300
securityContext:
enabled: true
# Setup Physical Cluster Replication (PCR) between primary and standby cluster.
# If isPrimary is set to true, the CockroachDB cluster created is the primary cluster.
# If isPrimary is set to false, the CockroachDB cluster created is the standby cluster.
pcr:
enabled: false
# isPrimary: true
provisioning:
enabled: false
# https://www.cockroachlabs.com/docs/stable/cluster-settings.html
clusterSettings:
# cluster.organization: "'FooCorp - Local Testing'"
# enterprise.license: "'xxxxx'"
users: []
# - name:
# password:
# # https://www.cockroachlabs.com/docs/stable/create-user.html#parameters
# options: [LOGIN]
databases: []
# - name:
# # https://www.cockroachlabs.com/docs/stable/create-database.html#parameters
# options: [encoding='utf-8']
# owners: []
# # https://www.cockroachlabs.com/docs/stable/grant.html#parameters
# owners_with_grant_option: []
# # Backup schedules are not idemponent for now and will fail on next run
# # https://github.com/cockroachdb/cockroach/issues/57892
# backup:
# into: s3://
# # Enterprise-only option (revision_history)
# # https://www.cockroachlabs.com/docs/stable/create-schedule-for-backup.html#backup-options
# options: [revision_history]
# recurring: '@always'
# # Enterprise-only feature. Remove this value to use `FULL BACKUP ALWAYS`
# fullBackup: '@daily'
# schedule:
# # https://www.cockroachlabs.com/docs/stable/create-schedule-for-backup.html#schedule-options
# options: [first_run = 'now']
# Whether to run securely using TLS certificates.
tls:
enabled: true
copyCerts:
image: busybox
certs:
# Bring your own certs scenario. If provided, tls.init section will be ignored.
provided: false
# Secret name for the client root cert.
clientRootSecret: cockroachdb-root
# Secret name for node cert.
nodeSecret: cockroachdb-node
# Secret name for CA cert
caSecret: cockroach-ca
# Enable if the secret is a dedicated TLS.
# TLS secrets are created by cert-mananger, for example.
tlsSecret: false
# Enable if the you want cockroach db to create its own certificates
selfSigner:
# If set, the cockroach db will generate its own certificates
enabled: true
# Run selfSigner as non-root
securityContext:
enabled: true
# If set, the user should provide the CA certificate to sign other certificates.
caProvided: false
# It holds the name of the secret with caCerts. If caProvided is set, this can not be empty.
caSecret: ""
# Minimum Certificate duration for all the certificates, all certs duration will be validated against this.
minimumCertDuration: 624h
# Duration of CA certificates in hour
caCertDuration: 43800h
# Expiry window of CA certificates means a window before actual expiry in which CA certs should be rotated.
caCertExpiryWindow: 648h
# Duration of Client certificates in hour
clientCertDuration: 672h
# Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.
clientCertExpiryWindow: 48h
# Duration of node certificates in hour
nodeCertDuration: 8760h
# Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.
nodeCertExpiryWindow: 168h
# If set, the cockroachdb cert selfSigner will rotate the certificates before expiry.
rotateCerts: true
# Wait time for each cockroachdb replica to become ready once it comes in running state. Only considered when rotateCerts is set to true
readinessWait: 30s
# Wait time for each cockroachdb replica to get to running state. Only considered when rotateCerts is set to true
podUpdateTimeout: 2m
# ServiceAccount annotations for selfSigner jobs (e.g. for attaching AWS IAM roles to pods)
svcAccountAnnotations: {}
# Use cert-manager to issue certificates for mTLS.
certManager: false
# Specify an Issuer or a ClusterIssuer to use, when issuing
# node and client certificates. The values correspond to the
# issuerRef specified in the certificate.
certManagerIssuer:
group: cert-manager.io
kind: Issuer
name: cockroachdb
# Make it false when you are providing your own CA issuer
isSelfSignedIssuer: true
# Duration of CA certificates in hour
caCertDuration: 43800h
# Expiry window of CA certificates means a window before actual expiry in which CA certs should be rotated.
caCertExpiryWindow: 648h
# Duration of Client certificates in hours
clientCertDuration: 672h
# Expiry window of client certificates means a window before actual expiry in which client certs should be rotated.
clientCertExpiryWindow: 48h
# Duration of node certificates in hours
nodeCertDuration: 8760h
# Expiry window of node certificates means a window before actual expiry in which node certs should be rotated.
nodeCertExpiryWindow: 168h
selfSigner:
# Additional labels to apply to the Pod of this Job.
labels: {}
# Additional annotations to apply to the Pod of this Job.
annotations: {}
# Affinity rules for scheduling the Pod of this Job.
# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#node-affinity
affinity: {}
# Node selection constraints for scheduling the Pod of this Job.
# https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
nodeSelector: {}
# Taints to be tolerated by the Pod of this Job.
# https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
tolerations: []
# Image Placeholder for the selfSigner utility. This will be changed once the CI workflows for the image is in place.
image:
repository: cockroachlabs-helm-charts/cockroach-self-signer-cert
tag: "1.5"
pullPolicy: IfNotPresent
credentials: {}
registry: gcr.io
# username: john_doe
# password: changeme
networkPolicy:
enabled: false
ingress:
# List of sources which should be able to access the CockroachDB Pods via
# gRPC port. Items in this list are combined using a logical OR operation.
# Rules for allowing inter-communication are applied automatically.
# If empty, then connections from any Pod is allowed.
grpc: []
# - podSelector:
# matchLabels:
# app.kubernetes.io/name: my-app-django
# app.kubernetes.io/instance: my-app
# List of sources which should be able to access the CockroachDB Pods via
# HTTP port. Items in this list are combined using a logical OR operation.
# If empty, then connections from any Pod is allowed.
http: []
# - namespaceSelector:
# matchLabels:
# project: my-project
# To put the admin interface behind Identity Aware Proxy (IAP) on Google Cloud Platform
# make sure to set ingress.paths: ['/*']
iap:
enabled: false
# Create Google Cloud OAuth credentials and set client id and secret
# clientId:
# clientSecret:
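Review bot: `networkPolicy.enabled` defaults to `false`, and the `ingress.grpc` / `ingress.http` allow-lists only take effect once it is on, so with the shipped defaults any pod in the cluster can reach the gRPC/SQL and HTTP ports and TLS is the only control in front of the database; either default it to `true` or call the default out in the README next to the TLS section. Two secrets are also taken as plain chart values, `tls.certs.selfSigner.image.credentials.username` / `.password` and `iap.clientId` / `iap.clientSecret`; anything passed as a value is persisted in the Helm release Secret and printed by `helm get values`, so a reference to a pre-created Secret would be the safer interface for both. Minor: "cert-mananger" and "Enable if the you want" are typos, "connections from any Pod is allowed" should read "are allowed", and the "Image Placeholder ... will be changed once the CI workflows for the image is in place" comment reads as stale for an image already tagged `1.5`.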

View File

@ -0,0 +1,25 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
tests/

View File

@ -0,0 +1,23 @@
annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Dynatrace Operator
catalog.cattle.io/kube-version: '>=1.19.0-0'
catalog.cattle.io/release-name: dynatrace-operator
apiVersion: v2
appVersion: 1.3.0
description: The Dynatrace Operator Helm chart for Kubernetes and OpenShift
home: https://www.dynatrace.com/
icon: file://assets/icons/dynatrace-operator.png
kubeVersion: '>=1.19.0-0'
maintainers:
- email: marcell.sevcsik@dynatrace.com
name: 0sewa0
- email: christoph.muellner@dynatrace.com
name: chrismuellner
- email: lukas.hinterreiter@dynatrace.com
name: luhi-DT
name: dynatrace-operator
sources:
- https://github.com/Dynatrace/dynatrace-operator
type: application
version: 1.3.0

View File

@ -0,0 +1,48 @@
# Dynatrace Operator Helm Chart
The Dynatrace Operator supports rollout and lifecycle of various Dynatrace components in Kubernetes and OpenShift.
This Helm Chart requires Helm 3.
## Quick Start
Migration instructions can be found in the [official help page](https://www.dynatrace.com/support/help/shortlink/k8s-dto-helm#migrate).
Install the Dynatrace Operator via Helm by running the following commands.
### Installation
> For instructions on how to install the dynatrace-operator on Openshift, head to the
> [official help page](https://www.dynatrace.com/support/help/shortlink/k8s-helm)
#### For versions older than 0.15.0
Add `dynatrace` helm repository:
```console
helm repo add dynatrace https://raw.githubusercontent.com/Dynatrace/dynatrace-operator/main/config/helm/repos/stable
```
Install `dynatrace-operator` helm chart and create the corresponding `dynatrace` namespace:
```console
helm install dynatrace-operator dynatrace/dynatrace-operator -n dynatrace --create-namespace --atomic
```
#### For versions 0.15.0 and after
Install `dynatrace-operator` helm chart using the OCI repository and create the corresponding `dynatrace` namespace:
```console
helm install dynatrace-operator oci://public.ecr.aws/dynatrace/dynatrace-operator -n dynatrace --create-namespace --atomic
```
## Uninstall chart
> Full instructions can be found in the [official help page](https://www.dynatrace.com/support/help/shortlink/k8s-helm#uninstall-dynatrace-operator)
Uninstall the Dynatrace Operator by running the following command:
```console
helm uninstall dynatrace-operator -n dynatrace
```
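Review bot: the OCI install command carries no `--version`, so every run pulls whatever the newest chart at `public.ecr.aws/dynatrace/dynatrace-operator` happens to be; for a chart that installs CRDs, a mutating webhook and a CSI driver, suggest pinning it (`--version 1.3.0` for this chart) and pointing readers at `helm show chart oci://...` to inspect what will be installed. The "For versions older than 0.15.0" path installs from a raw GitHub URL on the `main` branch, which is unpinned in a different way; marking it as legacy would steer new users to the OCI path. Structurally, the "Migration instructions" sentence sits under Quick Start before any install step and would read better as its own subsection after Installation.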

View File

@ -0,0 +1,5 @@
# Dynatrace Operator
The Dynatrace Operator supports rollout and lifecycle of various Dynatrace components in Kubernetes and OpenShift.
As of launch, the Dynatrace Operator can be used to deploy a containerized ActiveGate for Kubernetes API monitoring. New capabilities will be added to the Dynatrace Operator over time including metric routing, and API monitoring for AWS, Azure, GCP, and vSphere.

Binary file not shown.



View File

@ -0,0 +1,236 @@
categories:
- APM
- Monitoring
questions:
#################### Global Configuration ####################
- variable: installCRD
label: "Install Custom Resource Definitions"
description: "Installs the Custom Resource Definitions for the Dynakube. This is recommended if you haven't installed it manually yet. Default: true"
default: true
type: boolean
group: "Global Configuration"
- variable: image
label: "Set a custom image for operator components"
description: "Set a custom image for operator. Defaults to public.ecr.aws/dynatrace/dynatrace-operator"
default: ""
type: string
group: "Global Configuration"
- variable: customPullSecret
label: "Set a custom pull secret for operator image"
description: "Set a custom pull secret for the operator image"
default: ""
type: string
group: "Global Configuration"
#################### Operator Deployment Configuration ####################
- variable: operator.nodeSelector
label: "Assign the Dynatrace Operator's pod to certain nodes"
description: "Defines a NodeSelector to customize to which nodes the Dynatrace Operator can be deployed on - Please edit as Yaml for the best experience - see https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector"
default: ""
type: string
group: "Operator Deployment Configuration"
- variable: operator.tolerations
label: "Custom tolerations for the Dynatrace Operator's pod"
description: "Defines custom tolerations to the Dynatrace Operator - Please edit as Yaml for the best experience - see https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/"
default: ""
type: string
group: "Operator Deployment Configuration"
- variable: operator.apparmor
label: "Enable AppArmor for the Dynatrace Operator's pod"
description: "Adds AppArmor security annotations to the Dynatrace Operator's pod. Default: false"
default: false
type: boolean
group: "Operator Deployment Configuration"
- variable: operator.requests.cpu
label: "CPU resource requests settings for Dynatrace Operator's pods"
description: "The minimum amount of CPU resources that the Dynatrace Operator's pods should request. Affects scheduling. Default: 50m"
default: "50m"
type: string
group: "Operator Deployment Configuration"
- variable: operator.requests.memory
label: "Memory resource requests settings for Dynatrace Operator's pods"
description: "The minimum amount of memory that the Dynatrace Operator's pods should request. Affects scheduling. Default: 64Mi"
default: "64Mi"
type: string
group: "Operator Deployment Configuration"
- variable: operator.limits.cpu
label: "CPU resource limits settings for Dynatrace Operator's pods"
description: "The maximum amount of CPU resources that the Dynatrace Operator's pods can use. Default: 100m"
default: "100m"
type: string
group: "Operator Deployment Configuration"
- variable: operator.limits.memory
label: "Memory resource limits settings for Dynatrace Operator's pods"
description: "The maximum amount of memory that the Dynatrace Operator's pods can use. Pod restarted if exceeded. Default: 128Mi"
default: "128Mi"
type: string
group: "Operator Deployment Configuration"
#################### Webhook Deployment Configuration ####################
- variable: webhook.apparmor
label: "Enable AppArmor for the Dynatrace Webhook's pod"
description: "Adds AppArmor security annotations to the Dynatrace Webhook's pod. Default: false"
default: false
type: boolean
group: "Webhook Deployment Configuration"
- variable: webhook.highAvailability
label: "Enable high availability for the Dynatrace Webhook's pod"
description: "Adds topologySpreadConstraints and increases the replicas to 2 for the Dynatrace Webhook's pod. Default: false"
default: false
type: boolean
group: "Webhook Deployment Configuration"
- variable: webhook.hostNetwork
label: "Enable hostNetwork for the Dynatrace Webhook's pod"
description: "Enables hostNetwork for the Dynatrace Webhook's pod. Default: false"
default: false
type: boolean
group: "Webhook Deployment Configuration"
- variable: webhook.requests.cpu
label: "CPU resource requests settings for Dynatrace Webhook's pods"
description: "The minimum amount of CPU resources that the Dynatrace Webhook's pods should request. Affects scheduling. Default: 300m"
default: "300m"
type: string
group: "Webhook Deployment Configuration"
- variable: webhook.requests.memory
label: "Memory resource requests settings for Dynatrace Webhook's pods"
description: "The minimum amount of memory that the Dynatrace Webhook's pods should request. Affects scheduling. Default: 128Mi"
default: "128Mi"
type: string
group: "Webhook Deployment Configuration"
- variable: webhook.limits.cpu
label: "CPU resource limits settings for Dynatrace Webhook's pods"
description: "The maximum amount of CPU resources that the Dynatrace Webhook's pods can use. Default: 300m"
default: "300m"
type: string
group: "Webhook Deployment Configuration"
- variable: webhook.limits.memory
label: "Memory resource limits settings for Dynatrace Webhook's pods"
description: "The maximum amount of memory that the Dynatrace Webhook's pods can use. Pod restarted if exceeded. Default: 128Mi"
default: "128Mi"
type: string
group: "Webhook Deployment Configuration"
#################### CSI Driver Deployment Configuration ####################
- variable: csidriver.enabled
label: "Deploy the Dynatrace CSI Driver"
description: "Deploys the Dynatrace CSI Driver via a DaemonSet to enable Cloud Native FullStack. Default: false"
default: false
type: boolean
group: "CSI Driver Deployment Configuration"
- variable: csidriver.server.requests.cpu
label: "CPU resource requests settings for Dynatrace CSI Driver's server container"
description: "The minimum amount of CPU resources that the Dynatrace CSI Driver's server container should request. Affects scheduling. Default: 50m"
default: "50m"
type: string
group: "CSI Driver Deployment Configuration"
- variable: csidriver.server.requests.memory
label: "Memory resource requests settings for Dynatrace CSI Driver's server container"
description: "The minimum amount of memory that the Dynatrace CSI Driver's server container should request. Affects scheduling. Default: 100Mi"
default: "100Mi"
type: string
group: "CSI Driver Deployment Configuration"
- variable: csidriver.server.limits.cpu
label: "CPU resource limits settings for Dynatrace CSI Driver's server container"
description: "The maximum amount of CPU resources that the Dynatrace CSI Driver's server container can use. Default: 50m"
default: "50m"
type: string
group: "CSI Driver Deployment Configuration"
- variable: csidriver.server.limits.memory
label: "Memory resource limits settings for Dynatrace CSI Driver's server container"
description: "The maximum amount of memory that the Dynatrace CSI Driver's server container can use. Pod restarted if exceeded. Default: 100Mi"
default: "100Mi"
type: string
group: "CSI Driver Deployment Configuration"
- variable: csidriver.provisioner.requests.cpu
label: "CPU resource requests settings for Dynatrace CSI Driver's provisioner container"
description: "The minimum amount of CPU resources that the Dynatrace CSI Driver's provisioner container should request. Affects scheduling. Default: 300m"
default: "300m"
type: string
group: "CSI Driver Deployment Configuration"
- variable: csidriver.provisioner.requests.memory
label: "Memory resource requests settings for Dynatrace CSI Driver's provisioner container"
description: "The minimum amount of memory that the Dynatrace CSI Driver's provisioner container should request. Affects scheduling. Default: 100Mi"
default: "100Mi"
type: string
group: "CSI Driver Deployment Configuration"
- variable: csidriver.registrar.requests.cpu
label: "CPU resource requests settings for Dynatrace CSI Driver's registrar container"
description: "The minimum amount of CPU resources that the Dynatrace CSI Driver's registrar container should request. Affects scheduling. Default: 20m"
default: "20m"
type: string
group: "CSI Driver Deployment Configuration"
- variable: csidriver.registrar.requests.memory
label: "Memory resource requests settings for Dynatrace CSI Driver's registrar container"
description: "The minimum amount of memory that the Dynatrace CSI Driver's registrar container should request. Affects scheduling. Default: 30Mi"
default: "30Mi"
type: string
group: "CSI Driver Deployment Configuration"
- variable: csidriver.registrar.limits.cpu
label: "CPU resource limits settings for Dynatrace CSI Driver's registrar container"
description: "The maximum amount of CPU resources that the Dynatrace CSI Driver's registrar container can use. Default: 20m"
default: "20m"
type: string
group: "CSI Driver Deployment Configuration"
- variable: csidriver.registrar.limits.memory
label: "Memory resource limits settings for Dynatrace CSI Driver's registrar container"
description: "The maximum amount of memory that the Dynatrace CSI Driver's registrar container can use. Pod restarted if exceeded. Default: 30Mi"
default: "30Mi"
type: string
group: "CSI Driver Deployment Configuration"
- variable: csidriver.livenessprobe.requests.cpu
label: "CPU resource requests settings for Dynatrace CSI Driver's livenessprobe container"
description: "The minimum amount of CPU resources that the Dynatrace CSI Driver's livenessprobe container should request. Affects scheduling. Default: 20m"
default: "20m"
type: string
group: "CSI Driver Deployment Configuration"
- variable: csidriver.livenessprobe.requests.memory
label: "Memory resource requests settings for Dynatrace CSI Driver's livenessprobe container"
description: "The minimum amount of memory that the Dynatrace CSI Driver's livenessprobe container should request. Affects scheduling. Default: 30Mi"
default: "30Mi"
type: string
group: "CSI Driver Deployment Configuration"
- variable: csidriver.livenessprobe.limits.cpu
label: "CPU resource limits settings for Dynatrace CSI Driver's livenessprobe container"
description: "The maximum amount of CPU resources that the Dynatrace CSI Driver's livenessprobe container can use. Default: 20m"
default: "20m"
type: string
group: "CSI Driver Deployment Configuration"
- variable: csidriver.livenessprobe.limits.memory
label: "Memory resource limits settings for Dynatrace CSI Driver's livenessprobe container"
description: "The maximum amount of memory that the Dynatrace CSI Driver's livenessprobe container can use. Pod restarted if exceeded. Default: 30Mi"
default: "30Mi"
type: string
group: "CSI Driver Deployment Configuration"
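Review bot: none of the AppArmor questions maps to the value the CSI DaemonSet actually reads. The questions expose `operator.apparmor` and `webhook.apparmor`, while the DaemonSet template in this same commit gates its `container.apparmor.security.beta.kubernetes.io/*` annotations on top-level `.Values.apparmor`, so a Rancher user who enables both questions still gets an unconfined CSI driver on non-OpenShift nodes; add a question for `apparmor` (or have the template check a `csidriver.apparmor` key and expose that). The resource questions are also uneven: `csidriver.provisioner` has requests but no limits questions, whereas server, registrar and livenessprobe have both. Minor: the `webhook.hostNetwork` description could state that this places the webhook in the node's network namespace, since that is the trade-off the user is accepting.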

View File

@ -0,0 +1,47 @@
{{- if (eq (include "dynatrace-operator.openshiftOrOlm" .) "true") }}
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dynatrace-activegate
labels:
{{- include "dynatrace-operator.activegateLabels" . | nindent 4 }}
rules:
- apiGroups:
- security.openshift.io
resourceNames:
- privileged
- nonroot-v2
resources:
- securitycontextconstraints
verbs:
- use
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dynatrace-activegate
labels:
{{- include "dynatrace-operator.activegateLabels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: dynatrace-activegate
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: dynatrace-activegate
apiGroup: rbac.authorization.k8s.io
{{- end -}}
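Review bot: the ActiveGate ServiceAccount is granted `use` on both the `privileged` and the `nonroot-v2` SCC. `nonroot-v2` is what a non-root ActiveGate needs; `privileged` additionally lets any pod that runs under this ServiceAccount request the full privileged SCC. Unless a documented ActiveGate capability requires it, drop `privileged` from `resourceNames`, or gate it behind a value so that the default binding is the narrower SCC.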

View File

@ -0,0 +1,20 @@
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ServiceAccount
metadata:
name: dynatrace-activegate
namespace: {{ .Release.Namespace }}
labels:
{{- include "dynatrace-operator.activegateLabels" . | nindent 4 }}

View File

@ -0,0 +1,47 @@
{{ if eq (include "dynatrace-operator.needCSI" .) "true" }}
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dynatrace-oneagent-csi-driver
labels:
{{- include "dynatrace-operator.csiLabels" . | nindent 4 }}
rules:
{{- if (eq (include "dynatrace-operator.platform" .) "openshift") }}
- apiGroups:
- security.openshift.io
resourceNames:
- privileged
resources:
- securitycontextconstraints
verbs:
- use
{{ end }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dynatrace-oneagent-csi-driver
labels:
{{- include "dynatrace-operator.csiLabels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: dynatrace-oneagent-csi-driver
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: dynatrace-oneagent-csi-driver
apiGroup: rbac.authorization.k8s.io
{{- end -}}
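Review bot: on non-OpenShift platforms this file still renders a ClusterRole with `rules: null` plus a ClusterRoleBinding to it. It is harmless, but it is cluster-scoped noise that will make every RBAC audit ask why the CSI ServiceAccount has a ClusterRole; wrapping the whole file in the `openshift` platform check (the ServiceAccount and the namespaced Role live in separate files) keeps the cluster-scoped objects OpenShift-only. The `privileged` SCC grant itself is justified by the `mountPropagation: Bidirectional` mounts in the DaemonSet, which is worth stating in a comment here so the two files explain each other.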

View File

@ -0,0 +1,29 @@
{{ if eq (include "dynatrace-operator.needCSI" .) "true" }}
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: storage.k8s.io/v1
kind: CSIDriver
metadata:
name: csi.oneagent.dynatrace.com
labels:
{{- if eq (include "dynatrace-operator.platform" .) "openshift" }}
security.openshift.io/csi-ephemeral-volume-profile: "restricted"
{{- end }}
{{- include "dynatrace-operator.csiLabels" . | nindent 4 }}
spec:
attachRequired: false
podInfoOnMount: true
volumeLifecycleModes:
- Ephemeral
{{- end -}}

View File

@ -0,0 +1,280 @@
{{ if eq (include "dynatrace-operator.needCSI" .) "true" }}
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apps/v1
kind: DaemonSet
metadata:
annotations:
{{- if .Values.csidriver.annotations }}
{{- toYaml .Values.csidriver.annotations | nindent 4 }}
{{- end }}
labels:
{{- include "dynatrace-operator.csiLabels" . | nindent 4 }}
{{- if .Values.csidriver.labels }}
{{- toYaml .Values.csidriver.labels | nindent 4 }}
{{- end}}
name: dynatrace-oneagent-csi-driver
namespace: {{ .Release.Namespace }}
spec:
revisionHistoryLimit: 10
selector:
matchLabels:
{{- include "dynatrace-operator.csiSelectorLabels" . | nindent 6 }}
template:
metadata:
annotations:
dynatrace.com/inject: "false"
kubectl.kubernetes.io/default-container: provisioner
cluster-autoscaler.kubernetes.io/enable-ds-eviction: "false"
{{- if and (eq (default false .Values.apparmor) true) (ne (include "dynatrace-operator.platform" .) "openshift") }}
container.apparmor.security.beta.kubernetes.io/csi-init: runtime/default
container.apparmor.security.beta.kubernetes.io/server: runtime/default
container.apparmor.security.beta.kubernetes.io/provisioner: runtime/default
container.apparmor.security.beta.kubernetes.io/registrar: runtime/default
container.apparmor.security.beta.kubernetes.io/liveness-probe: runtime/default
{{- end}}
{{- if .Values.csidriver.annotations }}
{{- toYaml .Values.csidriver.annotations | nindent 8 }}
{{- end }}
labels:
{{- include "dynatrace-operator.csiLabels" . | nindent 8 }}
{{- include "dynatrace-operator.csiSelectorLabels" . | nindent 8 }}
{{- if .Values.csidriver.labels }}
{{- toYaml .Values.csidriver.labels | nindent 8 }}
{{- end }}
spec:
initContainers:
- name: csi-init
image: {{ include "dynatrace-operator.image" . }}
imagePullPolicy: Always
args:
- csi-init
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
resources:
{{- if .Values.csidriver.csiInit.resources }}
{{- toYaml .Values.csidriver.csiInit.resources | nindent 10 }}
{{- end }}
securityContext:
{{- toYaml .Values.csidriver.csiInit.securityContext| nindent 10 }}
volumeMounts:
- mountPath: /data
name: data-dir
containers:
# Used to receive/execute gRPC requests (NodePublishVolume/NodeUnpublishVolume) from kubelet to mount/unmount volumes for a pod
# - Needs access to the csi socket, needs to read/write to it, needs root permissions to do so.
# - Needs access to the filesystem of pods on the node, and mount stuff to it,needs to read/write to it, needs root permissions to do so
# - Needs access to a dedicated folder on the node to persist data, needs to read/write to it.
- name: server
image: {{ include "dynatrace-operator.image" . }}
imagePullPolicy: Always
args:
- csi-server
- --endpoint=unix://csi/csi.sock
- --node-id=$(KUBE_NODE_NAME)
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
- name: KUBE_NODE_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: spec.nodeName
livenessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: healthz
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 1
ports:
- containerPort: 9808
name: healthz
- containerPort: 8080
name: metrics
resources:
{{- if .Values.csidriver.server.resources }}
{{- toYaml .Values.csidriver.server.resources | nindent 10 }}
{{- end }}
securityContext:
{{- toYaml .Values.csidriver.server.securityContext | nindent 10 }}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /csi
name: plugin-dir
- mountPath: {{ include "dynatrace-operator.CSIMountPointDir" . }}
mountPropagation: Bidirectional
name: mountpoint-dir
- mountPath: /data
name: data-dir
mountPropagation: Bidirectional
- name: tmp-dir
mountPath: /tmp
- name: provisioner
image: {{ include "dynatrace-operator.image" . }}
imagePullPolicy: Always
args:
- csi-provisioner
- --health-probe-bind-address=:10090
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
{{- if .Values.csidriver.maxUnmountedVolumeAge }}
- name: MAX_UNMOUNTED_VOLUME_AGE
value: "{{ .Values.csidriver.maxUnmountedVolumeAge}}"
{{- end }}
{{- include "dynatrace-operator.startupProbe" . | nindent 8 }}
livenessProbe:
failureThreshold: 3
httpGet:
path: /livez
port: livez
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 1
ports:
- name: livez
containerPort: 10090
- name: metrics
containerPort: 8090
resources:
{{- if .Values.csidriver.provisioner.resources }}
{{- toYaml .Values.csidriver.provisioner.resources | nindent 10 }}
{{- end }}
securityContext:
{{- toYaml .Values.csidriver.provisioner.securityContext | nindent 10 }}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /data
name: data-dir
mountPropagation: Bidirectional
- mountPath: /tmp
name: tmp-dir
# Used to make a gRPC request (GetPluginInfo()) to the driver to get driver name and driver contain
# - Needs access to the csi socket, needs to read/write to it, needs root permissions to do so.
# Used for registering the driver with kubelet
# - Needs access to the registration socket, needs to read/write to it, needs root permissions to do so.
- name: registrar
image: {{ include "dynatrace-operator.image" . }}
imagePullPolicy: Always
env:
- name: DRIVER_REG_SOCK_PATH
value: {{ include "dynatrace-operator.CSISocketPath" . }}
args:
- --csi-address=/csi/csi.sock
- --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
command:
- csi-node-driver-registrar
resources:
{{- if .Values.csidriver.registrar.resources }}
{{- toYaml .Values.csidriver.registrar.resources | nindent 10 }}
{{- end }}
securityContext:
{{- toYaml .Values.csidriver.registrar.securityContext | nindent 10 }}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /csi
name: plugin-dir
- mountPath: /registration
name: registration-dir
- mountPath: {{ include "dynatrace-operator.CSIPluginDir" . }}
name: lockfile-dir
# Used to make a gRPC request (Probe()) to the driver to check if its running
# - Needs access to the csi socket, needs to read/write to it, needs root permissions to do so.
- name: liveness-probe
image: {{ include "dynatrace-operator.image" . }}
imagePullPolicy: Always
args:
- --csi-address=/csi/csi.sock
- --health-port=9808
command:
- livenessprobe
resources:
{{- if .Values.csidriver.livenessprobe.resources }}
{{- toYaml .Values.csidriver.livenessprobe.resources | nindent 10 }}
{{- end }}
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
securityContext:
{{- toYaml .Values.csidriver.livenessprobe.securityContext| nindent 10 }}
volumeMounts:
- mountPath: /csi
name: plugin-dir
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
serviceAccountName: dynatrace-oneagent-csi-driver
terminationGracePeriodSeconds: 30
priorityClassName: {{ include "dynatrace-operator.CSIPriorityClassName" . }}
volumes:
# This volume is where the registrar registers the plugin with kubelet
- name: registration-dir
hostPath:
path: {{ include "dynatrace-operator.CSIRegistrationDir" . }}
type: Directory
# This volume is where the socket for kubelet->driver communication is done
- name: plugin-dir
hostPath:
path: {{ include "dynatrace-operator.CSIPluginDir" . }}
type: DirectoryOrCreate
- name: data-dir
hostPath:
path: {{ include "dynatrace-operator.CSIDataDir" . }}
type: DirectoryOrCreate
# This volume is where the driver mounts volumes
- name: mountpoint-dir
hostPath:
path: {{ include "dynatrace-operator.CSIMountPointDir" . }}
type: DirectoryOrCreate
# Used by the registrar to create its lockfile
- name: lockfile-dir
emptyDir: {}
# A volume for the driver to write temporary files to
- name: tmp-dir
emptyDir: {}
{{- if .Values.customPullSecret }}
imagePullSecrets:
- name: {{ .Values.customPullSecret }}
{{- end }}
{{- if .Values.csidriver.nodeSelector }}
nodeSelector: {{- toYaml .Values.csidriver.nodeSelector | nindent 8 }}
{{- end }}
{{- include "dynatrace-operator.nodeAffinity" . | nindent 6 }}
tolerations:
{{- if .Values.csidriver.tolerations }}
{{- toYaml .Values.csidriver.tolerations | nindent 8 }}
{{- end }}
{{- include "dynatrace-operator.defaultTolerations" . | nindent 8 }}
- key: ToBeDeletedByClusterAutoscaler
operator: Exists
effect: NoSchedule
updateStrategy:
{{- toYaml .Values.csidriver.updateStrategy | nindent 4 }}
{{- end -}}
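Review bot: the `server` and `provisioner` containers mount `data-dir` and `mountpoint-dir` with `mountPropagation: Bidirectional`, which the kubelet only accepts for privileged containers, yet every container's `securityContext` is spliced in verbatim from values, so the effective privilege of this DaemonSet cannot be reviewed from this file; a comment naming the values defaults (or a `required` on the privileged containers' securityContext) would help. `imagePullPolicy: Always` on all five containers means each pod restart re-resolves the tag; if `dynatrace-operator.image` renders a digest that is fine, otherwise a re-pointed tag would be picked up silently between restarts. Minor: the registrar comment "driver name and driver contain" is cut off.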

View File

@ -0,0 +1,23 @@
{{ if (eq (include "dynatrace-operator.needPriorityClass" .) "true") }}
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
kind: PriorityClass
apiVersion: scheduling.k8s.io/v1
metadata:
name: dynatrace-high-priority
value: {{ default 1000000 (int (.Values.csidriver).priorityClassValue) }}
globalDefault: false
description: "This priority class is used for Dynatrace Components in order to make sure they are not evicted in favor of other pods"
{{- end -}}
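Review bot: `default 1000000 (int ...)` silently replaces an explicit `priorityClassValue: 0` with 1000000, because Helm's `default` treats 0 as empty; if 0 is meant to be a valid value, test for presence with `hasKey .Values.csidriver "priorityClassValue"` instead. Separately, the PriorityClass is cluster-scoped and its name does not include the release, so two releases in one cluster will fight over `dynatrace-high-priority`.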

View File

@ -0,0 +1,70 @@
{{ if eq (include "dynatrace-operator.needCSI" .) "true" }}
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dynatrace-oneagent-csi-driver
namespace: {{ .Release.Namespace }}
labels:
{{- include "dynatrace-operator.csiLabels" . | nindent 4 }}
rules:
- apiGroups:
- dynatrace.com
resources:
- dynakubes
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: dynatrace-oneagent-csi-driver
namespace: {{ .Release.Namespace }}
labels:
{{- include "dynatrace-operator.csiLabels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: dynatrace-oneagent-csi-driver
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: dynatrace-oneagent-csi-driver
apiGroup: rbac.authorization.k8s.io
{{- end -}}
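Review bot: the `secrets` rule (`get`, `list`, `watch`, no `resourceNames`) in Role `dynatrace-oneagent-csi-driver` lets the CSI driver read every Secret in `{{ .Release.Namespace }}`, not only the ones it provisions from; the operator and webhook ClusterRoles elsewhere in this change restrict secret access to `dynatrace-dynakube-config` and `dynatrace-metadata-enrichment-endpoint`, so if the driver only needs known names, apply the same `resourceNames` restriction to `get` here and keep the unrestricted verbs to whatever an informer genuinely requires.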

View File

@ -0,0 +1,22 @@
{{ if eq (include "dynatrace-operator.needCSI" .) "true" }}
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ServiceAccount
metadata:
name: dynatrace-oneagent-csi-driver
namespace: {{ .Release.Namespace }}
labels:
{{- include "dynatrace-operator.csiLabels" . | nindent 4 }}
{{- end -}}

View File

@ -0,0 +1,20 @@
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ServiceAccount
metadata:
name: dynatrace-edgeconnect
namespace: {{ .Release.Namespace }}
labels:
{{- include "dynatrace-operator.operatorLabels" . | nindent 4 }}

View File

@ -0,0 +1,114 @@
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: dynatrace-kubernetes-monitoring
labels:
{{- include "dynatrace-operator.activegateLabels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- nodes
- pods
- namespaces
- replicationcontrollers
- events
- resourcequotas
- pods/proxy
- nodes/proxy
- nodes/metrics
- services
verbs:
- list
- watch
- get
- apiGroups:
- batch
resources:
- jobs
- cronjobs
verbs:
- list
- watch
- get
- apiGroups:
- apps
resources:
- deployments
- replicasets
- statefulsets
- daemonsets
verbs:
- list
- watch
- get
- apiGroups:
- apps.openshift.io
resources:
- deploymentconfigs
verbs:
- list
- watch
- get
- apiGroups:
- config.openshift.io
resources:
- clusterversions
verbs:
- list
- watch
- get
- apiGroups:
- dynatrace.com
resources:
- dynakubes
verbs:
- list
- watch
- get
- nonResourceURLs:
- /metrics
- /version
- /readyz
- /livez
verbs:
- get
{{- if (eq (include "dynatrace-operator.openshiftOrOlm" .) "true") }}
- apiGroups:
- security.openshift.io
resourceNames:
- privileged
- nonroot-v2
resources:
- securitycontextconstraints
verbs:
- use
{{ end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dynatrace-kubernetes-monitoring
labels:
{{- include "dynatrace-operator.activegateLabels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: dynatrace-kubernetes-monitoring
subjects:
- kind: ServiceAccount
name: dynatrace-kubernetes-monitoring
namespace: {{ .Release.Namespace }}
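Review bot: the first rule of ClusterRole `dynatrace-kubernetes-monitoring` grants `get` on `nodes/proxy` and `pods/proxy`, which lets the monitoring service account reach kubelet and pod endpoints through the API server proxy, considerably more than the `nodes/metrics` subresource and the `/metrics` non-resource URL already listed; if the ActiveGate only scrapes metrics, document why the proxy subresources are required. In the OpenShift block, `privileged` is granted next to `nonroot-v2` for the same service account; one SCC is normally enough, so state which one the ActiveGate pod actually needs and drop the other.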

View File

@ -0,0 +1,20 @@
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ServiceAccount
metadata:
name: dynatrace-kubernetes-monitoring
namespace: {{ .Release.Namespace }}
labels:
{{- include "dynatrace-operator.activegateLabels" . | nindent 4 }}

View File

@ -0,0 +1,45 @@
{{- if (eq (include "dynatrace-operator.openshiftOrOlm" .) "true") }}
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: dynatrace-dynakube-oneagent
labels:
{{- include "dynatrace-operator.oneagentLabels" . | nindent 4 }}
rules:
- apiGroups:
- security.openshift.io
resourceNames:
- privileged
resources:
- securitycontextconstraints
verbs:
- use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dynatrace-dynakube-oneagent
labels:
{{- include "dynatrace-operator.oneagentLabels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: dynatrace-dynakube-oneagent
namespace: {{ .Release.Namespace }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: dynatrace-dynakube-oneagent
{{ end }}

View File

@ -0,0 +1,21 @@
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ServiceAccount
metadata:
name: dynatrace-dynakube-oneagent
namespace: {{ .Release.Namespace }}
labels:
{{- include "dynatrace-operator.oneagentLabels" . | nindent 4 }}
automountServiceAccountToken: false
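Review bot: `automountServiceAccountToken: false` is the right call for the OneAgent service account, and the SCC `use` permission bound to it in the ClusterRole above is still honored, because SCC admission is evaluated against the account's RBAC rather than a mounted token. The `dynatrace-edgeconnect` service account earlier in this change carries no such setting and, as far as the templates shown here go, has no rules bound to it; if EdgeConnect pods never call the API, set the same flag there.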

View File

@ -0,0 +1,109 @@
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: dynatrace-operator
labels:
{{- include "dynatrace-operator.operatorLabels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- dynatrace-dynakube-config
- dynatrace-metadata-enrichment-endpoint
verbs:
- get
- update
- delete
- list
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
resourceNames:
- dynatrace-webhook
verbs:
- get
- update
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
resourceNames:
- dynatrace-webhook
verbs:
- get
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
resourceNames:
- dynakubes.dynatrace.com
- edgeconnects.dynatrace.com
verbs:
- get
- update
{{- if (eq (include "dynatrace-operator.openshiftOrOlm" .) "true") }}
- apiGroups:
- security.openshift.io
resourceNames:
- privileged
- nonroot-v2
resources:
- securitycontextconstraints
verbs:
- use
{{ end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dynatrace-operator
labels:
{{- include "dynatrace-operator.operatorLabels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: dynatrace-operator
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: dynatrace-operator
apiGroup: rbac.authorization.k8s.io
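Review bot: the second `secrets` rule in ClusterRole `dynatrace-operator` combines `list` with `resourceNames`; Kubernetes only authorizes a `list` restricted by `resourceNames` when the request carries a `metadata.name` field selector matching one of the listed names, so an informer that lists secrets cluster-wide without that selector is denied by this rule. Either the operator must issue name-scoped lists, or `list` should be removed here and left to the namespaced Role below, which already grants it in the release namespace. The separate `create` on `secrets` is necessarily cluster-wide, since `resourceNames` cannot restrict `create`; a comment saying so would save the next reviewer the same question.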

View File

@ -0,0 +1,111 @@
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apps/v1
kind: Deployment
metadata:
name: dynatrace-operator
namespace: {{ .Release.Namespace }}
annotations:
{{- if .Values.operator.annotations }}
{{- toYaml .Values.operator.annotations | nindent 4 }}
{{- end }}
labels:
dynatrace.com/install-source: {{ include "dynatrace-operator.installSource" . }}
{{- include "dynatrace-operator.operatorLabels" . | nindent 4 }}
{{- if .Values.operator.labels }}
{{- toYaml .Values.operator.labels | nindent 4 }}
{{- end }}
spec:
replicas: 1
revisionHistoryLimit: 1
selector:
matchLabels:
{{- include "dynatrace-operator.operatorSelectorLabels" . | nindent 6 }}
strategy:
type: RollingUpdate
template:
metadata:
annotations:
dynatrace.com/inject: "false"
{{- if (.Values.operator).apparmor}}
container.apparmor.security.beta.kubernetes.io/operator: runtime/default
{{- end }}
{{- if .Values.operator.annotations }}
{{- toYaml .Values.operator.annotations | nindent 8 }}
{{- end }}
labels:
{{- include "dynatrace-operator.operatorLabels" . | nindent 8 }}
{{- include "dynatrace-operator.operatorSelectorLabels" . | nindent 8 }}
{{- if .Values.operator.labels }}
{{- toYaml .Values.operator.labels | nindent 8 }}
{{- end }}
spec:
containers:
- name: operator
args:
- operator
# Replace this with the built image name
image: {{ include "dynatrace-operator.image" . }}
imagePullPolicy: Always
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
ports:
- containerPort: 10080
name: livez
- containerPort: 8080
name: metrics
resources:
requests:
{{- toYaml (.Values.operator).requests | nindent 14 }}
limits:
{{- toYaml (.Values.operator).limits | nindent 14 }}
volumeMounts:
- name: tmp-cert-dir
mountPath: /tmp/dynatrace-operator
livenessProbe:
httpGet:
path: /livez
port: livez
scheme: HTTP
initialDelaySeconds: 15
periodSeconds: 10
{{- include "dynatrace-operator.startupProbe" . | nindent 10 }}
securityContext:
{{- toYaml .Values.operator.securityContext | nindent 12 }}
{{- include "dynatrace-operator.nodeAffinity" . | nindent 6 }}
volumes:
- emptyDir: { }
name: tmp-cert-dir
serviceAccountName: dynatrace-operator
securityContext:
{{- toYaml .Values.operator.podSecurityContext | nindent 8 }}
{{- if .Values.customPullSecret }}
imagePullSecrets:
- name: {{ .Values.customPullSecret }}
{{- end }}
{{- if .Values.operator.nodeSelector }}
nodeSelector: {{- toYaml .Values.operator.nodeSelector | nindent 8 }}
{{- end }}
tolerations:
{{- if .Values.operator.tolerations }}
{{- toYaml .Values.operator.tolerations | nindent 8 }}
{{- end }}
{{- include "dynatrace-operator.defaultTolerations" . | nindent 8 }}
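Review bot: the comment `# Replace this with the built image name` above `image: {{ include "dynatrace-operator.image" . }}` is stale now that the helper resolves the image; drop it. Two hardening points in the same container spec: `imagePullPolicy: Always` with a tag-based reference means every restart re-resolves the tag, so a digest pin is the only way to get a reproducible operator image; and AppArmor is enabled through the `container.apparmor.security.beta.kubernetes.io/operator` annotation, which newer clusters supersede with `securityContext.appArmorProfile`, so consider supporting the field as well.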

View File

@ -0,0 +1,170 @@
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: dynatrace-operator
namespace: {{ .Release.Namespace }}
labels:
{{- include "dynatrace-operator.operatorLabels" . | nindent 4 }}
rules:
- apiGroups:
- dynatrace.com
resources:
- dynakubes
- edgeconnects
verbs:
- get
- list
- watch
- update
- create
- apiGroups:
- dynatrace.com
resources:
- dynakubes/finalizers
- dynakubes/status
- edgeconnects/finalizers
- edgeconnects/status
verbs:
- update
- apiGroups:
- apps
resources:
- statefulsets
verbs:
- get
- list
- watch
- create
- update
- delete
- apiGroups:
- apps
resources:
- daemonsets
verbs:
- get
- list
- watch
- create
- update
- delete
- apiGroups:
- apps
resources:
- replicasets
- deployments
verbs:
- get
- list
- watch
- create
- update
- delete
- apiGroups:
- apps
resources:
- deployments/finalizers
verbs:
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
- create
- update
- delete
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- create
- update
- delete
- apiGroups:
- ""
resources:
- events
verbs:
- create
- get
- list
- apiGroups:
- ""
resources:
- services
verbs:
- create
- update
- delete
- get
- list
- watch
- apiGroups:
- ""
resources:
- pods/log
verbs:
- get
- apiGroups:
- networking.istio.io
resources:
- serviceentries
- virtualservices
verbs:
- get
- list
- create
- update
- delete
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- update
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: dynatrace-operator
namespace: {{ .Release.Namespace }}
labels:
{{- include "dynatrace-operator.operatorLabels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: dynatrace-operator
roleRef:
kind: Role
name: dynatrace-operator
apiGroup: rbac.authorization.k8s.io
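Review bot: the RoleBinding subject at the end (`- kind: ServiceAccount` / `name: dynatrace-operator`) omits `namespace:`; RBAC resolves an empty service-account namespace in a RoleBinding to the binding's own namespace, so this works, but every other binding in the chart spells out `namespace: {{ .Release.Namespace }}` and this one should too, both for consistency and for linters that flag the omission. On the Role itself, `pods/log` `get` together with full `secrets` CRUD in the release namespace is broad for one role; if log reading only serves troubleshooting output, a comment saying so helps reviewers.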

View File

@ -0,0 +1,20 @@
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ServiceAccount
metadata:
name: dynatrace-operator
namespace: {{ .Release.Namespace }}
labels:
{{- include "dynatrace-operator.operatorLabels" . | nindent 4 }}

View File

@ -0,0 +1,102 @@
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: dynatrace-webhook
labels:
{{- include "dynatrace-operator.webhookLabels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- update
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- dynatrace-dynakube-config
- dynatrace-metadata-enrichment-endpoint
verbs:
- get
- list
- watch
- update
# metadata-enrichment workload owner lookup
- apiGroups:
- ""
resources:
- replicationcontrollers
verbs:
- get
- apiGroups:
- apps
resources:
- replicasets
- statefulsets
- daemonsets
- deployments
verbs:
- get
- apiGroups:
- batch
resources:
- jobs
- cronjobs
verbs:
- get
- apiGroups:
- apps.openshift.io
resources:
- deploymentconfigs
verbs:
- get
{{- if (eq (include "dynatrace-operator.openshiftOrOlm" .) "true") }}
- apiGroups:
- security.openshift.io
resourceNames:
- privileged
- nonroot-v2
resources:
- securitycontextconstraints
verbs:
- use
{{ end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dynatrace-webhook
labels:
{{- include "dynatrace-operator.webhookLabels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: dynatrace-webhook
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: dynatrace-webhook
apiGroup: rbac.authorization.k8s.io
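Review bot: in the OpenShift block of ClusterRole `dynatrace-webhook`, granting `use` on the `privileged` SCC to an admission webhook's service account is more than it should need if its `securityContext` (taken from values) runs non-root; `nonroot-v2` alone should suffice, so either drop `privileged` here or document the requirement. The `secrets` rule has the same `list`/`watch` plus `resourceNames` caveat as the operator ClusterRole: it only authorizes requests that carry a matching `metadata.name` field selector, so confirm the webhook's cache does that or the rule is dead.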

View File

@ -0,0 +1,138 @@
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: apps/v1
kind: Deployment
metadata:
name: dynatrace-webhook
namespace: {{ .Release.Namespace }}
annotations:
{{- if .Values.webhook.annotations}}
{{- toYaml .Values.webhook.annotations | nindent 4 }}
{{- end }}
labels:
{{- include "dynatrace-operator.webhookLabels" . | nindent 4 }}
{{- if .Values.webhook.labels }}
{{- toYaml .Values.webhook.labels | nindent 4 }}
{{- end }}
spec:
replicas: {{ (default false (.Values.webhook).highAvailability) | ternary 2 1 }}
revisionHistoryLimit: 1
selector:
matchLabels:
{{- include "dynatrace-operator.webhookSelectorLabels" . | nindent 6 }}
strategy:
type: RollingUpdate
template:
metadata:
annotations:
dynatrace.com/inject: "false"
kubectl.kubernetes.io/default-container: webhook
{{- if (.Values.webhook).apparmor}}
container.apparmor.security.beta.kubernetes.io/webhook: runtime/default
{{- end }}
{{- if .Values.webhook.annotations}}
{{- toYaml .Values.webhook.annotations | nindent 8 }}
{{- end }}
labels:
{{- include "dynatrace-operator.webhookLabels" . | nindent 8 }}
{{- include "dynatrace-operator.webhookSelectorLabels" . | nindent 8 }}
{{- if .Values.webhook.labels }}
{{- toYaml .Values.webhook.labels | nindent 8 }}
{{- end }}
spec:
{{- if (.Values.webhook).highAvailability }}
topologySpreadConstraints:
- maxSkew: 1
topologyKey: "topology.kubernetes.io/zone"
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
{{- include "dynatrace-operator.webhookSelectorLabels" . | nindent 14 }}
- maxSkew: 1
topologyKey: "kubernetes.io/hostname"
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
{{- include "dynatrace-operator.webhookSelectorLabels" . | nindent 14 }}
{{- end }}
volumes:
- emptyDir: {}
name: certs-dir
{{- include "dynatrace-operator.nodeAffinity" . | nindent 6 }}
containers:
- name: webhook
args:
- webhook-server
# OLM mounts the certificates here, so we reuse it for simplicity
- --certs-dir=/tmp/k8s-webhook-server/serving-certs/
image: {{ include "dynatrace-operator.image" . }}
imagePullPolicy: Always
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
readinessProbe:
httpGet:
path: /readyz
port: livez
scheme: HTTP
initialDelaySeconds: 15
periodSeconds: 10
livenessProbe:
httpGet:
path: /livez
port: livez
scheme: HTTP
initialDelaySeconds: 15
periodSeconds: 10
ports:
- name: server-port
containerPort: 8443
- name: livez
containerPort: 10080
- name: metrics
containerPort: 8080
resources:
requests:
{{- toYaml (.Values.webhook).requests | nindent 14 }}
limits:
{{- toYaml (.Values.webhook).limits | nindent 14 }}
volumeMounts:
- name: certs-dir
mountPath: /tmp/k8s-webhook-server/serving-certs/
securityContext:
{{- toYaml .Values.webhook.securityContext | nindent 12 }}
serviceAccountName: dynatrace-webhook
{{- if (.Values.webhook).hostNetwork }}
hostNetwork: true
{{- end }}
securityContext:
{{- toYaml .Values.webhook.podSecurityContext | nindent 8 }}
{{- if .Values.customPullSecret }}
imagePullSecrets:
- name: {{ .Values.customPullSecret }}
{{- end }}
{{- if .Values.webhook.nodeSelector }}
nodeSelector: {{- toYaml .Values.webhook.nodeSelector | nindent 8 }}
{{- end }}
tolerations:
{{- if .Values.webhook.tolerations }}
{{- toYaml .Values.webhook.tolerations | nindent 8 }}
{{- end }}
{{- include "dynatrace-operator.defaultTolerations" . | nindent 8 }}
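Review bot: the `hostNetwork: true` option (under `{{- if (.Values.webhook).hostNetwork }}`) moves the webhook into the node's network namespace, where `server-port` 8443, `livez` 10080 and `metrics` 8080 become reachable on the node IP and pod-level NetworkPolicies no longer apply to it; that is sometimes unavoidable when the API server cannot reach pod IPs, but the values documentation should say so and the option must stay off by default.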

View File

@ -0,0 +1,58 @@
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
name: dynatrace-webhook
labels:
{{- include "dynatrace-operator.webhookLabels" . | nindent 4 }}
webhooks:
- name: webhook.pod.dynatrace.com
reinvocationPolicy: IfNeeded
failurePolicy: {{.Values.webhook.mutatingWebhook.failurePolicy}}
timeoutSeconds: {{.Values.webhook.mutatingWebhook.timeoutSeconds}}
rules:
- apiGroups: [ "" ]
apiVersions: [ "v1" ]
operations: [ "CREATE" ]
resources: [ "pods" ]
scope: Namespaced
namespaceSelector:
matchExpressions:
- key: dynakube.internal.dynatrace.com/instance
operator: Exists
clientConfig:
service:
name: dynatrace-webhook
namespace: {{ .Release.Namespace }}
path: /inject
admissionReviewVersions: [ "v1beta1", "v1" ]
sideEffects: None
- name: webhook.ns.dynatrace.com
reinvocationPolicy: IfNeeded
failurePolicy: {{.Values.webhook.mutatingWebhook.failurePolicy}}
timeoutSeconds: {{.Values.webhook.mutatingWebhook.timeoutSeconds}}
rules:
- apiGroups: [ "" ]
apiVersions: [ "v1" ]
operations: [ "CREATE", "UPDATE"]
resources: [ "namespaces" ]
scope: Cluster
clientConfig:
service:
name: dynatrace-webhook
namespace: {{ .Release.Namespace }}
path: /label-ns
admissionReviewVersions: [ "v1beta1", "v1" ]
sideEffects: None
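Review bot: the `webhook.ns.dynatrace.com` entry intercepts `CREATE` and `UPDATE` of every Namespace with no `namespaceSelector` or `objectSelector`, so when `failurePolicy` renders as `Fail`, any namespace change cluster-wide, including `kube-system` and the release namespace itself, blocks while the webhook is unavailable; consider an `objectSelector` that excludes the control-plane namespaces and the operator's own, or document that `Ignore` is the intended value for this entry. Separately, `admissionReviewVersions: [ "v1beta1", "v1" ]` lists the no-longer-served `admission.k8s.io/v1beta1` first; order it `[ "v1", "v1beta1" ]` or drop `v1beta1`.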

View File

@ -0,0 +1,11 @@
# v1 version supported since k8s 1.21
apiVersion: {{ .Capabilities.APIVersions.Has "policy/v1" | ternary "policy/v1" "policy/v1beta1" }}
kind: PodDisruptionBudget
metadata:
name: dynatrace-webhook
namespace: {{ .Release.Namespace }}
spec:
minAvailable: 1
selector:
matchLabels:
app.kubernetes.io/component: webhook
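Review bot: `minAvailable: 1` combined with the webhook Deployment's non-HA default of `replicas: 1` means the only webhook pod can never be evicted voluntarily, so `kubectl drain` on its node stalls until someone deletes the pod by hand; either render this PDB only when `webhook.highAvailability` is set, or use `maxUnavailable` so single-replica installs remain drainable. The selector also uses a bare `app.kubernetes.io/component: webhook` instead of the `dynatrace-operator.webhookSelectorLabels` helper the Deployment uses, so any other pod in the namespace carrying that component label would count toward the budget; and this template lacks the license header and labels the other manifests carry.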

View File

@ -0,0 +1,70 @@
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: dynatrace-webhook
namespace: {{ .Release.Namespace }}
labels:
{{- include "dynatrace-operator.webhookLabels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ""
resources:
- secrets
- pods
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- dynatrace.com
resources:
- dynakubes
verbs:
- get
- list
- watch
- apiGroups:
- apps
resources:
- daemonsets
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: dynatrace-webhook
namespace: {{ .Release.Namespace }}
labels:
{{- include "dynatrace-operator.webhookLabels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: dynatrace-webhook
namespace: {{ .Release.Namespace }}
roleRef:
kind: Role
name: dynatrace-webhook
apiGroup: rbac.authorization.k8s.io
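Review bot: the second rule of Role `dynatrace-webhook` grants `get`, `list`, `watch` on all `secrets` in the release namespace with no `resourceNames`, which makes the carefully scoped secret rule in the webhook ClusterRole redundant for that namespace; if the webhook only needs the two named secrets, restrict this rule the same way and keep `pods` and `configmaps` in a rule of their own.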

View File

@ -0,0 +1,27 @@
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: Service
metadata:
name: dynatrace-webhook
namespace: {{ .Release.Namespace }}
labels:
{{- include "dynatrace-operator.webhookLabels" . | nindent 4 }}
spec:
selector:
{{- include "dynatrace-operator.webhookLabels" . | nindent 4 }}
ports:
- port: 443
protocol: TCP
targetPort: server-port
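Review bot: the Service selector reuses `dynatrace-operator.webhookLabels` while the Deployment selects pods with `dynatrace-operator.webhookSelectorLabels`; unless `webhookLabels` is guaranteed to contain only stable, version-free labels, the Service stops matching the previous release's pods during an upgrade until the new ReplicaSet is ready, which under `failurePolicy: Fail` blocks pod creation in every injected namespace for that window. Use the same selector helper as the Deployment here.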

View File

@ -0,0 +1,21 @@
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: v1
kind: ServiceAccount
metadata:
name: dynatrace-webhook
namespace: {{ .Release.Namespace }}
labels:
{{- include "dynatrace-operator.webhookLabels" . | nindent 4 }}

View File

@ -0,0 +1,104 @@
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
name: dynatrace-webhook
labels:
{{- include "dynatrace-operator.webhookLabels" . | nindent 4 }}
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: dynatrace-webhook
namespace: {{ .Release.Namespace }}
path: /validate-dynatrace-com-v1beta1-dynakube
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- dynatrace.com
apiVersions:
- v1beta1
resources:
- dynakubes
name: v1beta1.dynakube.webhook.dynatrace.com
timeoutSeconds: {{.Values.webhook.validatingWebhook.timeoutSeconds}}
sideEffects: None
matchPolicy: Exact
- admissionReviewVersions:
- v1
clientConfig:
service:
name: dynatrace-webhook
namespace: {{ .Release.Namespace }}
path: /validate-dynatrace-com-v1beta2-dynakube
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- dynatrace.com
apiVersions:
- v1beta2
resources:
- dynakubes
name: v1beta2.dynakube.webhook.dynatrace.com
timeoutSeconds: {{.Values.webhook.validatingWebhook.timeoutSeconds}}
sideEffects: None
matchPolicy: Exact
- admissionReviewVersions:
- v1
clientConfig:
service:
name: dynatrace-webhook
namespace: {{ .Release.Namespace }}
path: /validate-dynatrace-com-v1alpha1-edgeconnect
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- dynatrace.com
apiVersions:
- v1alpha1
resources:
- edgeconnects
name: v1alpha1.edgeconnect.webhook.dynatrace.com
timeoutSeconds: {{.Values.webhook.validatingWebhook.timeoutSeconds}}
sideEffects: None
matchPolicy: Exact
- admissionReviewVersions:
- v1
clientConfig:
service:
name: dynatrace-webhook
namespace: {{ .Release.Namespace }}
path: /validate-dynatrace-com-v1alpha2-edgeconnect
rules:
- operations:
- CREATE
- UPDATE
apiGroups:
- dynatrace.com
apiVersions:
- v1alpha2
resources:
- edgeconnects
name: v1alpha2.edgeconnect.webhook.dynatrace.com
timeoutSeconds: {{.Values.webhook.validatingWebhook.timeoutSeconds}}
sideEffects: None
matchPolicy: Exact
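Review bot: none of the four validating entries sets `failurePolicy`, so the API default `Fail` applies, while the mutating configuration exposes `failurePolicy` through values; set it explicitly here (and keep it `Fail`, since a validation webhook that fails open defeats its purpose) so a reader of the values file is not misled into thinking the setting covers both configurations. Each entry uses `matchPolicy: Exact`, which fits the one-entry-per-version layout, but every newly served DynaKube or EdgeConnect API version will need its own entry or it bypasses validation.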

View File

@ -0,0 +1,10 @@
Thank you for installing {{ .Chart.Name }}.
Your release is named {{ .Release.Name }}.
To find more information about the Dynatrace Operator, try:
https://github.com/Dynatrace/dynatrace-operator
To verify the current state of the deployments, try:
$ kubectl get pods -n {{ .Release.Namespace }}
$ kubectl logs -f deployment/dynatrace-operator -n {{ .Release.Namespace }}

View File

@ -0,0 +1,74 @@
// Copyright 2020 Dynatrace LLC
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
{{/*
Check if we need the csi driver.
*/}}
{{- define "dynatrace-operator.needCSI" -}}
{{- if or (.Values.csidriver.enabled) -}}
{{- printf "true" -}}
{{- end -}}
{{- end -}}
{{/*
CSI PriorityClassName
*/}}
{{- define "dynatrace-operator.CSIPriorityClassName" -}}
{{- default "dynatrace-high-priority" .Values.csidriver.existingPriorityClassName -}}
{{- end -}}
{{/*
Check if we need the csi default priority class
*/}}
{{- define "dynatrace-operator.needPriorityClass" -}}
{{- if and (eq (include "dynatrace-operator.needCSI" .) "true") (not .Values.csidriver.existingPriorityClassName) -}}
{{- printf "true" -}}
{{- end -}}
{{- end -}}
{{/*
CSI plugin-dir path
*/}}
{{- define "dynatrace-operator.CSIPluginDir" -}}
{{ printf "%s/plugins/csi.oneagent.dynatrace.com/" (trimSuffix "/" (default "/var/lib/kubelet" .Values.csidriver.kubeletPath)) }}
{{- end -}}
{{/*
CSI data-dir path
*/}}
{{- define "dynatrace-operator.CSIDataDir" -}}
{{ printf "%s/data" (trimSuffix "/" (include "dynatrace-operator.CSIPluginDir" .)) }}
{{- end -}}
{{/*
CSI socket path
*/}}
{{- define "dynatrace-operator.CSISocketPath" -}}
{{ printf "%s/csi.sock" (trimSuffix "/" (include "dynatrace-operator.CSIPluginDir" .)) }}
{{- end -}}
{{/*
CSI mountpoint-dir path
*/}}
{{- define "dynatrace-operator.CSIMountPointDir" -}}
{{ printf "%s/pods/" (trimSuffix "/" (default "/var/lib/kubelet" .Values.csidriver.kubeletPath)) }}
{{- end -}}
{{/*
CSI registration-dir path
*/}}
{{- define "dynatrace-operator.CSIRegistrationDir" -}}
{{ printf "%s/plugins_registry/" (trimSuffix "/" (default "/var/lib/kubelet" .Values.csidriver.kubeletPath)) }}
{{- end -}}
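Review bot: `or` with a single operand in `dynatrace-operator.needCSI` (`{{- if or (.Values.csidriver.enabled) -}}`) is a no-op wrapper that reads as if a second condition was dropped; `{{- if .Values.csidriver.enabled -}}` says the same thing. The path helpers below it derive the plugin, data, socket, mount-point and registration directories from `.Values.csidriver.kubeletPath` with only `trimSuffix "/"` applied, so a relative or empty override silently yields paths like `plugins/csi.oneagent.dynatrace.com/`; a one-line comment stating that the value must be the absolute kubelet root on the node would help anyone reviewing values overrides.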

View File

@ -0,0 +1,53 @@
// Copyright 2020 Dynatrace LLC
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "dynatrace-operator.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Check if default image or imageref is used
*/}}
{{- define "dynatrace-operator.image" -}}
{{- if .Values.image -}}
{{- printf "%s" .Values.image -}}
{{- else -}}
{{- if (.Values.imageRef).repository -}}
{{- .Values.imageRef.tag | default (printf "v%s" .Chart.AppVersion) | printf "%s:%s" .Values.imageRef.repository -}}
{{- else if eq (include "dynatrace-operator.platform" .) "openshift" -}}
{{- printf "%s:v%s" "registry.connect.redhat.com/dynatrace/dynatrace-operator" .Chart.AppVersion }}
{{- else if eq (include "dynatrace-operator.platform" .) "google-marketplace" -}}
{{- printf "%s:%s" "gcr.io/dynatrace-marketplace-prod/dynatrace-operator" .Chart.AppVersion }}
{{- else if eq (include "dynatrace-operator.platform" .) "azure-marketplace" -}}
{{- printf "%s/%s@%s" .Values.global.azure.images.operator.registry .Values.global.azure.images.operator.image .Values.global.azure.images.operator.digest }}
{{- else -}}
{{- printf "%s:v%s" "public.ecr.aws/dynatrace/dynatrace-operator" .Chart.AppVersion }}
{{- end -}}
{{- end -}}
{{- end -}}
{{- define "dynatrace-operator.startupProbe" -}}
startupProbe:
exec:
command:
- /usr/local/bin/dynatrace-operator
- startup-probe
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 1
{{- end -}}
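Review bot: the default registry branches of `dynatrace-operator.image` reference the operator by mutable tag (`printf "%s:v%s" ... .Chart.AppVersion` for the Red Hat and ECR registries, `printf "%s:%s"` for GCR) while the azure-marketplace branch pins by digest (`printf "%s/%s@%s" ... .digest`). A tag can be re-pointed in the registry after release; if digests for the published images are available, pinning the defaults the same way, or at least letting `imageRef` carry a digest alongside `tag`, would make the default install reproducible. Separately, `dynatrace-operator.startupProbe` sets `failureThreshold: 1` with `periodSeconds: 10`, so one slow or failed probe restarts the container; startup probes normally get a generous threshold because their purpose is to tolerate slow starts, and the tight value here should either be raised or justified in a comment.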

View File

@ -0,0 +1,102 @@
// Copyright 2020 Dynatrace LLC
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
{{/*
Selector labels
*/}}
{{- define "dynatrace-operator.futureSelectorLabels" -}}
app.kubernetes.io/name: dynatrace-operator
{{- if not (.Values).manifests }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end -}}
{{- end -}}
{{/*
Common labels
*/}}
{{- define "dynatrace-operator.commonLabels" -}}
{{ include "dynatrace-operator.futureSelectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
{{- if not (.Values).manifests }}
helm.sh/chart: {{ include "dynatrace-operator.chart" . }}
{{- end -}}
{{- if eq (include "dynatrace-operator.platform" .) "azure-marketplace" }}
azure-extensions-usage-release-identifier: {{ .Release.Name | quote }}
{{- end -}}
{{- end -}}
{{/*
Operator labels
*/}}
{{- define "dynatrace-operator.operatorLabels" -}}
{{ include "dynatrace-operator.commonLabels" . }}
app.kubernetes.io/component: operator
{{- end -}}
{{/*
Operator selector labels
*/}}
{{- define "dynatrace-operator.operatorSelectorLabels" -}}
name: {{ .Release.Name }}
{{- end -}}
{{/*
Webhook labels
*/}}
{{- define "dynatrace-operator.webhookLabels" -}}
{{ include "dynatrace-operator.commonLabels" . }}
app.kubernetes.io/component: webhook
{{- end -}}
{{/*
Webhook selector labels
*/}}
{{- define "dynatrace-operator.webhookSelectorLabels" -}}
internal.dynatrace.com/component: webhook
internal.dynatrace.com/app: webhook
{{- end -}}
{{/*
CSI labels
*/}}
{{- define "dynatrace-operator.csiLabels" -}}
{{ include "dynatrace-operator.commonLabels" . }}
app.kubernetes.io/component: csi-driver
{{- end -}}
{{/*
CSI selector labels
*/}}
{{- define "dynatrace-operator.csiSelectorLabels" -}}
internal.oneagent.dynatrace.com/app: csi-driver
internal.oneagent.dynatrace.com/component: csi-driver
{{- end -}}
{{/*
ActiveGate labels
*/}}
{{- define "dynatrace-operator.activegateLabels" -}}
{{ include "dynatrace-operator.commonLabels" . }}
app.kubernetes.io/component: activegate
{{- end -}}
{{/*
OneAgent labels
*/}}
{{- define "dynatrace-operator.oneagentLabels" -}}
{{ include "dynatrace-operator.commonLabels" . }}
app.kubernetes.io/component: oneagent
{{- end -}}
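Review bot: `dynatrace-operator.operatorSelectorLabels` selects on `name: {{ .Release.Name }}` while the other components select on `internal.*` keys and a helper named `futureSelectorLabels` defines the `app.kubernetes.io/*` set; the naming implies a planned migration, but nothing in the file says why the operator selector must stay on `name` (selectors are immutable on existing Deployments, which is presumably the reason). A short comment above the define would spare the next reader from "fixing" it and breaking upgrades.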

View File

@ -0,0 +1,84 @@
// Copyright 2020 Dynatrace LLC
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
{{/*
Auto-detect the platform (if not set), according to the available APIVersions
*/}}
{{- define "dynatrace-operator.platform" -}}
{{- if .Values.platform}}
{{- printf .Values.platform -}}
{{- else if .Capabilities.APIVersions.Has "security.openshift.io/v1" }}
{{- printf "openshift" -}}
{{- else }}
{{- printf "kubernetes" -}}
{{- end -}}
{{- end }}
{{/*
Set install source how the Operator was installed
*/}}
{{- define "dynatrace-operator.installSource" -}}
{{- if .Values.olm }}
{{- printf "operatorhub" -}}
{{- else if .Values.manifests }}
{{- printf "manifest" -}}
{{- else if (and (.Values.platform) (not (has .Values.platform (list "kubernetes" "openshift")))) }}
{{- printf .Values.platform -}}
{{- else }}
{{- printf "helm" -}}
{{- end -}}
{{- end }}
{{/*
Exclude Kubernetes manifest not running on OLM
*/}}
{{- define "dynatrace-operator.openshiftOrOlm" -}}
{{- if and (or (eq (include "dynatrace-operator.platform" .) "openshift") (.Values.olm)) -}}
{{ default "true" }}
{{- end -}}
{{- end -}}
{{- define "dynatrace-operator.nodeAffinity" -}}
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- amd64
- arm64
- ppc64le
- s390x
- key: kubernetes.io/os
operator: In
values:
- linux
{{- end -}}
{{- define "dynatrace-operator.defaultTolerations" -}}
- key: kubernetes.io/arch
value: arm64
effect: NoSchedule
- key: kubernetes.io/arch
value: amd64
effect: NoSchedule
- key: kubernetes.io/arch
value: ppc64le
effect: NoSchedule
- key: kubernetes.io/arch
value: s390x
effect: NoSchedule
{{- end -}}
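Review bot: `{{- printf .Values.platform -}}` in `dynatrace-operator.platform`, and again in `dynatrace-operator.installSource`, passes a user-supplied value as the printf format string, so a platform value containing `%` renders with Go's `%!x(MISSING)`-style markers instead of verbatim; use `{{- .Values.platform -}}` or `printf "%s" .Values.platform`. In `dynatrace-operator.openshiftOrOlm`, `and` wraps a single `or` and the body is a one-argument `{{ default "true" }}` call; `{{- if or (eq (include "dynatrace-operator.platform" .) "openshift") .Values.olm -}}{{- printf "true" -}}` matches the pattern of the other helpers. The header comment "Exclude Kubernetes manifest not running on OLM" also describes a use rather than the result; the helper returns `true` when the platform is OpenShift or OLM is set, and the comment should say so.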

View File

@ -0,0 +1,98 @@
{{- if eq (include "dynatrace-operator.platform" .) "google-marketplace" }}
# Copyright 2020 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: app.k8s.io/v1beta1
kind: Application
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "dynatrace-operator.operatorLabels" . | nindent 4 }}
annotations:
kubernetes-engine.cloud.google.com/icon: data:image/png;base64,{{ .Files.Get "logo.png" | b64enc }}
marketplace.cloud.google.com/deploy-info: '{"partner_id": "dynatrace-marketplace-prod", "product_id": "dynatrace-operator", "partner_name": "Dynatrace LLC"}'
spec:
descriptor:
type: "Dynatrace Operator"
version: {{ .Chart.AppVersion }}
maintainers:
- name: Dynatrace LLC
url: https://www.dynatrace.com/
keywords:
- "dynatrace"
- "operator"
- "activegate"
- "k8s"
- "monitoring"
- "apm"
description: |
# Dynatrace Operator
The Dynatrace Operator supports rollout and lifecycle management of various Dynatrace components in Kubernetes and OpenShift.
* OneAgent
* `classicFullStack` rolls out a OneAgent pod per node to monitor pods on it and the node itself
* `applicationMonitoring` is a webhook based injection mechanism for automatic app-only injection
* CSI Driver can be enabled to cache OneAgent downloads per node
* `hostMonitoring` is only monitoring the hosts (i.e. nodes) in the cluster without app-only injection
* `cloudNativeFullStack` is a combination of `applicationMonitoring` with CSI driver and `hostMonitoring`
* ActiveGate
* `routing` routes OneAgent traffic through the ActiveGate
* `kubernetes-monitoring` allows monitoring of the Kubernetes API
* `metrics-ingest` routes enriched metrics through ActiveGate
For more information please have a look at [our DynaKube Custom Resource examples](config/samples) and
our [official help page](https://www.dynatrace.com/support/help/setup-and-configuration/setup-on-container-platforms/kubernetes/).
links:
- description: Dynatrace Website
url: https://www.dynatrace.com/
- description: Operator Deploy Guide
url: ToDo
- description: Kubernetes Monitoring Info
url: https://www.dynatrace.com/technologies/kubernetes-monitoring
selector:
matchLabels:
app.kubernetes.io/name: dynatrace-operator
componentKinds:
- group: apps/v1
kind: DaemonSet
- group: v1
kind: Pod
- group: v1
kind: ConfigMap
- group: apps/v1
kind: Deployment
- group: v1
kind: Secret
- group: batch/v1
kind: Job
- group: v1
kind: Service
- group: v1
kind: ServiceAccount
- group: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
- group: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
- group: apps/v1
kind: StatefulSet
- group: storage.k8s.io/v1
kind: CSIDriver
- group: rbac.authorization.k8s.io/v1
kind: ClusterRole
- group: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
- group: rbac.authorization.k8s.io/v1
kind: Role
- group: rbac.authorization.k8s.io/v1
kind: RoleBinding
{{ end }}
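Review bot: the "Operator Deploy Guide" link is left at `url: ToDo`, which ships a placeholder into the marketplace listing; fill it in or drop the entry before release. The description's link to `[our DynaKube Custom Resource examples](config/samples)` is a repository-relative path that does not resolve from a rendered Application descriptor; an absolute URL would work there.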

View File

@ -0,0 +1,196 @@
# Copyright 2021 Dynatrace LLC
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# special handling for "openshift" and "gke-autopilot" (deprecated)
platform: ""
#image qualifier; OBSOLETE -> use imageref instead!
# supply either image or imageref; if both supplied, imageref will be disregarded
image: ""
#image description using tags
#resulting image will be named <repository>:v<tag>
imageRef:
repository: "" #path to repo
tag: "" #defaults to chart version
customPullSecret: ""
installCRD: true
operator:
nodeSelector: {}
tolerations: []
labels: {}
annotations: {}
apparmor: false
securityContext:
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1001
runAsGroup: 1001
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
podSecurityContext:
seccompProfile:
type: RuntimeDefault
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 100m
memory: 128Mi
webhook:
hostNetwork: false
nodeSelector: {}
tolerations: []
labels: {}
annotations: {}
apparmor: false
securityContext:
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1001
runAsGroup: 1001
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
podSecurityContext:
seccompProfile:
type: RuntimeDefault
requests:
cpu: 300m
memory: 128Mi
limits:
cpu: 300m
memory: 128Mi
highAvailability: true
validatingWebhook:
timeoutSeconds: 10
mutatingWebhook:
failurePolicy: Ignore
timeoutSeconds: 10
csidriver:
enabled: true
nodeSelector: {}
kubeletPath: "/var/lib/kubelet"
existingPriorityClassName: "" # if defined, use this priorityclass instead of creating a new one
priorityClassValue: "1000000"
maxUnmountedVolumeAge: "" # defined in days, must be a plain number
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Exists
- effect: NoSchedule
key: node-role.kubernetes.io/control-plane
operator: Exists
labels: {}
annotations: {}
updateStrategy:
rollingUpdate:
maxSurge: 0
maxUnavailable: 1
type: RollingUpdate
csiInit:
securityContext:
runAsUser: 0
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: false
seLinuxOptions:
level: s0
seccompProfile:
type: RuntimeDefault
resources:
requests:
cpu: 50m
memory: 100Mi
limits:
cpu: 50m
memory: 100Mi
server:
securityContext:
runAsUser: 0
privileged: true # Needed for mountPropagation
allowPrivilegeEscalation: true # Needed for privileged
readOnlyRootFilesystem: true
runAsNonRoot: false
seLinuxOptions:
level: s0
seccompProfile:
type: RuntimeDefault
resources:
requests:
cpu: 50m
memory: 100Mi
limits:
cpu: 50m
memory: 100Mi
provisioner:
securityContext:
runAsUser: 0
privileged: true # Needed for mountPropagation
allowPrivilegeEscalation: true # Needed for privileged
readOnlyRootFilesystem: true
runAsNonRoot: false
seLinuxOptions:
level: s0
seccompProfile:
type: RuntimeDefault
resources:
requests:
cpu: 300m
memory: 100Mi
registrar:
securityContext:
runAsUser: 0
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
seccompProfile:
type: RuntimeDefault
resources:
requests:
cpu: 20m
memory: 30Mi
limits:
cpu: 20m
memory: 30Mi
livenessprobe:
securityContext:
runAsUser: 0
privileged: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: false
seccompProfile:
type: RuntimeDefault
resources:
requests:
cpu: 20m
memory: 30Mi
limits:
cpu: 20m
memory: 30Mi
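Review bot: `csidriver.registrar.securityContext` (`runAsUser: 0`, `privileged: false`) omits `allowPrivilegeEscalation: false`, which every other non-privileged container context in this file sets (`operator`, `webhook`, `csidriver.csiInit`, `csidriver.livenessprobe`); add it so the registrar is not the one container left able to gain privileges through setuid binaries. Two consistency points: the `imageRef.tag` comment says "defaults to chart version" but the image helper falls back to `v<appVersion>` (`.Chart.AppVersion`), and `csidriver.provisioner.resources` sets requests without limits while the sibling containers set both. Finally, `webhook.mutatingWebhook.failurePolicy: Ignore` is a fail-open default: pods admitted while the webhook is unavailable are created without injection and nothing flags it; a comment next to the value would let operators make that tradeoff knowingly.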

View File

@ -0,0 +1,23 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/

View File

@ -0,0 +1,27 @@
annotations:
catalog.cattle.io/certified: partner
catalog.cattle.io/display-name: Speedscale Operator
catalog.cattle.io/kube-version: '>= 1.17.0-0'
catalog.cattle.io/release-name: speedscale-operator
apiVersion: v1
appVersion: 2.2.425
description: Stress test your APIs with real world scenarios. Collect and replay
traffic without scripting.
home: https://speedscale.com
icon: file://assets/icons/speedscale-operator.png
keywords:
- speedscale
- test
- testing
- regression
- reliability
- load
- replay
- network
- traffic
kubeVersion: '>= 1.17.0-0'
maintainers:
- email: support@speedscale.com
name: Speedscale Support
name: speedscale-operator
version: 2.2.425

View File

@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright 2021 Speedscale
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

View File

@ -0,0 +1,111 @@
![GitHub Tag](https://img.shields.io/github/v/tag/speedscale/operator-helm)
# Speedscale Operator
The [Speedscale](https://www.speedscale.com) Operator is a [Kubernetes operator](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/)
that watches for deployments to be applied to the cluster and takes action based on annotations. The operator
can inject a proxy to capture traffic into or out of applications, or setup an isolation test environment around
a deployment for testing. The operator itself is a deployment that will be always present on the cluster once
the helm chart is installed.
## Prerequisites
- Kubernetes 1.20+
- Helm 3+
- Appropriate [network and firewall configuration](https://docs.speedscale.com/reference/networking) for Speedscale cloud and webhook traffic
## Get Repo Info
```bash
helm repo add speedscale https://speedscale.github.io/operator-helm/
helm repo update
```
_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
## Install Chart
An API key is required. Sign up for a [free Speedscale trial](https://speedscale.com/free-trial/) if you do not have one.
```bash
helm install speedscale-operator speedscale/speedscale-operator \
-n speedscale \
--create-namespace \
--set apiKey=<YOUR-SPEEDSCALE-API-KEY> \
--set clusterName=<YOUR-CLUSTER-NAME>
```
_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
### Pre-install job failure
We use pre-install job to check provided API key and provision some of the required resources.
If the job failed during the installation, you'll see the following error during install:
```
Error: INSTALLATION FAILED: failed pre-install: job failed: BackoffLimitExceeded
```
You can inspect the logs using this command:
```bash
kubectl -n speedscale logs job/speedscale-operator-pre-install
```
After fixing the error, uninstall the helm release, delete the failed job
and try installing again:
```bash
helm -n speedscale uninstall speedscale-operator
kubectl -n speedscale delete job speedscale-operator-pre-install
```
## Uninstall Chart
```bash
helm -n speedscale uninstall speedscale-operator
```
This removes all the Kubernetes components associated with the chart and deletes the release.
_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._
CRDs created by this chart are not removed by default and should be manually cleaned up:
```bash
kubectl delete crd trafficreplays.speedscale.com
```
## Upgrading Chart
```bash
helm repo update
helm -n speedscale upgrade speedscale-operator speedscale/speedscale-operator
```
Resources capturing traffic will need to be rolled to pick up the latest
Speedscale sidecar. Use the rollout restart command for each namespace and
resource type:
```bash
kubectl -n <namespace> rollout restart deployment
```
With Helm v3, CRDs created by this chart are not updated by default
and should be manually updated.
Consult also the [Helm Documentation on CRDs](https://helm.sh/docs/chart_best_practices/custom_resource_definitions).
_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._
### Upgrading an existing Release to a new version
A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an
incompatible breaking change needing manual actions.
## Help
Speedscale docs information available at [docs.speedscale.com](https://docs.speedscale.com) or join us
on the [Speedscale community Slack](https://join.slack.com/t/speedscalecommunity/shared_invite/zt-x5rcrzn4-XHG1QqcHNXIM~4yozRrz8A)!
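Review bot: the Prerequisites list says "Kubernetes 1.20+" while Chart.yaml declares `kubeVersion: '>= 1.17.0-0'`; align the two so Helm refuses installs the README says are unsupported. The install example passes the credential as `--set apiKey=<YOUR-SPEEDSCALE-API-KEY>`, which records it in shell history and in the release values Helm stores in the cluster; the README could note that and suggest `--set-file` or a values file kept out of version control. Minor wording: "We use pre-install job" should read "We use a pre-install job".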

View File

@ -0,0 +1,111 @@
![GitHub Tag](https://img.shields.io/github/v/tag/speedscale/operator-helm)
# Speedscale Operator
The [Speedscale](https://www.speedscale.com) Operator is a [Kubernetes operator](https://kubernetes.io/docs/concepts/extend-kubernetes/operator/)
that watches for deployments to be applied to the cluster and takes action based on annotations. The operator
can inject a proxy to capture traffic into or out of applications, or setup an isolation test environment around
a deployment for testing. The operator itself is a deployment that will be always present on the cluster once
the helm chart is installed.
## Prerequisites
- Kubernetes 1.20+
- Helm 3+
- Appropriate [network and firewall configuration](https://docs.speedscale.com/reference/networking) for Speedscale cloud and webhook traffic
## Get Repo Info
```bash
helm repo add speedscale https://speedscale.github.io/operator-helm/
helm repo update
```
_See [helm repo](https://helm.sh/docs/helm/helm_repo/) for command documentation._
## Install Chart
An API key is required. Sign up for a [free Speedscale trial](https://speedscale.com/free-trial/) if you do not have one.
```bash
helm install speedscale-operator speedscale/speedscale-operator \
-n speedscale \
--create-namespace \
--set apiKey=<YOUR-SPEEDSCALE-API-KEY> \
--set clusterName=<YOUR-CLUSTER-NAME>
```
_See [helm install](https://helm.sh/docs/helm/helm_install/) for command documentation._
### Pre-install job failure
We use pre-install job to check provided API key and provision some of the required resources.
If the job failed during the installation, you'll see the following error during install:
```
Error: INSTALLATION FAILED: failed pre-install: job failed: BackoffLimitExceeded
```
You can inspect the logs using this command:
```bash
kubectl -n speedscale logs job/speedscale-operator-pre-install
```
After fixing the error, uninstall the helm release, delete the failed job
and try installing again:
```bash
helm -n speedscale uninstall speedscale-operator
kubectl -n speedscale delete job speedscale-operator-pre-install
```
## Uninstall Chart
```bash
helm -n speedscale uninstall speedscale-operator
```
This removes all the Kubernetes components associated with the chart and deletes the release.
_See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall/) for command documentation._
CRDs created by this chart are not removed by default and should be manually cleaned up:
```bash
kubectl delete crd trafficreplays.speedscale.com
```
## Upgrading Chart
```bash
helm repo update
helm -n speedscale upgrade speedscale-operator speedscale/speedscale-operator
```
Resources capturing traffic will need to be rolled to pick up the latest
Speedscale sidecar. Use the rollout restart command for each namespace and
resource type:
```bash
kubectl -n <namespace> rollout restart deployment
```
With Helm v3, CRDs created by this chart are not updated by default
and should be manually updated.
Consult also the [Helm Documentation on CRDs](https://helm.sh/docs/chart_best_practices/custom_resource_definitions).
_See [helm upgrade](https://helm.sh/docs/helm/helm_upgrade/) for command documentation._
### Upgrading an existing Release to a new version
A major chart version change (like v1.2.3 -> v2.0.0) indicates that there is an
incompatible breaking change needing manual actions.
## Help
Speedscale docs information available at [docs.speedscale.com](https://docs.speedscale.com) or join us
on the [Speedscale community Slack](https://join.slack.com/t/speedscalecommunity/shared_invite/zt-x5rcrzn4-XHG1QqcHNXIM~4yozRrz8A)!
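Review bot: the install example's `--set apiKey=<YOUR-SPEEDSCALE-API-KEY>` leaves the key in shell history and in the release's stored values (`helm get values speedscale-operator -n speedscale` prints it back), and the README never mentions the `apiKeySecret` value that the Deployment and the pre-install job already honour (`name: '{{ ne .Values.apiKeySecret "" | ternary .Values.apiKeySecret "speedscale-apikey" }}'`). Document the pre-created secret as the recommended path: create a secret carrying the same two keys the chart's own secret uses (`SPEEDSCALE_API_KEY`, `SPEEDSCALE_APP_URL`) and install with `--set apiKeySecret=<name>`. Two smaller points: the uninstall section's "removes all the Kubernetes components" is not true for the `pre-install` hook resources (`speedscale-apikey`, `speedscale-webhook-certs`), which Helm does not track and which survive `helm uninstall`; and "setup an isolation test environment" should read "set up".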


@ -0,0 +1,9 @@
questions:
- variable: apiKey
default: "fffffffffffffffffffffffffffffffffffffffffffff"
description: "An API key is required to connect to the Speedscale cloud."
required: true
type: string
label: API Key
group: Authentication
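Review bot: `default: "fffff..."` is a placeholder that satisfies `required: true`, so a Rancher user who leaves the field untouched gets a chart that only fails later in the pre-install job; use an empty default so the form itself blocks submission, and declare the field as `type: password` rather than `type: string` so the UI masks it. The form also asks nothing for `clusterName`, `appUrl` or `apiKeySecret`, although the README's install command requires `clusterName` and the ConfigMap renders it verbatim (`CLUSTER_NAME: {{ .Values.clusterName }}` becomes an empty value here).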


@ -0,0 +1,12 @@
Thank you for installing the Speedscale Operator!
Next you'll need to add the Speedscale Proxy Sidecar to your deployments.
See https://docs.speedscale.com/setup/sidecar/install/
If upgrading use the rollout restart command for each namespace and resource
type to ensure Speedscale sidecars are updated:
kubectl -n <namespace> rollout restart deployment
Once your deployment is running the sidecar your service will show up on
https://app.speedscale.com/.
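Review bot: the upgrade instruction `kubectl -n <namespace> rollout restart deployment` only covers Deployments, while the sidecar webhook in this chart also mutates `statefulsets`, `daemonsets` and `argoproj.io` `rollouts`; say `rollout restart deployment,statefulset,daemonset` (and `kubectl argo rollouts restart` where Argo Rollouts is used) so workloads of those kinds do not keep running an old sidecar after an upgrade. The README's "Upgrading Chart" section has the same gap.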


@ -0,0 +1,209 @@
{{- $cacrt := "" -}}
{{- $crt := "" -}}
{{- $key := "" -}}
{{- $s := (lookup "v1" "Secret" .Release.Namespace "speedscale-webhook-certs") -}}
{{- if $s -}}
{{- $cacrt = index $s.data "ca.crt" | default (index $s.data "tls.crt") | b64dec -}}
{{- $crt = index $s.data "tls.crt" | b64dec -}}
{{- $key = index $s.data "tls.key" | b64dec -}}
{{ else }}
{{- $altNames := list ( printf "speedscale-operator.%s" .Release.Namespace ) ( printf "speedscale-operator.%s.svc" .Release.Namespace ) -}}
{{- $ca := genCA "speedscale-operator" 3650 -}}
{{- $cert := genSignedCert "speedscale-operator" nil $altNames 3650 $ca -}}
{{- $cacrt = $ca.Cert -}}
{{- $crt = $cert.Cert -}}
{{- $key = $cert.Key -}}
{{- end -}}
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
creationTimestamp: null
name: speedscale-operator
annotations:
argocd.argoproj.io/hook: PreSync
{{- if .Values.globalAnnotations }}
{{ toYaml .Values.globalAnnotations | indent 4}}
{{- end }}
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
caBundle: {{ $cacrt | b64enc }}
service:
name: speedscale-operator
namespace: {{ .Release.Namespace }}
path: /mutate
failurePolicy: Ignore
name: sidecar.speedscale.com
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: "NotIn"
values:
- kube-system
- kube-node-lease
{{- if .Values.namespaceSelector }}
- key: kubernetes.io/metadata.name
operator: "In"
values:
{{- range .Values.namespaceSelector }}
- {{ . | quote }}
{{- end }}
{{- end }}
reinvocationPolicy: IfNeeded
rules:
- apiGroups:
- apps
- batch
apiVersions:
- v1
operations:
- CREATE
- UPDATE
- DELETE
resources:
- deployments
- statefulsets
- daemonsets
- jobs
- replicasets
- apiGroups:
- ""
apiVersions:
- v1
operations:
- CREATE
- UPDATE
- DELETE
resources:
- pods
- apiGroups:
- argoproj.io
apiVersions:
- "*"
operations:
- CREATE
- UPDATE
- DELETE
resources:
- rollouts
sideEffects: None
timeoutSeconds: 10
---
apiVersion: admissionregistration.k8s.io/v1
kind: MutatingWebhookConfiguration
metadata:
creationTimestamp: null
name: speedscale-operator-replay
annotations:
argocd.argoproj.io/hook: PreSync
{{- if .Values.globalAnnotations }}
{{ toYaml .Values.globalAnnotations | indent 4}}
{{- end }}
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
caBundle: {{ $cacrt | b64enc }}
service:
name: speedscale-operator
namespace: {{ .Release.Namespace }}
path: /mutate-speedscale-com-v1-trafficreplay
failurePolicy: Fail
name: replay.speedscale.com
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: "NotIn"
values:
- kube-system
- kube-node-lease
{{- if .Values.namespaceSelector }}
- key: kubernetes.io/metadata.name
operator: "In"
values:
{{- range .Values.namespaceSelector }}
- {{ . | quote }}
{{- end }}
{{- end }}
rules:
- apiGroups:
- speedscale.com
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- trafficreplays
sideEffects: None
timeoutSeconds: 10
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
creationTimestamp: null
name: speedscale-operator-replay
annotations:
argocd.argoproj.io/hook: PreSync
{{- if .Values.globalAnnotations }}
{{ toYaml .Values.globalAnnotations | indent 4}}
{{- end }}
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
caBundle: {{ $cacrt | b64enc }}
service:
name: speedscale-operator
namespace: {{ .Release.Namespace }}
path: /validate-speedscale-com-v1-trafficreplay
failurePolicy: Fail
name: replay.speedscale.com
namespaceSelector:
matchExpressions:
- key: kubernetes.io/metadata.name
operator: "NotIn"
values:
- kube-system
- kube-node-lease
{{- if .Values.namespaceSelector }}
- key: kubernetes.io/metadata.name
operator: "In"
values:
{{- range .Values.namespaceSelector }}
- {{ . | quote }}
{{- end }}
{{- end }}
rules:
- apiGroups:
- speedscale.com
apiVersions:
- v1
operations:
- CREATE
- UPDATE
- DELETE
resources:
- trafficreplays
sideEffects: None
timeoutSeconds: 10
---
apiVersion: v1
kind: Secret
metadata:
annotations:
helm.sh/hook: pre-install
helm.sh/hook-delete-policy: before-hook-creation
{{- if .Values.globalAnnotations }}
{{ toYaml .Values.globalAnnotations | indent 4}}
{{- end }}
creationTimestamp: null
name: speedscale-webhook-certs
namespace: {{ .Release.Namespace }}
type: kubernetes.io/tls
data:
ca.crt: {{ $cacrt | b64enc }}
tls.crt: {{ $crt | b64enc }}
tls.key: {{ $key | b64enc }}
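Review bot: the `lookup`/`genCA` fallback at the top of this file silently mints a new CA and serving key whenever `lookup` returns nothing, which is the case for `helm template`, `--dry-run` and Argo CD (the `argocd.argoproj.io/hook: PreSync` annotations show that path is expected, and Argo CD renders with `helm template`). In that mode every sync rotates `speedscale-webhook-certs` (the `before-hook-creation` policy deletes and recreates it) together with the three `caBundle` values, and until the running operator reloads the new files the two `failurePolicy: Fail` webhooks on `trafficreplays` reject every create/update/delete. Either issue the certificate out of band (a cert-manager `Certificate` plus `cert-manager.io/inject-ca-from` on the webhook configurations, or a job that writes the secret once and is never re-rendered) or document that GitOps installs must leave the secret unmanaged. Two further points: the 3650-day lifetimes on both `genCA` and `genSignedCert` come with no rotation procedure, and because `$key` is rendered into the manifest the private key is also persisted in Helm's release record, not only in `speedscale-webhook-certs`. Finally, `failurePolicy: Ignore` on `sidecar.speedscale.com` fails open by design, so an overloaded or crashed operator silently admits pods without capture; worth a sentence in the README so users alert on it.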


@ -0,0 +1,43 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: speedscale-operator
namespace: {{ .Release.Namespace }}
annotations:
argocd.argoproj.io/hook: PreSync
{{- if .Values.globalAnnotations }}
{{ toYaml .Values.globalAnnotations | indent 4}}
{{- end }}
data:
CLUSTER_NAME: {{ .Values.clusterName }}
IMAGE_PULL_POLICY: {{ .Values.image.pullPolicy }}
IMAGE_PULL_SECRETS: ""
IMAGE_REGISTRY: {{ .Values.image.registry }}
IMAGE_TAG: {{ .Values.image.tag }}
INSTANCE_ID: '{{- $cm := (lookup "v1" "ConfigMap" .Release.Namespace "speedscale-operator") -}}{{ if $cm }}{{ $cm.data.INSTANCE_ID }}{{ else }}{{ ( printf "%s-%s" .Values.clusterName uuidv4 ) }}{{ end }}'
LOG_LEVEL: {{ .Values.logLevel }}
SPEEDSCALE_DLP_CONFIG: {{ .Values.dlp.config }}
SPEEDSCALE_FILTER_RULE: {{ .Values.filterRule }}
TELEMETRY_INTERVAL: 1s
WITH_DLP: {{ .Values.dlp.enabled | quote }}
WITH_INSPECTOR: {{ .Values.dashboardAccess | quote }}
API_KEY_SECRET_NAME: {{ .Values.apiKeySecret | quote }}
DEPLOY_DEMO: {{ .Values.deployDemo | quote }}
GLOBAL_ANNOTATIONS: {{ .Values.globalAnnotations | toJson | quote }}
GLOBAL_LABELS: {{ .Values.globalLabels | toJson | quote }}
{{- if .Values.http_proxy }}
HTTP_PROXY: {{ .Values.http_proxy }}
{{- end }}
{{- if .Values.https_proxy }}
HTTPS_PROXY: {{ .Values.https_proxy }}
{{- end }}
{{- if .Values.no_proxy }}
NO_PROXY: {{ .Values.no_proxy }}
{{- end }}
PRIVILEGED_SIDECARS: {{ .Values.privilegedSidecars | quote }}
DISABLE_SMARTDNS: {{ .Values.disableSidecarSmartReverseDNS | quote }}
SIDECAR_CONFIG: {{ .Values.sidecar | toJson | quote }}
FORWARDER_CONFIG: {{ .Values.forwarder | toJson | quote }}
TEST_PREP_TIMEOUT: {{ .Values.operator.test_prep_timeout }}
CONTROL_PLANE_TIMEOUT: {{ .Values.operator.control_plane_timeout }}
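Review bot: most values here are emitted unquoted (`CLUSTER_NAME: {{ .Values.clusterName }}`, `LOG_LEVEL`, `SPEEDSCALE_DLP_CONFIG`, `SPEEDSCALE_FILTER_RULE`, the proxy variables, the two timeouts), so a cluster name such as `prod:eu` breaks the YAML and a value such as `1.2` is typed as a number and rejected because ConfigMap `data` values must be strings; pipe each through `| quote` as `WITH_DLP` and `PRIVILEGED_SIDECARS` already do. `INSTANCE_ID` has the same `lookup` weakness as the webhook certificates: under `helm template` or Argo CD the lookup is empty and a fresh `uuidv4` is generated on every render, so the cluster registers as a new instance each sync. `HTTP_PROXY`/`HTTPS_PROXY` commonly carry credentials (`http://user:pass@proxy:3128`) and here land in a ConfigMap readable by anyone with `configmaps get` in the namespace; source them from a Secret or state in the README that they are stored in clear. Lastly, `IMAGE_PULL_SECRETS: ""` is hard-coded and the operator Deployment sets no `imagePullSecrets`, so mirroring the images to a private `image.registry` cannot work without an out-of-band patch.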


@ -0,0 +1,523 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.15.0
creationTimestamp: null
name: trafficreplays.speedscale.com
spec:
group: speedscale.com
names:
kind: TrafficReplay
listKind: TrafficReplayList
plural: trafficreplays
shortNames:
- replay
singular: trafficreplay
scope: Namespaced
versions:
- additionalPrinterColumns:
- jsonPath: .status.active
name: Active
type: boolean
- jsonPath: .spec.mode
name: Mode
type: string
- jsonPath: .status.conditions[-1:].message
name: Status
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1
schema:
openAPIV3Schema:
description: TrafficReplay is the Schema for the trafficreplays API
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: TrafficReplaySpec defines the desired state of TrafficReplay
properties:
buildTag:
description: |-
BuildTag links a unique tag, build hash, etc. to the generated
traffic replay report. That way you can connect the report results to the
version of the code that was tested.
type: string
cleanup:
description: |-
Cleanup is the name of cleanup mode used for this
TrafficReplay.
enum:
- inventory
- all
- none
type: string
collectLogs:
description: |-
CollectLogs enables or disables log collection from target
workload. Defaults to true.
DEPRECATED: use TestReport.ActualConfig.Cluster.CollectLogs
type: boolean
configChecksum:
description: |-
ConfigChecksum, managed my the operator, is the SHA1 checksum of the
configuration.
type: string
customURL:
description: |-
CustomURL specifies a custom URL to send *ALL* traffic to. Use
Workload.CustomURI to send traffic to a specific URL for only that
workload.
type: string
generatorLowData:
description: |-
GeneratorLowData forces the generator into a high
efficiency/low data output mode. This is ideal for high volume
performance tests. Defaults to false.
DEPRECATED
type: boolean
mode:
description: Mode is the name of replay mode used for this TrafficReplay.
enum:
- full-replay
- responder-only
- generator-only
type: string
needsReport:
description: Indicates whether a responder-only replay needs a report.
type: boolean
proxyMode:
description: |-
ProxyMode defines proxy operational mode used with injected sidecar.
DEPRECATED
type: string
responderLowData:
description: |-
ResponderLowData forces the responder into a high
efficiency/low data output mode. This is ideal for high volume
performance tests. Defaults to false.
DEPRECATED
type: boolean
secretRefs:
description: |-
SecretRefs hold the references to the secrets which contain
various secrets like (e.g. short-lived JWTs to be used by the generator
for authorization with HTTP calls).
items:
description: |-
LocalObjectReference contains enough information to locate the referenced
Kubernetes resource object.
properties:
name:
description: Name of the referent.
type: string
required:
- name
type: object
type: array
sidecar:
description: |-
Sidecar defines sidecar specific configuration.
DEPRECATED: use Workloads
properties:
inject:
description: 'DEPRECATED: do not use'
type: boolean
patch:
description: Patch is .yaml file patch for the Workload
format: byte
type: string
tls:
properties:
in:
description: In provides configuration for sidecar inbound
TLS.
properties:
private:
description: Private is the filename of the TLS inbound
private key.
type: string
public:
description: Public is the filename of the TLS inbound
public key.
type: string
secret:
description: Secret is a secret with the TLS keys to use
for inbound traffic.
type: string
type: object
mutual:
description: Mutual provides configuration for sidecar mutual
TLS.
properties:
private:
description: Private is the filename of the mutual TLS
private key.
type: string
public:
description: Public is the filename of the mutual TLS
public key.
type: string
secret:
description: Secret is a secret with the mutual TLS keys.
type: string
type: object
out:
description: |-
Out enables or disables TLS out on the
sidecar during replay.
type: boolean
type: object
type: object
snapshotID:
description: |-
SnapshotID is the id of the traffic snapshot for this
TrafficReplay.
type: string
testConfigID:
description: |-
TestConfigID is the id of the replay configuration to be used
by the generator and responder for the TrafficReplay.
type: string
timeout:
description: |-
Timeout is the time to wait for replay test to finish. Defaults
to value of the `TIMEOUT` setting of the operator.
type: string
ttlAfterReady:
description: |-
TTLAfterReady provides a TTL (time to live) mechanism to limit
the lifetime of TrafficReplay object that have finished the execution and
reached its final state (either complete or failed).
type: string
workloadRef:
description: |-
WorkloadRef is the reference to the target workload (SUT) for
TrafficReplay. The operations will be performed in the namespace of the
target object.
DEPRECATED: use Workloads
properties:
apiVersion:
description: API version of the referenced object.
type: string
kind:
description: Kind of the referenced object. Defaults to "Deployment".
type: string
name:
description: |-
Name of the referenced object. Required when defining for a test unless a
custom URI is provided. Always required when defining mocks.
type: string
namespace:
description: Namespace of the referenced object. Defaults to the
TrafficReplay namespace.
type: string
required:
- name
type: object
workloads:
description: |-
Workloads define target workloads (SUT) for a TrafficReplay. Many
workloads may be provided, or none. Workloads may be modified and
restarted during replay to configure communication with a responder.
items:
description: |-
Workload represents a Kubernetes workload to be targeted during replay and
associated settings.
properties:
customURI:
description: |-
CustomURI will be target of the traffic instead of directly targeting
workload. This is required if a Ref is not specified.
type: string
inTrafficKey:
description: 'DEPRECATED: use Tests'
type: string
inTrafficKeys:
description: 'DEPRECATED: use Tests'
items:
type: string
type: array
mocks:
description: |-
Mocks are strings used to identify slices of outbound snapshot traffic to
mock for this workload and maps directly to a snapshot's `OutTraffic`
field. Snapshot egress traffic can be split across multiple slices where
each slice contains part of the traffic. A workload may specify multiple
keys and multiple workloads may specify the same key.
Only the traffic slices defined here will be mocked. A workload with no
keys defined will not mock any traffic. Pass '*' to mock all traffic.
Mock strings may only match part of the snapshot's `OutTraffic` key if the
string matches exactly one key. For example, the test string
`foo.example.com` would match the `OutTraffic` key of
my-service:foo.example.com:8080, as long as no other keys would match
`foo.example.com`. Multiple mocks must be specified for multiple keys
unless using '*'.
items:
type: string
type: array
outTrafficKeys:
description: 'DEPRECATED: use Mocks'
items:
type: string
type: array
ref:
description: |-
Ref is a reference to a cluster workload, like a deployment or a
statefulset. This is required unless a CustomURI is specified.
properties:
apiVersion:
description: API version of the referenced object.
type: string
kind:
description: Kind of the referenced object. Defaults to
"Deployment".
type: string
name:
description: |-
Name of the referenced object. Required when defining for a test unless a
custom URI is provided. Always required when defining mocks.
type: string
namespace:
description: Namespace of the referenced object. Defaults
to the TrafficReplay namespace.
type: string
required:
- name
type: object
routing:
description: Routing configures how workloads route egress traffic
to responders
enum:
- hostalias
- nat
type: string
sidecar:
description: |-
TODO: this is not implemented, come back and replace deprecated Sidecar with workload specific settings
Sidecar defines sidecar specific configuration.
properties:
inject:
description: 'DEPRECATED: do not use'
type: boolean
patch:
description: Patch is .yaml file patch for the Workload
format: byte
type: string
tls:
properties:
in:
description: In provides configuration for sidecar inbound
TLS.
properties:
private:
description: Private is the filename of the TLS
inbound private key.
type: string
public:
description: Public is the filename of the TLS inbound
public key.
type: string
secret:
description: Secret is a secret with the TLS keys
to use for inbound traffic.
type: string
type: object
mutual:
description: Mutual provides configuration for sidecar
mutual TLS.
properties:
private:
description: Private is the filename of the mutual
TLS private key.
type: string
public:
description: Public is the filename of the mutual
TLS public key.
type: string
secret:
description: Secret is a secret with the mutual
TLS keys.
type: string
type: object
out:
description: |-
Out enables or disables TLS out on the
sidecar during replay.
type: boolean
type: object
type: object
tests:
description: |-
Tests are strings used to identify slices of inbound snapshot traffic this
workload is targeting and maps directly to a snapshot's `InTraffic` field.
Snapshot ingress traffic can be split across multiple slices where each
slice contains part of the traffic. A key must only be specified once
across all workloads, but a workload may specify multiple keys. Pass '*'
to match all keys.
Test strings may only match part of the snapshot's `InTraffic` key if the
string matches exactly one key. For example, the test string
`foo.example.com` would match the `InTraffic` key of
my-service:foo.example.com:8080, as long as no other keys would match
`foo.example.com`
This field is optional in the spec to provide support for single-workload
and legacy replays, but must be specified for multi-workload replays in
order to provide deterministic replay configuration.
items:
type: string
type: array
type: object
type: array
required:
- snapshotID
- testConfigID
type: object
status:
default:
observedGeneration: -1
description: TrafficReplayStatus defines the observed state of TrafficReplay
properties:
active:
description: Active indicates whether this traffic replay is currently
underway or not.
type: boolean
conditions:
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
finishedTime:
description: Information when the traffic replay has finished.
format: date-time
type: string
initializedTime:
description: Information when the test environment was successfully
prepared.
format: date-time
type: string
lastHeartbeatTime:
description: 'DEPRECATED: will not be set'
format: date-time
type: string
observedGeneration:
description: ObservedGeneration is the last observed generation.
format: int64
type: integer
reconcileFailures:
description: |-
ReconcileFailures is the number of times the traffic replay controller
experienced an error during the reconciliation process. The traffic
replay will be deleted if too many errors occur.
format: int64
type: integer
reportID:
description: The id of the traffic replay report created.
type: string
reportURL:
description: The url to the traffic replay report.
type: string
startedTime:
description: Information when the traffic replay has started.
format: date-time
type: string
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null
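Review bot: `workloadRef.namespace` and `workloads[].ref.namespace` ("Defaults to the TrafficReplay namespace") let a TrafficReplay in one namespace target and modify a workload in another, and the operator acts on it with its ClusterRole (cluster-wide `patch` on deployments/statefulsets plus full access to secrets), so anyone with `create` on `trafficreplays` in any opted-in namespace effectively inherits the operator's write access to every other namespace, including a free-form `sidecar.patch` against the target's pod spec. The validating webhook at `/validate-speedscale-com-v1-trafficreplay` is the place to close this: reject a ref whose namespace differs from `metadata.namespace` unless the operator is explicitly configured to allow cross-namespace targets, and keep `secretRefs` resolving in the TrafficReplay's own namespace, as a `LocalObjectReference` implies, rather than in the target's. Schema nits: `ConfigChecksum, managed my the operator` should read `by`; the `TODO: this is not implemented` sentence under `workloads[].sidecar` is served to every `kubectl explain` user and belongs in a Go comment, not the description; and `spec` requires only `snapshotID` and `testConfigID` while `workloads` says "Many workloads may be provided, or none", so state what a replay with no `workloads`, `workloadRef` or `customURL` does.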


@ -0,0 +1,132 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
annotations:
operator.speedscale.com/ignore: "true"
{{- if .Values.globalAnnotations }}
{{ toYaml .Values.globalAnnotations | indent 4}}
{{- end }}
labels:
app: speedscale-operator
controlplane.speedscale.com/component: operator
{{- if .Values.globalLabels }}
{{ toYaml .Values.globalLabels | indent 4}}
{{- end }}
name: speedscale-operator
namespace: {{ .Release.Namespace }}
spec:
replicas: 1
selector:
matchLabels:
app: speedscale-operator
controlplane.speedscale.com/component: operator
strategy:
type: Recreate
template:
metadata:
annotations:
{{- if .Values.globalAnnotations }}
{{ toYaml .Values.globalAnnotations | indent 8}}
{{- end }}
labels:
app: speedscale-operator
controlplane.speedscale.com/component: operator
{{- if .Values.globalLabels }}
{{ toYaml .Values.globalLabels | indent 8}}
{{- end }}
spec:
containers:
- command:
- /operator
env:
- name: POD_NAME
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
envFrom:
- configMapRef:
name: speedscale-operator
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#container-v1-core
# When a key exists in multiple sources, the value associated with the last source will take precedence.
# Values defined by an Env with a duplicate key will take precedence.
- configMapRef:
name: speedscale-operator-override
optional: true
- secretRef:
name: '{{ ne .Values.apiKeySecret "" | ternary .Values.apiKeySecret "speedscale-apikey" }}'
optional: false
image: '{{ .Values.image.registry }}/operator:{{ .Values.image.tag }}'
imagePullPolicy: {{ .Values.image.pullPolicy }}
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: health-check
scheme: HTTP
initialDelaySeconds: 30
periodSeconds: 30
successThreshold: 1
timeoutSeconds: 5
name: operator
ports:
- containerPort: 443
name: webhook-server
- containerPort: 8081
name: health-check
readinessProbe:
failureThreshold: 10
httpGet:
path: /readyz
port: health-check
scheme: HTTP
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 5
resources: {{- toYaml .Values.operator.resources | nindent 10 }}
securityContext:
allowPrivilegeEscalation: false
privileged: false
readOnlyRootFilesystem: true
runAsNonRoot: false
# Run as root to bind 443 https://github.com/kubernetes/kubernetes/issues/56374
runAsUser: 0
volumeMounts:
- mountPath: /tmp
name: tmp
- mountPath: /tmp/k8s-webhook-server/serving-certs
name: webhook-certs
readOnly: true
- mountPath: /etc/ssl/speedscale
name: speedscale-tls-out
readOnly: true
hostNetwork: {{ .Values.hostNetwork }}
securityContext:
runAsNonRoot: true
serviceAccountName: speedscale-operator
terminationGracePeriodSeconds: 10
volumes:
- emptyDir: {}
name: tmp
- name: webhook-certs
secret:
secretName: speedscale-webhook-certs
- name: speedscale-tls-out
secret:
secretName: speedscale-certs
{{- if .Values.affinity }}
affinity: {{ toYaml .Values.affinity | nindent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations: {{ toYaml .Values.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
{{- end }}
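Review bot: the container `securityContext` sets `runAsNonRoot: false` / `runAsUser: 0`, which overrides the pod-level `runAsNonRoot: true` a few lines further down, so the operator, the process terminating the cluster's admission webhooks and holding the ClusterRole in rbac.yaml, runs as root; with `hostNetwork: {{ .Values.hostNetwork }}` enabled that is a root process on the node's network namespace. The cited issue (binding 443) is avoidable: have `/operator` listen on an unprivileged port such as 9443 and point the Service at the named port (`targetPort: webhook-server`), or keep 443 and grant only `capabilities: {drop: [ALL], add: [NET_BIND_SERVICE]}` together with `runAsNonRoot: true` and a non-zero `runAsUser`. In either case add `capabilities.drop: [ALL]` and `seccompProfile: {type: RuntimeDefault}`; as written the pod fails the `restricted` Pod Security Standard. Also note that `speedscale-operator-override` (optional ConfigMap, last source wins per the comment) lets anyone with `configmaps create` in the namespace change every operator setting, including `SIDECAR_CONFIG` and `PRIVILEGED_SIDECARS`; convenient, but it should be called out in the README.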


@ -0,0 +1,73 @@
---
apiVersion: batch/v1
kind: Job
metadata:
annotations:
helm.sh/hook: pre-install
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "4"
{{- if .Values.globalAnnotations }}
{{ toYaml .Values.globalAnnotations | indent 4}}
{{- end }}
creationTimestamp: null
name: speedscale-operator-pre-install
namespace: {{ .Release.Namespace }}
labels:
{{- if .Values.globalLabels }}
{{ toYaml .Values.globalLabels | indent 4}}
{{- end }}
spec:
backoffLimit: 0
ttlSecondsAfterFinished: 30
template:
metadata:
annotations:
{{- if .Values.globalAnnotations }}
{{ toYaml .Values.globalAnnotations | indent 8}}
{{- end }}
creationTimestamp: null
labels:
{{- if .Values.globalLabels }}
{{ toYaml .Values.globalLabels | indent 8}}
{{- end }}
spec:
containers:
- args:
- |-
# ensure valid settings before the chart reports a successfull install
{{- if .Values.http_proxy }}
HTTP_PROXY={{ .Values.http_proxy | quote }} \
{{- end }}
{{- if .Values.https_proxy }}
HTTPS_PROXY={{ .Values.https_proxy | quote }} \
{{- end }}
{{- if .Values.no_proxy }}
NO_PROXY={{ .Values.no_proxy | quote }} \
{{- end }}
speedctl init --overwrite --no-rcfile-update \
--api-key $SPEEDSCALE_API_KEY \
--app-url $SPEEDSCALE_APP_URL
# in case we're in istio
curl -X POST http://127.0.0.1:15000/quitquitquit || true
command:
- sh
- -c
envFrom:
- secretRef:
name: '{{ ne .Values.apiKeySecret "" | ternary .Values.apiKeySecret "speedscale-apikey" }}'
optional: false
image: '{{ .Values.image.registry }}/speedscale-cli:{{ .Values.image.tag }}'
imagePullPolicy: {{ .Values.image.pullPolicy }}
name: speedscale-cli
resources: {}
restartPolicy: Never
{{- if .Values.affinity }}
affinity: {{ toYaml .Values.affinity | nindent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations: {{ toYaml .Values.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
{{- end }}
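Review bot: `speedctl init ... --api-key $SPEEDSCALE_API_KEY` puts the API key on the command line, where it is visible in `ps` inside the pod and to anyone who can read process lists on the node, and the rendered script, including any `HTTPS_PROXY="http://user:pass@..."` value, is stored in the Job's pod spec, so `kubectl get job -o yaml` in the namespace shows proxy credentials in clear. The key is already present in the environment via `envFrom`, so let `speedctl init` read it from there if it supports that (or from a file), and keep the proxy variables as `env:` entries instead of inlining them into `args`. `ttlSecondsAfterFinished: 30` also applies to a failed Job, so the README's `kubectl -n speedscale logs job/speedscale-operator-pre-install` troubleshooting step only works for 30 seconds after the failure; the `before-hook-creation` policy already cleans up on the next install, so the TTL can be dropped or raised. The pod template has no `securityContext` at all (no `runAsNonRoot`, no `allowPrivilegeEscalation: false`), so it is rejected in namespaces enforcing the `restricted` Pod Security Standard; mirror what the operator Deployment sets. Comment typo: `successfull` should be `successful`.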


@ -0,0 +1,244 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
creationTimestamp: null
name: speedscale-operator
{{- if .Values.globalAnnotations }}
annotations: {{ toYaml .Values.globalAnnotations | nindent 4 }}
{{- end }}
rules:
- apiGroups:
- apps
resources:
- deployments
- statefulsets
- daemonsets
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- apps
resources:
- replicasets
verbs:
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- batch
resources:
- jobs
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- get
- list
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterrolebindings
- clusterroles
verbs:
- get
- list
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- configmaps
- secrets
- pods
- services
- serviceaccounts
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- ""
resources:
- pods/log
verbs:
- get
- list
- apiGroups:
- ""
resources:
- events
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- metrics.k8s.io
resources:
- pods
verbs:
- get
- list
- watch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
- roles
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- networking.istio.io
resources:
- envoyfilters
- sidecars
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- security.istio.io
resources:
- peerauthentications
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- speedscale.com
resources:
- trafficreplays
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- speedscale.com
resources:
- trafficreplays/status
verbs:
- get
- update
- patch
- apiGroups:
- argoproj.io
resources:
- rollouts
verbs:
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: speedscale-operator
{{- if .Values.globalAnnotations }}
annotations: {{ toYaml .Values.globalAnnotations | nindent 4 }}
{{- end }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: speedscale-operator
subjects:
- kind: ServiceAccount
name: speedscale-operator
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
creationTimestamp: null
labels:
app: speedscale-operator
controlplane.speedscale.com/component: operator
name: speedscale-operator
namespace: {{ .Release.Namespace }}
{{- if .Values.globalAnnotations }}
annotations: {{ toYaml .Values.globalAnnotations | nindent 4 }}
{{- end }}
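Review bot: the ClusterRole grants cluster-wide `create/delete/get/list/patch/update/watch` on `secrets` and `serviceaccounts` and cluster-wide `create` on `roles`/`rolebindings`, even though injection is opt-in per namespace via `namespaceSelector`; together with the webhook exposure and root in the Deployment, compromising this one pod means reading every Secret in the cluster. Narrow it where the operator's behaviour allows: keep cluster-scoped rules only for the resources that are genuinely cluster-scoped (`namespaces`, `nodes`, `customresourcedefinitions`, the webhook configurations, `clusterroles`) and bind the namespaced rules through Roles in the operator's namespace plus each opted-in namespace, or at minimum reduce `secrets` to `get/list/watch` and restrict the write verbs with `resourceNames` to the secrets the operator itself creates. `pods/log` is granted cluster-wide for `collectLogs` and deserves a mention in the README, since target workload logs are then collected by the operator.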


@ -0,0 +1,18 @@
---
{{ if .Values.apiKey }}
apiVersion: v1
kind: Secret
metadata:
name: speedscale-apikey
namespace: {{ .Release.Namespace }}
annotations:
helm.sh/hook: pre-install
helm.sh/hook-weight: "3"
{{- if .Values.globalAnnotations }}
{{ toYaml .Values.globalAnnotations | indent 4}}
{{- end }}
type: Opaque
data:
SPEEDSCALE_API_KEY: {{ .Values.apiKey | b64enc }}
SPEEDSCALE_APP_URL: {{ .Values.appUrl | b64enc }}
{{ end }}
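Review bot: this Secret is a `pre-install` hook with no `hook-delete-policy`, so it is created once and never reconciled: `helm upgrade --set apiKey=<new>` does not rotate the key (the operator keeps reading the old secret via `envFrom`), and `helm uninstall` leaves it behind because Helm does not track hook resources, which contradicts the README's uninstall text. Either make it a normal chart resource (drop the hook annotations, so it is updated on upgrade and removed on uninstall) or document that rotation means editing `speedscale-apikey` by hand and restarting the operator. The value passed as `apiKey` is also kept in Helm's release record, so `helm get values` exposes it, which is one more reason to make `apiKeySecret` the recommended path and this template the fallback.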


@ -0,0 +1,22 @@
---
apiVersion: v1
kind: Service
metadata:
creationTimestamp: null
labels:
app: speedscale-operator
controlplane.speedscale.com/component: operator
name: speedscale-operator
namespace: {{ .Release.Namespace }}
{{- if .Values.globalAnnotations }}
annotations: {{ toYaml .Values.globalAnnotations | nindent 4 }}
{{- end }}
spec:
ports:
- port: 443
protocol: TCP
selector:
app: speedscale-operator
controlplane.speedscale.com/component: operator
status:
loadBalancer: {}
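Review bot: the `status:` block with `loadBalancer: {}` and `creationTimestamp: null` are kubectl-export residue and should be dropped from a chart template; the API server ignores `status` on create, but it shows up as noise on every diff. Two smaller points: the Service does not apply `globalLabels` although the provisioning Job does, and the `443` port has no `name`, which matters if Istio (whose resources this chart manages) relies on port naming for protocol detection.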


@ -0,0 +1,183 @@
{{- $crt := "" -}}
{{- $key := "" -}}
{{- $s := (lookup "v1" "Secret" .Release.Namespace "speedscale-certs") -}}
{{- if $s -}}
{{- $crt = index $s.data "tls.crt" | b64dec -}}
{{- $key = index $s.data "tls.key" | b64dec -}}
{{ else }}
{{- $cert := genCA "Speedscale" 3650 -}}
{{- $crt = $cert.Cert -}}
{{- $key = $cert.Key -}}
{{- end -}}
---
apiVersion: batch/v1
kind: Job
metadata:
annotations:
helm.sh/hook: pre-install
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "5"
{{- if .Values.globalAnnotations }}
{{ toYaml .Values.globalAnnotations | indent 4}}
{{- end }}
creationTimestamp: null
name: speedscale-operator-create-jks
namespace: {{ .Release.Namespace }}
labels:
{{- if .Values.globalLabels }}
{{ toYaml .Values.globalLabels | indent 4}}
{{- end }}
spec:
backoffLimit: 0
ttlSecondsAfterFinished: 30
template:
metadata:
annotations:
{{- if .Values.globalAnnotations }}
{{ toYaml .Values.globalAnnotations | indent 8}}
{{- end }}
creationTimestamp: null
labels:
{{- if .Values.globalAnnotations }}
{{ toYaml .Values.globalAnnotations | indent 8}}
{{- end }}
spec:
containers:
- args:
- |-
keytool -keystore /usr/lib/jvm/jre/lib/security/cacerts -importcert -noprompt -trustcacerts -storepass changeit -alias speedscale -file /etc/ssl/speedscale/tls.crt
kubectl -n ${POD_NAMESPACE} delete secret speedscale-jks || true
kubectl -n ${POD_NAMESPACE} create secret generic speedscale-jks --from-file=cacerts.jks=/usr/lib/jvm/jre/lib/security/cacerts
# in case we're in istio
curl -X POST http://127.0.0.1:15000/quitquitquit || true
command:
- sh
- -c
volumeMounts:
- mountPath: /etc/ssl/speedscale
name: speedscale-tls-out
readOnly: true
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
envFrom:
- secretRef:
name: '{{ ne .Values.apiKeySecret "" | ternary .Values.apiKeySecret "speedscale-apikey" }}'
optional: false
image: '{{ .Values.image.registry }}/amazoncorretto'
imagePullPolicy: {{ .Values.image.pullPolicy }}
name: create-jks
resources: {}
restartPolicy: Never
serviceAccountName: speedscale-operator-provisioning
volumes:
- name: speedscale-tls-out
secret:
secretName: speedscale-certs
{{- if .Values.affinity }}
affinity: {{ toYaml .Values.affinity | nindent 8 }}
{{- end }}
{{- if .Values.tolerations }}
tolerations: {{ toYaml .Values.tolerations | nindent 8 }}
{{- end }}
{{- if .Values.nodeSelector }}
nodeSelector: {{ toYaml .Values.nodeSelector | nindent 8 }}
{{- end }}
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
annotations:
helm.sh/hook: pre-install
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "1"
{{- if .Values.globalAnnotations }}
{{ toYaml .Values.globalAnnotations | indent 4}}
{{- end }}
creationTimestamp: null
labels:
app: speedscale-operator
controlplane.speedscale.com/component: operator
name: speedscale-operator-provisioning
namespace: {{ .Release.Namespace }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
helm.sh/hook: pre-install
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "2"
creationTimestamp: null
name: speedscale-operator-provisioning
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
- validatingwebhookconfigurations
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
helm.sh/hook: pre-install
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "3"
{{- if .Values.globalAnnotations }}
{{ toYaml .Values.globalAnnotations | indent 4}}
{{- end }}
creationTimestamp: null
name: speedscale-operator-provisioning
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: speedscale-operator-provisioning
subjects:
- kind: ServiceAccount
name: speedscale-operator-provisioning
namespace: {{ .Release.Namespace }}
---
apiVersion: v1
kind: Secret
metadata:
annotations:
helm.sh/hook: pre-install
helm.sh/hook-delete-policy: before-hook-creation
{{- if .Values.globalAnnotations }}
{{ toYaml .Values.globalAnnotations | indent 4}}
{{- end }}
creationTimestamp: null
name: speedscale-certs
namespace: {{ .Release.Namespace }}
type: kubernetes.io/tls
data:
tls.crt: {{ $crt | b64enc }}
tls.key: {{ $key | b64enc }}
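Review bot: the Job's pod template fills `labels:` from `.Values.globalAnnotations` (the `{{ toYaml .Values.globalAnnotations | indent 8}}` block under `template.metadata.labels`), whereas the Job's own `metadata.labels` correctly uses `.Values.globalLabels`; an annotation value that is not a valid label value (longer than 63 characters, or containing spaces or `/`) will fail admission for the Job, so that block should read `{{ toYaml .Values.globalLabels | indent 8}}`. Three further points in the same hunk: the `speedscale-tls-out` volume mounts the whole `speedscale-certs` Secret, including the CA private key `tls.key`, into the keytool container although the script only imports `tls.crt`, so project just that key with `items:`; the `envFrom` of the API key Secret into `create-jks` is not used by the script shown and puts the key into one more pod's environment; and `image: '{{ .Values.image.registry }}/amazoncorretto'` carries no tag or digest, so with `pullPolicy: Always` the container that builds the trust store is whatever `latest` resolves to at install time. Minor: `kubectl delete secret ... || true` followed by `create` is not atomic; `kubectl create secret generic ... --dry-run=client -o yaml | kubectl apply -f -` replaces it in one step.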


@ -0,0 +1,138 @@
# An API key is required to connect to the Speedscale cloud.
# If you need a key email support@speedscale.com.
apiKey: ""
# A secret name can be referenced instead of the api key itself.
# The secret must be of the format:
#
# type: Opaque
# data:
# SPEEDSCALE_API_KEY: <key>
# SPEEDSCALE_APP_URL: <appUrl>
apiKeySecret: ""
# Speedscale domain to use.
appUrl: "app.speedscale.com"
# The name of your cluster.
clusterName: "my-cluster"
# Speedscale components image settings.
image:
registry: gcr.io/speedscale
tag: v2.2.425
pullPolicy: Always
# Log level for Speedscale components.
logLevel: "info"
# Namespaces to be watched by Speedscale Operator as a list of names.
namespaceSelector: []
# Instructs operator to deploy resources necessary to interact with your cluster from the Speedscale dashboard.
dashboardAccess: true
# Filter Rule to apply to the Speedscale Forwarder
filterRule: "standard"
# Data Loss Prevention settings.
dlp:
# Instructs operator to enable data loss prevention features
enabled: false
# Configuration for data loss prevention
config: "standard"
# If the operator pod/webhooks need to be on the host network.
# This is only needed if the control plane cannot connect directly to a pod
# for eg. if Calico is used as EKS's default networking
# https://docs.tigera.io/calico/3.25/getting-started/kubernetes/managed-public-cloud/eks#install-eks-with-calico-networking
hostNetwork: false
# A set of annotations to be applied to all Speedscale related deployments,
# services, jobs, pods, etc.
#
# Example:
# annotation.first: value
# annotation.second: value
globalAnnotations: {}
# A set of labels to be applied to all Speedscale related deployments,
# services, jobs, pods, etc.
#
# Example:
# label1: value
# label2: value
globalLabels: {}
# A full affinity object as detailed: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes-using-node-affinity
affinity: {}
# The list of tolerations as detailed: https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
tolerations: []
# A nodeselector object as detailed: https://kubernetes.io/docs/tasks/configure-pod-container/assign-pods-nodes/
nodeSelector: {}
# Deploy a demo app at startup. Set this to an empty string to not deploy.
# Valid values: ["java", ""]
deployDemo: "java"
# Proxy connection settings if required by your network. These translate to standard proxy environment
# variables HTTP_PROXY, HTTPS_PROXY, and NO_PROXY
http_proxy: ""
https_proxy: ""
no_proxy: ""
# control if sidecar init containers should run with privileged set
privilegedSidecars: false
# control if the sidecar should enable/disable use of the smart dns lookup feature (requires NET_ADMIN)
disableSidecarSmartReverseDNS: false
# Operator settings. These limits are recommended unless you have a cluster
# with a very large number of workloads (for eg. 10k+ deployments, replicasets, etc.).
operator:
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 100m
memory: 128Mi
# how long to wait for the SUT to become ready
test_prep_timeout: 10m
# timeout for deploying & upgrading control plane components
control_plane_timeout: 5m
# Default sidecar settings. Example:
# sidecar:
# resources:
# limits:
# cpu: 500m
# memory: 512Mi
# ephemeral-storage: 100Mi
# requests:
# cpu: 10m
# memory: 32Mi
# ephemeral-storage: 100Mi
# ignore_src_hosts: example.com, example.org
# ignore_src_ips: 8.8.8.8, 1.1.1.1
# ignore_dst_hosts: example.com, example.org
# ignore_dst_ips: 8.8.8.8, 1.1.1.1
# insert_init_first: false
# tls_out: false
# reinitialize_iptables: false
sidecar: {}
# Forwarder settings
# forwarder:
# resources:
# limits:
# cpu: 500m
# memory: 500M
# requests:
# cpu: 300m
# memory: 250M
forwarder: {}
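Review bot: `deployDemo: "java"` deploys a demo application on every default install; for a chart shipped through a partner catalogue the safer default is `""` with the demo opt-in. Two documentation gaps: the `apiKey` comment should state that a key passed this way is stored base64-encoded in the `speedscale-apikey` Secret and in the Helm release history, so `apiKeySecret` is preferred outside test clusters; and the `disableSidecarSmartReverseDNS` comment ("control if the sidecar should enable/disable use of the smart dns lookup feature") does not say which way `false` goes, while the `privilegedSidecars` comment does not say what running the init containers privileged changes. The valid values for `filterRule` and `dlp.config` beyond `"standard"` are also not listed. Minor: "for eg." in the `hostNetwork` and `operator` comments should be "e.g.".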